Coffee Chat with Mark Flegg—NIS2 and Its Implications for Global Brands

Coffee Chat with Mark Flegg—NIS2 and Its Implications for Global Brands

Welcome back to CSC Coffee Chats—a series of interviews with CSC’s Digital Brand Services experts, where we talk about industry issues across cybersecurity, domains, brand protection, and fraud protection.

I grab a cuppa with our subject-matter experts and discuss what’s on their minds. This month Global Director of Security Services Mark Flegg and I discussed the Network and Information Security Directive (NIS2) 2022, which comes into force in October 2024. Mark had a mug of decaf Lavazza coffee with milk (other coffee brands available!); I had a strong decaf tea with milk and one sugar.

So, grab your beverage of choice and take five whilst reading our discussion.

On a sunny Thursday morning, I grab a mug of tea, put my headset on and settle in my chair to speak with Mark Flegg. After a brief discussion on how to correctly pronounce “Lavazza” (we settled on “luh-vat-suh” rather than “la-vaz-za”), we got right in to discussing our hot topic of NIS2. I ask Mark to give me a 60-second overview.

“In a nutshell, NIS2 is a directive from the European Parliament to improve cyber hygiene for its member states. The easiest way to think about it is GDPR for IT,” he explains. I subsequently took a look at the official summary of NIS2 and it calls for “a high common level of cybersecurity across the Union,” which includes national cybersecurity strategies, setting up cyber crisis management authorities, putting cyber risk management measures into place, clear reporting, and having enforcement action plans.

“There have previously been similar directives put into place that said, ‘hey organizations, you should have better cyber hygiene,’ but these were more guidelines than anything else. NIS2 is basically an evolution of these and has been put into law.” This happened in December 2022, and EU member states have until October 17 this year to define how they’ll make it part of their own laws for their respective regions.

Initially, NIS2 affects a selection of 10 industries that the European Parliament consider essential for society to function, namely economic security, electronic communications (email), finance, data providers, healthcare, food and water, law and security, transport, energy, and protection services. “Although this may seem like a relatively finite list, it really covers anyone or any organization that might have an impact on society,” Mark adds. Additionally, although mandated to EU member states, this also covers any organization doing business in the EU—just like the Global Data Protection Regulation (GDPR).

The NIS2 Directive is a 60-page document—standard bedtime reading for the likes of Mark, I’m sure, but perhaps not for everyone else—so I ask him, what are the salient points that organizations in, or doing business with, EU member states need to consider? Mark picks out three points of action that he considers key.

Number one. “Review your risk management policies! And make sure they include domain registrars and domain name system (DNS) services. Make sure the organizations you work with are NIS2 compatible or you’re putting yourself at risk of non-compliance,” Mark advises. Akin to GDPR, non-compliance results in some eye-watering fines; €10 million or 2% of annual worldwide turnover, whichever is greater. “Make sure you have enterprise-class DNS and DNS redundancy as well,” he adds, “You need a plan B!”

Number two. “Audit your suppliers for NIS2 compliance and do it sooner rather than later.” When it comes to cybersecurity, you’re only as strong as your weakest link, so assessing third-party providers in your supply chain is essential. Mark suggests evaluating suppliers by conducting a risk-assessment questionnaire, asking for a NIS2 compliance statement, or putting in place some applicable service level agreements.

And number three? “Appoint a CSIRT,” Mark advises. What’s that, I ask? “It stands for cybersecurity incident response team; a team that will liaise with the government’s own CSIRT in the event of an incident.” Organizations in the specified industries will only have 24 hours to report an incident, so getting this team together and all on the same page is essential. Who should be on the CSIRT, I enquire? “It needs to be a multi-disciplinary team covering cybersecurity, IT, legal, governance, and compliance. Cybersecurity is everyone’s responsibility—representatives from each of these areas must not just be aware, but be ready to act,” says Mark.

Time is certainly of the essence when it comes to NIS2—with less than four months until the October deadline, it’s important for any organizations covered by the directive to get their cyber hygiene squeaky clean.

Thanks for reading our coffee chat on NIS2. Look out for the next blog in the series, where I’ll cover other pertinent industry topics with CSC experts.

By the way

You can find out more about CSC’s domain security and DNS services here, or complete this form to chat with one of our experts.