Cybersecurity compliance: the heavy burden of regulations on IT leaders

IT leaders must consider the full scope of cybersecurity risk management, governance and preventative measures required to meet NIS 2 and DORA


Despite all evidence, many business leaders remain confident that their organisation won’t fall victim to a cyberattack – often doing ‘just enough to get by’ to reduce the risk of a breach.

But change may be on the horizon. Organisations must ready themselves for the introduction of new cybersecurity legislation that puts their cyber practices under the microscope.

The revised Network and Information Systems Directive (NIS 2) mandates more robust cybersecurity measures for companies operating critical infrastructure and providing essential services across Europe. It will focus on their cybersecurity risk management capabilities and introduce stricter incident reporting obligations. 


The directive will also bring higher penalties for non-compliance, of up to €10m (£8.4m) or 2% of global annual revenue, and greater personal accountability for top management when an organisation fails to comply.

Organisations have until 17 October to make sure they are compliant in time for the new regulations to come into effect. Although NIS 2 doesn’t apply in the UK, UK organisations that fall within its scope must still be compliant in order to do business in the EU, placing tight constraints on any UK-based company wanting to work outside of home soil.

Additionally, after NIS 2 the next regulatory initiative on the horizon is the Digital Operational Resilience Act (DORA), which is dedicated to financial services. 

The DORA regulation, which comes into force on 17 January 2025, was created to establish an ICT risk management framework for the EU financial services industry and to harmonise the regulations that already exist in individual EU member states. In principle, this regulation is a great idea: it creates strong cyber resilience practices in an industry that faces the highest risk of cyber threats from both private and nation state actors.

Not just a technology checklist

The huge challenge for many IT leaders, however, is that directives like NIS 2 force them to review and upgrade their organisation’s current frameworks, demanding preventative rather than mitigative measures. This revelation may be an unwelcome surprise to those believing their organisation simply needs to update their tech to achieve compliance. 

While individual security tools will still be deployed, the emphasis is firmly on implementing cybersecurity as an end-to-end process – and there’s no silver bullet to achieve compliance.

“NIS2 is trying to achieve a type of herd immunity. The legislation is doing that through a focus on not just tech implementation but governance, user training and the human element,” explains James Tucker, Head of EMEA, CISOs in Residence, at Zscaler.

NIS 2: a gap between confidence and understanding

The good news, though, is that according to Zscaler’s 2024 NIS2 & Beyond: Risk, Reward & Regulation Readiness report, four-fifths (80%) of IT leaders are confident that their organisations will be able to reach compliance with NIS 2 ahead of the deadline.

The not-so-good-news is that this confidence doesn’t appear to correlate with their understanding of NIS 2. Less than half (49%) feel their leadership fully understands the requirements for compliance. Furthermore, nearly two thirds (62%) of IT leaders believe NIS 2 represents a significant departure from their current cybersecurity practices. 

“A lot of the people we’ve talked to felt that NIS 2 is way out of left field - which, as a security practitioner, scares me. Because there’s nothing crazy in this: you have a security framework, you train your users, all the elements of a strong security strategy that we have been talking about forever,” says Tucker.

Steps to meet compliance

So, how can organisations improve their cyber hygiene to meet the new wave of compliance? “Organisations must fundamentally re-evaluate and revamp their cybersecurity strategies,” says Tucker.

Organisations need to make compliance audits part of an ongoing cycle for security teams, so that they stay ahead of threat actors and their security infrastructure remains fit for purpose at all times.

Rather than viewing legislation as a tick box exercise, teams should use this audit to understand where they can simplify and consolidate assets to better prove that they have a full overview of their infrastructure and can implement the needed policies to remain compliant.

This simplicity should extend to technology vendors as well. Instead of running upwards of 30 security vendors for different firewalls and VPN solutions, organisations should aim for vendors that can route all apps and solutions through a central platform, giving greater visibility of their infrastructure.

Additionally, implementing a Zero Trust architecture helps to reduce an organisation’s attack surface, prevents lateral movement, and allows them to securely connect the right user to the right application without exposing their networks to the internet. This significantly mitigates the risk of attacks while helping organisations meet NIS 2 and DORA’s mandates for secure data handling, access controls and incident management.

“We truly believe that Zero Trust is needed, not just to solve NIS 2 concerns, but in building a foundation of how we should design and implement secure environments across our industries in the future,” says Tucker.

As threat actors continue to innovate and evolve the way they target critical industries, the need for regulations and directives that improve both security infrastructure and resilience is more important than ever. If implemented correctly and with the technical advice of experts, directives such as NIS 2 and DORA can help IT leaders have a bigger voice within the C-suite. They can secure the investment needed to create a strong security foundation upon which they can innovate and help push the company forward, rather than ending up in a compliance black hole of simply ensuring that they have ticked the right boxes to avoid punishment.

For more information please visit www.zscaler.com