The process of integrating NIS2 into legislation among EU member states is underway. Once adopted and enacted, NIS2 will have significant implications for organizations and the cybersecurity teams working within them, defining stringent operating and reporting requirements that in turn will elevate the skills needed within cybersecurity teams.

Over the next few months, the European Union Network and Information Security Directive, better known as NIS2, will be transposed into national law by all EU member states. Although the regulation came into force in January 2023, EU national parliaments had a deadline of October 17, 2024, to incorporate the law into national regulation. So far, Belgium, Croatia, Hungary, Italy, Latvia, Slovakia and Lithuania have completed the process, with the other EU member states in various stages of progress towards completion.

Each EU member state needs to adopt national laws that achieve the goals and requirements of the EU Directive and align national legislation with EU legislation. This approach, while lengthy, allows each member state some flexibility in how NIS2 is enforced. While the main substance of the Directive will be the same across EU member states, some countries can choose to implement the Directive in a more rigorous manner, while others will interpret it less strictly.

The Impact of Variable Implementation

Regulatory uncertainty is likely, especially for companies operating across multiple EU member states, due to the differences in how each country chooses to implement the Directive. There is also a possibility that organizations may choose to establish an EU base in a country which has chosen to implement NIS2 in a less strict manner, as the complexity and cost of compliance will be lower. Organizations taking this approach risk being less protected and may operate with less stringent cybersecurity measures than their peers as a result.

Ensuring that organizations have the cybersecurity personnel and skills on hand to respond to NIS2 requirements will be a challenge. Over the past year, the cybersecurity workforce gap in Europe – the perceived need for additional cybersecurity expertise – increased by 9.8%. This is the equivalent of 424,000 skilled individuals. As NIS2 increases the demand for specific skills and personnel to put requirements into practice, this gap is likely to grow further. Teams will be put under further resource pressure to deliver the requirements of NIS2.

How NIS2 Will Impact Skills

NIS2 significantly impacts demand for a variety of skills and roles within cybersecurity teams. As a result of its requirements, demand for certain activities will increase and become vital. Key activities related to cybersecurity that will need to be carried out include:

Risk Management

  • Cybersecurity Risk Assessment: Conducting thorough risk assessments to identify vulnerabilities in network and information systems
  • Regular Cybersecurity Audits and Reviews: Conducting periodic audits and reviews to evaluate the effectiveness of cybersecurity measures
  • Cybersecurity Policy Development: Developing and enforcing policies for assessing the effectiveness of cybersecurity risk management
  • Business Continuity Planning: Developing and maintaining plans for business continuity, including backup management and disaster recovery processes
  • Data Protection and Privacy Compliance: Ensuring compliance with data protection and privacy regulations, in alignment with cybersecurity measures

Implementation

  • Development and Maintenance of Cybersecurity Frameworks: Creating and updating frameworks for managing cybersecurity crises and incidents
  • Training and Awareness Programs: Conducting regular cybersecurity training and awareness programs for staff at all levels
  • Implementation of Security Measures: Ensuring the adoption and implementation of appropriate security measures, including elements like multi-factor authentication, to prevent or minimize the impact of cyber incidents
  • Cross-border and Cross-sectoral Cooperation: Facilitating cooperation within and across sectors and borders, especially in information sharing and response coordination

Management and Reporting

  • Vulnerability Management and Reporting: Detecting, reporting and managing vulnerabilities, including maintaining an anonymous reporting process
  • Incident Response and Reporting: Establishing and executing incident response plans, including timely reporting of significant incidents to designated authorities
  • Monitoring and Analysis of Cyber Threats: Continuously monitoring and analyzing cyber threats and incidents, disseminating information about these threats
  • Supply Chain Security Management: Securing the supply chain, including evaluating the cybersecurity practices of suppliers and service providers

Delivering and maintaining these elements to the required level (requirements which may vary in stringency from country to country) will require a diverse range of skills and roles within organizations. This emphasizes the need to evaluate the cybersecurity workforce, identify potential team and skills gaps, and address them through reskilling, upskilling, and, where necessary, hiring additional staff.

ENISA Consultation: Your Opportunity to Shape Technical Guidance for NIS2 Implementation

ENISA has launched a public consultation on its draft technical guidance aimed at helping entities and EU member states implement the cybersecurity risk-management measures mandated by NIS2. This guidance translates the NIS2 requirements into practical, actionable steps, offering explanations of legal concepts, examples of evidence to demonstrate compliance, and mappings to European and international standards.

ISC2 encourages members across Europe to participate in this consultation, both individually and as part of our collective response. Your insights can help ensure the guidance reflects the real-world challenges and needs of cybersecurity professionals. The consultation is open until 9 December 2024, 18:00 CET, and feedback can be submitted through ENISA’s official form and Excel template.

With NIS2 progressing, ISC2 is also seeking volunteers to engage in an exclusive project that will result in supportive guidance for impacted organizations. Participants will engage in one full-day workshop this fall and will be asked to supply additional insights in the succeeding weeks. Those interested should register as a Content Curator on the ISC2 Volunteer Interest Form. Selected members will be valued as a Subject Matter Expert (SME) and receive Continuing Professional Education (CPE) credits. More information is available at https://www.isc2.org/volunteer/volunteer-opportunities/content-curator-nis-2-directive. Should you be interested in learning more or have questions, please reach out to GuidanceTeam@isc2.org.
