COMPLIANCE REQUIREMENTS – NIS2

Sigurður Gísli Bjarnason

Introduction

Compliance requirements are a hot topic at all the cybersecurity events I attend these days, so I thought I would share my thoughts.

Most of the talk is about the EU's new NIS2 directive. NIS stands for Network and Information Security; the original NIS directive was adopted in the EU in 2016. A few years later, the EU decided it could do better and adopted a revised version, NIS2 (Directive (EU) 2022/2555), in 2022. Because NIS2 is a directive rather than a regulation, it does not apply on its own: member states had until October 17, 2024, to transpose it into national law, with the rules applying from October 18, 2024. As of October 23, 2024, only four member states had met that deadline, but the rest are expected to catch up by the end of 2024.

The EEA/EFTA states (Iceland, Norway, and Liechtenstein) are expected to incorporate the directive into national law sometime in 2026.

Overview

The law imposes strict requirements and severe penalties for inadequate cybersecurity. For essential entities, fines can reach 10 million euros or 2% of total worldwide annual turnover, whichever is higher (for important entities the ceiling is 7 million euros or 1.4%). Non-compliance can also bring closer supervision, on-site inspections and audits, binding orders to fix deficiencies, and, for essential entities, temporary suspension of the authorization to provide the relevant services and a temporary ban on the executives responsible from exercising management functions. Management bodies can be held personally liable for failing to approve and oversee the security measures. The law therefore has many very sharp teeth.

Although the list of requirements is long, nothing on it is new. It is basic security hygiene that the entire industry has been preaching for years, and frameworks such as the NIST Cybersecurity Framework and ISO 27001 have covered the same ground for just as long. In fact, if you hold an ISO 27001 certification whose scope is the entire company, you should be in fairly good standing on NIS2. Think of it as a legally mandated ISO 27001 certification where you cannot scope the certification down to the janitor's closet, and where the penalty is losing your authorization to operate rather than just losing a certificate.

Where NIS2 goes further than ISO 27001 is mainly incident reporting, business continuity, and supply-chain security. On reporting, NIS2 sets fixed deadlines: an early warning to the national CSIRT or competent authority within 24 hours of becoming aware of a significant incident (stating whether it is suspected to be malicious and whether it may have cross-border impact), a fuller incident notification within 72 hours with an initial assessment of severity and impact and any available indicators of compromise, intermediate reports when the authority asks for them, and a final report within one month. Where appropriate, significantly affected customers must also be informed.

Scope of NIS2

NIS2 defines its scope by sector. Its annexes list 18 sectors, split into sectors of high criticality (Annex I) and other critical sectors (Annex II), and entities in these sectors fall directly under NIS2:

Annex I, sectors of high criticality:

  • Energy (electricity, district heating and cooling, oil, gas, hydrogen)
  • Transport (air, rail, water, road)
  • Banking
  • Financial market infrastructures
  • Health
  • Drinking water
  • Wastewater
  • Digital infrastructure
  • ICT service management (business-to-business)
  • Public administration
  • Space

Annex II, other critical sectors:

  • Postal and courier services
  • Waste management
  • Manufacture, production and distribution of chemicals
  • Production, processing and distribution of food
  • Manufacturing (medical devices, computers and electronics, electrical equipment, machinery, motor vehicles and other transport equipment)
  • Digital providers (online marketplaces, online search engines, social networking platforms)
  • Research

Insurance is not a NIS2 sector: financial entities, insurers included, are covered instead by the DORA regulation, which takes precedence over NIS2 for them.

Did you notice I said "fall directly under"? Those sectors already cover a great many companies, but they are only part of the picture, because NIS2 also obliges in-scope entities to manage the security of their supply chain. Companies that supply or service in-scope entities therefore get pulled in indirectly, so in practice far fewer companies are out of reach than the sector list suggests.

Even though NIS2 may not make it into Icelandic law for another one to two years, Icelandic companies are not off the hook. The EU cannot fine an Icelandic company under a directive Iceland has not transposed, but NIS2's supply-chain security requirement (Article 21(2)(d)) obliges covered EU entities to address security in their relationships with their direct suppliers and service providers, and supervisors can penalize those entities for failing to do so. An EU customer that is in scope will therefore push the requirements down to you through contracts and supplier assessments, and if you service such a customer you could lose the business if you do not meet them.

There is also a size-based exemption. NIS2 applies to entities that qualify as medium-sized or larger, so small and micro-enterprises, meaning those with fewer than 50 employees and an annual turnover or balance sheet total of 10 million euros or less, are generally out of scope. The exemption does not apply to certain categories regardless of size, for example DNS service providers, top-level domain registries, trust service providers, providers of public electronic communications networks or services, and any entity that is the sole provider in a member state of a service essential to society. At roughly 150 ISK to the euro, the turnover threshold is about 1.5 billion ISK a year, or around 125 million ISK a month. Plenty of Icelandic companies are below that line, which is exactly why the rest of this post matters.

Put bluntly, the size cap encodes a judgement that an outage at an exempt company would not have a significant impact on the economy or on society.

Perspective

If you sit down with your lawyer, go through all the requirements, and are told that your company does not, according to the law, need to meet them, you might be tempted to celebrate. Realize what you are celebrating: the law considers your company so small and insignificant that hardly anyone will notice or care if a cyberattack or some other incident takes you out of operation for a few weeks, with the associated loss of revenue.

Instead of thinking that you are legally allowed to be negligent and careless about your company’s cybersecurity, I suggest you take a different approach.

I recommend that you save yourself the legal costs of working out whether you are legally obligated, and simply decide that you will comply with the law whether or not you can be fined. You can declare that your company is socially important and large enough to matter. If you do not think your company is important or matters to society, why are you in business?

Once you have decided that your company matters, start a management-supported project to strengthen your cybersecurity, and prioritize the work so that you meet all the NIS2 requirements.

If you need assistance with that project, we are available to help you plan it, prioritize, and figure out where you should focus your efforts. We never sell you anything you do not need, but we are available to help you identify where you might have gaps and develop a plan to fill those gaps with minimal cost. If you have limited resources, we can work with you to find ways to meet the requirements and be secure with the least possible investment.

In conclusion

The truth is that all companies are in their own way both significant and important, and in most cases part of a larger whole and a longer chain. Your company may be servicing an even larger company, and it may become a requirement from them that all their suppliers and service providers have their cybersecurity in order. The point is that cybersecurity is like looking after your teeth or your car: if you do regular maintenance you keep your teeth intact and your car rust-free, but if you neglect it you will eventually face a major repair, which is expensive. Do not wait until you are in trouble. Book a free consultation with us today.
