What You Should Know About the New European NIS2 Directive on Cybersecurity

CEOs of essential companies must prepare for the NIS2 Directive on cybersecurity, whose deadline for transposition is October 17. Cybersecurity is a pressing issue in the business landscape, as highlighted by the wave of cyberattacks that occurred during the summer.

Telefónica, Santander, Iberdrola, El Corte Inglés, Air Europa, Decathlon, Ticketmaster and Alcampo are just a few of the major companies affected. The fact that these large companies have fallen victim to such crimes underscores the challenge of implementing effective security measures amid high vulnerability. It’s important to note that, according to a study by technology firm Pandora FMS based on data from the National Cybersecurity Institute (INCIBE), Spanish strategic sectors are more threatened than ever. The energy, banking, and transportation sectors account for 25% of attempted attacks.

A company is severely impacted when a cyberattack causes a security breach and data is exposed. On the one hand, these attacks often result in financial losses. On the other hand, they damage the company’s image and reputation, as key stakeholders may lose trust.

Protection Against Cyber Risks: Effective Security Measures and Response Plan

Protecting against cyber risks is crucial for both large and small companies. In 2023 alone, more than 4.5 billion attempted cyberattacks were reported worldwide. Meeting this challenge takes more than having the most sophisticated security measures on the market, which most small and medium-sized enterprises (SMEs) cannot afford in any case. According to the INCIBE (National Cybersecurity Institute), 96% of companies in Spain have some security measure, but only 2.3% have all available protections.

Effective protection requires that technical security measures be complemented with an action protocol: a response plan that tells top management what to do in the first hours and days after a cyberattack. From a technical perspective, the objective is to restore business as usual as quickly as possible. But it’s also necessary to comply with regulatory requirements to avoid severe penalties. Unlike the most sophisticated technical measures, a cyberattack response plan is within reach of small and medium-sized companies. In this response plan, communication plays a strategic role.

Communication Is Strategic in Case of a Cyberattack, Especially With the NIS2 Directive

Why is communication strategic in the event of a cyberattack? Because regulations are becoming increasingly strict in these matters. If a company fails to notify the relevant authorities and affected parties with diligence and transparency, it risks severe financial penalties. Moreover, the European NIS2 Directive, which provides legal measures to boost the overall level of cybersecurity in the EU, allows regulators to temporarily remove executives (including the CEO) if they consider that those executives are not acting with the required diligence and transparency in their communication.

The NIS2 Directive entered into force in January 2023 and must be transposed by all European countries by October 2024. Among its new requirements, it mandates that companies notify the authorities of a major security incident within 24 hours of its detection. An initial assessment of the incident must also be submitted within 72 hours. These requirements apply to companies considered essential in strategic sectors such as energy, transportation, water, banking, and healthcare, among others.

If You Are a Communication Director, Protect Yourself Against the NIS2 Directive

Knowing what to do in the first hours and days after a cyberattack can make the difference between a quick recovery and a worsening crisis, between incurring severe penalties and avoiding them. As we’ve seen, it can also determine whether the state intervenes in your company by removing its executive team. In this context, communication directors of essential and critical entities will face significant challenges with NIS2 in effect. Executive teams could be held personally liable for violations. To avoid this, they should act more swiftly and transparently than before.

To prevent the initial chaos of a crisis (which a cyberattack certainly is) from leading to improvisation and mistakes that could result in the state intervening and removing them from their roles, it is best to have a clear action plan in advance. This procedure should clearly state, for instance, that in the event of a serious cybersecurity incident there is a maximum of 24 hours to notify the relevant CSIRT (Computer Security Incident Response Team) or, if applicable, the competent authority (INCIBE-CERT and the Spanish Data Protection Agency in the case of a data breach). Companies also have 72 hours to submit an initial evaluation report to these authorities. Additionally, they must inform users, customers, and all potentially affected parties as soon as they suspect that sensitive data may have been exposed. Failing to do so, or not doing so with sufficient diligence, can result in severe penalties of up to 10 million euros or 2% of annual revenue.