The EU tightens cybersecurity requirements for critical infrastructure and services with the new NIS2 Directive – what does this mean for small businesses?
Cybersecurity is a vital concern for any business. However, not all businesses face the same level of cyberthreats or regulatory obligations. In this blog post, we’ll explain what the NIS2 Directive is, who it applies to, and whether small businesses need to take action. The NIS2 Directive is the EU-wide legislation on cybersecurity. It provides legal measures to boost the overall level of cybersecurity in the EU. Starting in October 2024, businesses operating certain enumerated essential services or critical infrastructure within the EU will need to meet its requirements for cybersecurity. The NIS2 Directive is primarily aimed at medium and large businesses. However, if you run a small business, how does this initiative impact you? The EU Commission Recommendation 2003/361/EC1 clearly defines a small business as one that employs less than 50 people and has an annual turnover or annual balance sheet of less than €10M. The NIS2 Directive is of most concern to medium and large businesses, and only a very small fraction of small businesses has to meet its requirements. Small businesses that operate uniquely critical and essential services and those that act as providers of electronic communications networks or publicly available electronic communications services, trust service providers, and top-level domain (TLD) name registries must meet the NIS2 Directive, regardless of their size. Companies that employ more than 50 but fewer than 250 people and have an annual turnover not exceeding €50M and/or an annual balance sheet less than €43M are classed by the EU as a ‘medium-sized business’. But even if you are a medium-sized business, you will be impacted by the NIS2 Directive only if you are active in one of the critical sectors explicitly specified in the annexes to the directive. Cybersecurity solutions that are designed to help businesses meet the NIS2 Directive are likely to be more complex and require security expertise to implement and manage. Consequently, they are probably more expensive to buy and operate. They will also generally be designed to be operated by in-house cybersecurity teams or a Managed Security Service Provider (MSSP). However, for small businesses without IT personnel and/or cybersecurity expertise, the more complex a system is, the more likely it is to be misconfigured, which can result in a less secure solution than desired. Moreover, no single software solution can ensure full compliance with the NIS 2 Directive, as the guidelines of the directive go far beyond deployment of cybersecurity software, requiring companies to take additional organisational and operational measures and follow extensive documentation obligations. It is also worth pointing out that the NIS2 Directive describes required security measures only very generally. More details about the specific security measures required to meet the NIS 2 Directive requirements will be included in delegated acts of the European Commission and local laws adopted by individual member states implementing the NIS 2 Directive, none of which is currently fully known. While NIS2 introduces important cybersecurity and resilience measures, most businesses (regardless of size) do not fall within its stringent requirements due to their sector and risk profile. However, understanding and voluntarily adopting some of its best practices could still benefit small businesses in enhancing their cybersecurity posture and helping to build customer trust. Enterprise-grade cybersecurity products are designed to be used by security professionals or Managed Security Service Providers. They’ll generally have many more capabilities than any small business user will ever need or use. So, it’s worth considering whether buying a product or service that helps you meet a directive, but isn’t relevant to your business and has features you’ll never use, makes economic sense. If you would like more information on the NIS 2 Directive, please visit: https://eur-lex.europa.eu/eli/dir/2022/2555What is the NIS2 Directive?
What is a ‘small business’?
I run a small business, do I have to meet the NIS2 Directive?
I’m a medium-sized business, do I need to meet the NIS2 Directive?
Why would a security vendor advise me to consider meeting the NIS2 Directive if the law tells me I don’t need to?
What’s special about a cybersecurity solution that helps me meet the NIS2 Directive?