Here's a NIS2 compliance checklist since no one cares about deadlines anymore

The European Union's NIS2 Directive came into force on January 16, 2023, and member states had until October 17, 2024, to transpose it into national law. Yet many organizations still don't meet the required standards two years after it was approved. According to a survey from backup shop Veeam carried out shortly before the …

  1. Guy de Loimbard Silver badge

    Regulation Fatigue

    I have been working on the myriad of National and EU regulations since they started flowing out of the EU with NIS Directive and GDPR.

    Any organisation with an international footprint of operations is under such pressure to "comply" with all the international, state, Bloc, Local, National rules and regulations that, quite frankly, they are now suffering from compliance fatigue and wondering what comes next.

    Whilst the continual sword of Damocles threat of punitive fines hangs there, most organisations are still reeling from the last set of regulations or audits, or regulators or customer security questionnaires etc etc and more audits and more intrusive questions and so on.

    I'm all for regulation, but the EU seems hell bent on producing so many regulations and acts that no-one, not even the EU themselves are managing to keep up with it!

    I can use DORA as an example. Half of the RTS and ITS aren't ratified or defined yet, there are huge gaps in its implementation and compliance and it "goes live" in January 2025... How?

    All I keep hearing about is Federal fines for this, EU fines for that and so on.

    Governments need to look at supporting businesses to become resilient and operate well, not see the private sector as a cash cow via fines and settlements!

    1. Anonymous Coward

      Re: Regulation Fatigue

      Speaking as a UK regulator, I don't think UK or European regulators see business as a cash cow, the whole "fines up to 10% of global turnover" bollocks got plucked from a policy officer's backside as a default penalty because the policy officials didn't understand either regulation or business.

      Regulators and policy making officials are chalk and cheese, as different from each other as IT pros are from sales or finance. From a regulator's perspective, what we want is compliance. We aren't policemen, we don't keep any fines, but our purpose is (believe it or not) to help business into compliance, and penalties are a last and very reluctant resort. We undertake market surveillance (in EU speak) to detect non-compliance, but we hope not to find it. If we find it, we hope a friendly word will get the needed outcome. If the friendly word doesn't work, there are some statutory powers to request specific actions or request information.

      From a business perspective, they don't (mostly) intend to not comply. They want clear guidance, plenty of notice, help with understanding and meeting the rules. Fines are also mostly an "other operating expense" or exceptional item, so don't harm executive bonuses, they often don't come out of any particular director's budget, so the organisation feels no pain.

      There are some instances where an organisation breaches the rules either deliberately or through wanton neglect, and in that case the public expect big penalties, but in general there are better ways of getting compliance than the threat of draconian fines, and ways of exacting penalties that scare business far more than cash fines, such as brief sales suspensions.

      And as you rightly say, too much regulation, overbearing scope, and poorly drafted laws are bad for business, bad for compliance and thus bad for regulators.

      1. Anonymous Coward

        Re: Regulation Fatigue

        > From a business perspective, they don't (mostly) intend to not comply. They want clear guidance, plenty of notice, help with understanding and meeting the rules.

        To use the introduction of GDPR (25th May 2018) as an example, it seems like a large number of organisations, despite having plenty of notice, did nothing until the last minute.

        In the UK some of that can be blamed on the ICO, including their "position" that they wouldn't actively enforce GDPR for (6?) months after it came into effect - what did they think was going to happen as a result? Those orgs that "couldn't be bothered" to be in compliance by 25th May 2018 then put off their compliance activities again for months when ICO signalled their lack of enforcement...

        The 2 year period between the GDPR law being signed off in the EU in 2016 through to 25th May 2018 *was* the notice and implementation period for orgs to ensure they were in compliance *by* the date it came into effect.

        So businesses in general want plenty of notice about new regulations, but when they get that they still don't want to do anything about the regs until the last minute (or after the last minute)?

  2. mhs1973

    Determine whether your organization is in NIS2's scope, How?

    There are enough rather hard to pin down phrases within this 'regulation' that make it almost impossible to determine if you are indeed in the scope, or not.

    And if you are in scope, for some (smaller) companies it is (or will be) rather hard to meet the requirements, simply because the effort is very expensive.

    Additionally, to comply, certain processes will slow down and require employing more people who have to be qualified and certified to perform their duties.

    Where will they come from? How will they be paid?

    Example: A small company (let's say 10 staff) is an integral part of several corporations, each with >50 million Euro total revenue globally. Total revenue, not profit. The corporations are in the transport sector. The small company provides, let's say, a logistics scheduling tool without which the large corporations cannot easily function. Under long term contracts.

    Thanks to NIS2 and its requirements the small company is in scope and now has to employ 5 additional people with certifications in various professions, one of them being a person who is only there to monitor compliance.

    Changes to the product now take 6 months where before they took 1 week. Said changes might be for optimization of the scheduling because of e.g. certain waterways being blocked.

    The cost of doing business has increased for no real reason and there is no sensible way to increase the price of the product short term.

    Result: (best case scenario) the owner sells off the product to a larger corporation and the other 14 people have to look for new jobs.

    (worst case scenario) the company closes its doors, the product is not usable anymore and the transport corporations which used it are in chaos. It spreads to the population because one of them is a major participant in transporting perishable goods, and nothing arrives anymore in the shops. Looting and burning ensues and soon people are reduced to trying to eat the politicians. It turns out they are not even useful for that purpose because it's either hot air inside them, or excrement. Everyone (else) dies of dysentery.

    1. Zardoz2293

      Re: Determine whether your organization is in NIS2's scope, How?

      All is true but I think the real goal of these regulations, as they have been implemented, is to eliminate small to medium business entities. As for the larger firms, who benefit from the elimination of the smaller, they increase their prices, claim compliance, and when they as standard operating procedure technically fail all compliance in reality, they get a pass from penalties from the "authorities". Sounds like the USA. In the end NIS1 and NIS2 are ill conceived, and overtly complex with vagueness. Sounds like they are not compliant themselves in the very rules they intend to enforce. SOP = FAIL.

    2. Like a badger

      Re: Determine whether your organization is in NIS2's scope, How?

      The recent-ish report by Mario Draghi recognises many of these problems around regulation and its effect on the economy, but we have yet to see whether the EU in general is able to come up with a constructive response. As the EU governing elite are bureaucrats whose primary purpose has been the centralisation of power, how confident is anybody that it can undo fifty years of that approach?

      Worth bearing in mind that most legislation and regulation starts from a real or perceived need - in this case the woeful cybersecurity of many important firms.

  3. Anonymous Coward

    As long as judicial bodies take a lackadaisical attitude to enforcement, companies will take a lackadaisical attitude to compliance.

    The usual plaster over the cracks is judicious influencing of the enforcement agencies and the politicians who ride their backs.

    The only way to actually make it happen is to hang 'em high and focus their replacements' minds.

  4. Mike 137 Silver badge

    Some hope!!

    "introducing more robust requirements in key areas: Risk management; corporate responsibility ..."

    I doubt whether any organisation falling within the scope currently has a cat's chance in Hell of genuinely complying with these requirements, primarily because infosec risk management hardly exists in practical terms. The fundamental reason is that risk assessment as currently conducted is about as reliable as crystal ball gazing, so management decisions are based largely on utter nonsense most of the time. So until infosec risk assessment training gets real (i.e. includes the basic axioms of probability and how to apply them, robust methods for identifying potential root causes, and the psychology of good and bad judgement) no 'method' or tool will raise the quality of risk management to a standard that permits real corporate responsibility to be exercised.

    1. Guy de Loimbard Silver badge

      Re: Some hope!!

      Good points Mike 137,

      Risk Assessments are still being done by "best guess" or "in my experience" - probability calculations come down to individuals' own experiences rather than a practitioner's history that is truly well rooted in theory.

      It's one of my biggest challenges when presenting observations and recommendations when reviewing a particular area, once you add the finger in air scoring, it becomes completely subjective and is then attacked by other people's own subjectivity and fails to add any value.

      I don't know of many well experienced and/or well respected risk professionals that can cover information security risk assessments without any ambiguity or challenge.

  5. Tron Silver badge

    More use of hybrid processes.

    Simply because you can digitise a process, doesn't mean you should. If it reduces resilience and increases costs (including hardware, software and subscription costs, year on year), then it may be better to pay staff to do things manually on paper with offline systems. Increasing regulations and fines may also require companies to use less tech.

  6. OhForF' Silver badge

    >With the deadline for enforcement approaching, businesses have been left confused about their responsibilities.<

    I'm pretty sure most businesses are happy the member states drag their feet as it will give them an excuse to do nothing before that directive is a national law.

    Is it cynical to expect lobbying on local level to delay for as long as possible?
