Article 6M9W7 NIS2, or How to Fight Them Cybercriminals

by janrinok from SoylentNews on (#6M9W7)

quietus writes:

The EU is at it again -- unleashing a new raft of legislation upon world+donkey.

Maybe some of the colored tape bureaucrats are avid readers of SoylentNews, as this time they got top management in their crosshairs.

EU members need to implement the directive into national law by January 16, next year (2025). Full text of the directive here, interesting reviews here and here, and a link to the EU's wider Cybersecurity Strategy (which also involves security of hardware and software products) here.

The culprit of service is the second generation of the EU's Cybersecurity Directive (NIS2). The new legislation widely extends its scope to nearly any company with more than 50 employees and 10M+ in yearly revenue. On top of that, the number of industrial sectors which are deemed essential in terms of critical infrastructure doubles from 6 to 12, including ICT service management, government institutions, post and courier services, manufacturing companies, the food-processing industry, waste water management, space companies, research organisations and the chemical industry as a whole. Suppliers to these companies can also fall under the new regulation.

In practice, national centers for cybersecurity will be responsible for executing cybersecurity checks through audits and/or unannounced security scans. If the target company neglects their recommendations, it risks heavy fines: at least 2 percent of worldwide revenue up to a maximum of 10 million for companies with more than 250 employees, or more than 50 million yearly revenue. Smaller companies risk at least 1.4 percent of yearly revenue with a maximum of 7 million.

These fines cannot just be classified under company expenses, though. Under the new regulation, CEOs and board members are obligated to follow cybersecurity training, and to sign off on all cybersecurity measures. They are deemed personally responsible, and run the risk of being barred temporarily from similar roles, and -- most importantly -- of having to pay the resulting fine out of their own pocket, not through the company.
