What tough new cyber regulations mean for big business

Companies could face hefty fines or even suspensions of service in the European Union under strict new cybersecurity regulations set to come into force next month.

The EU’s NIS 2 cybersecurity directive will on Oct. 17 become enforceable by member states. That means firms will have to ensure their operations are up to scratch with obligations set out by the new law.

The rules impose tougher requirements on companies around their internal cyber resilience strategy and internal practices.

CNBC runs through all you need to know about NIS 2 — from what the law requires to the potential penalties businesses could face for violations.

NIS 2, which stands for Network and Information Security Directive 2, is an EU directive that aims to increase the security of IT systems and networks across the bloc. Introduced in 2020, the law serves as an update to an earlier directive simply called NIS.

NIS 2 expands the scope of its predecessor to address more recent cybersecurity challenges and threats that have emerged as criminals have found new ways to hack companies and compromise their sensitive data.

The directive applies to organizations that operate within the EU and provide essential services to consumers, including banks, energy suppliers, health care institutions, internet providers, transport firms, and waste processors.

The main areas it will address are risk management, corporate accountability, reporting obligations, and business continuity planning in the event of a cyber breach.

Geert van der Linden, executive vice president of global cybersecurity services at Capgemini, told CNBC that NIS 2 has effectively set a new baseline for companies on what’s acceptable to protect citizens, maintain operations and remain resilient in the face of cyberattacks.

“NIS 2 will be seen as a global standard by judges” when it becomes enforceable, Van der Linden added. “For our clients, regardless of whether they are seen as essential or important in the regulation, they have to look at that baseline and make sure they are compliant.”

By meeting this baseline, companies will effectively protect themselves against claims, Van der Linden added. He compared it to taking out home insurance to protect your house from burglars.

“Where do the burglars go? It’s always the least protected house. They open every door to see where can they get in,” he said. The same is becoming true for companies looking to protect themselves from cyberattacks, Van der Linden added.

Under NIS 2, firms will also have to vet their digital supply chains for cyber threats and vulnerabilities. Companies today use multiple different products and tools every day, giving criminals more potential avenues of attack.

Chris Gow, head of Cisco’s EU public policy team, told CNBC that a “mapping exercise” will take place under NIS 2 where companies have to scan their tech vendors to evaluate any potential risks.

Businesses will also have a “duty of care” to report and share information on cyber vulnerabilities and hacks with other companies under NIS 2 — even if it means having to own up to being a victim of a cyber breach.

Companies that fail to comply with the new law could face massive potential fines, along with other punitive actions.

For entities considered essential, like transport, finance and water companies, failure to comply with NIS 2 can lead to fine of up to 10 million euros ($11.1 million) or 2% of global annual revenues — whichever ends up being the higher amount.

Companies that are considered to be essential, meanwhile — such as food companies, chemicals firms, and waste management services — face fines of up to 7 million euros or 1.4% of their global annual revenues for noncompliance.

Firms can also face possible suspensions of service if they fail to comply with NIS 2, as well as closer supervision to see if they have become compliant.

If a business falls victim to a cyber breach, they’ll have 24 hours to submit an early warning notification to authorities. This is stricter than the 72 hour time window firms have to notify authorities about a data breach under GDPR (General Data Protection Regulation), a separate data privacy law in the EU.

“Preparing for NIS 2 is not a race to see what you can get away with, rather it is a race in which the strongest organisations race past the baseline and leverage this effort to their competitive advantage,” Carl Leonard, EMEA cybersecurity strategist for Proofpoint, told CNBC.

“I anticipate organisations will be better supported through efforts coordinated at a European Union level,” Leonard said. “This will include shared threat intelligence, a higher common level of cybersecurity and a ‘we are in this together’ mentality.”

Businesses have been racing to get their internal processes and controls, as well as broader culture around cybersecurity, into shape ahead of the Oct. 17 deadline.

Cisco’s Gow said that even without the threat of new regulation looming, businesses have been working hard to shift their culture internally to ensure that they’re taking the threat of cyber breaches and outage incidents seriously.

“Even aside from what’s happening on the regulatory side, we see that reporting is happening from CISO [chief information security officer] level all the way up to the board and management.”

He added though that NIS 2 is causing businesses to act faster on bringing their cyber controls and practices up to speed with the new rules.

“It definitely does have an impact,” he said. “I’m seeing it myself. People internally are coming forward with questions from sales and management, asking ‘How does this play out for us?'” He added there’s “preparation to do right now” for businesses to ensure they meet the requirements of NIS 2.

Still, even with cyber security a much more prominent focus in board rooms, this hasn’t stopped cyberattacks from taking place.

Earlier this year, a ransomware attack on Synnovis, a private health care provider in the U.K., disrupted more than 3,000 hospital and GP appointments. The attacker, a Russian-based hacking group called Qilin, demanded a £40 million ransom payment.

Gow said that it would be a mistake to assume that new regulation can prevent similar incidents from happening in future, but added that NIS 2 has helped “create some scrutiny and focus resources around demonstrating how you’re going about lifting overall security levels.”