Bernold Nieuwesteeg, director of the Centre for the Law and Economics of Cybersecurity at Erasmus School of Law, warns of a lack of uniformity in the way important and essential companies assess their cybersecurity levels. A new EU directive, the Network and Information Security 2 Directive (NIS2), requires important and essential organizations to have their cybersecurity in order and to map it out. However, the directive does not provide a standard method for documenting cybersecurity measures and strategies, Nieuwesteeg explains in an opinion piece in het Financieele Dagblad.
NIS2 must be transposed into the national legislation of EU member states by October 2024 and will apply to eighteen vital sectors, such as governments, energy companies, and the Port of Rotterdam. Cyber threats are increasing, which according to Nieuwesteeg is why more cybersecurity legislation is sensible: "It makes sense for the European legislator to encourage companies and organizations to work on cybersecurity. It increasingly concerns the security of the entire 'ecosystem.' Companies and organizations must map out the cybersecurity of their suppliers."
However, according to Nieuwesteeg, NIS2 is too vague about how cybersecurity must be implemented and what compliance requires, and the Dutch supervisory authority must intervene: "We see an increase in frameworks and forms for assessing the cyber risk of suppliers, with various questions: Does a company have the right cybersecurity policy? Does it comply with all laws and regulations? Has multifactor authentication been implemented? Is the cyber risk financially covered? Are employees sufficiently involved in the cybersecurity strategy? The questions vary widely and are numerous."
On top of the vague legislation, fines can amount to two percent of a company's annual global turnover. Moreover, criticism of cyber legislation can also lead to the accusation that you are trivializing cybersecurity. Nieuwesteeg finds this problematic: "an organization does not achieve optimal cybersecurity through fear, fines, and ambiguity."
According to the director of CLECS, there is an obvious solution to potential problems caused by NIS2: "The solution lies in developing a standard method for mapping out the suppliers. We can learn from the German automotive industry, where Mercedes, BMW, and Volkswagen have developed a single standard for quality control in suppliers. Approval from Volkswagen means you don't have to fill out similar forms for BMW. But the regulator must also provide clear examples of how organizations comply with the law. Is the use of Microsoft Teams or Zoom, for example, 'NIS2-proof'? The Dutch Data Protection Authority, which oversees the GDPR, is finally doing this, albeit slowly."