Why NIS2 calls for better reporting in Luxembourg

RFA | 4:26 pm, 14th July

In May, the European Commission welcomed a new political agreement called NIS2, reflecting the Union's demand for higher levels of cybersecurity across the continent. The original NIS was the first piece of EU-wide legislation centred on cybersecurity. NIS2 has been introduced in response to the continuing digitalisation of business in Europe and the simultaneous surge in cyberattacks. Europe is an interconnected society, which leaves the continent exposed to malicious cyber activity that can originate anywhere in the world. This is particularly pertinent given the current geopolitical climate.

The most alarming problems with cyberattacks are their speed, their capacity to transcend borders and their overall cost. In 2017, Cybersecurity Ventures forecast that the global damage costs of ransomware would reach US$20 billion by 2021, fifty-seven times the total damage reported in 2015. The same report notes that a ransomware attack occurred every 40 seconds in 2016, whereas today attacks are far more frequent, estimated at one every 10 seconds or less.


As a result, the European Union has called for businesses in all Member States, including Luxembourg, to adhere to stricter security requirements and for reporting obligations to be streamlined. These changes will be reinforced by harmonised sanctions across the Union.


The new reporting obligations mean that a firm's resources will need to focus on mitigating incidents during the crucial early phases of their emergence. According to the EU, firms will have a 24-hour window in which to report an incident to the CSIRT. This change means that businesses will be forced to divert considerable resources away from mitigation towards legal compliance.


The goal of NIS2 is to reduce inconsistencies in resilience across market sectors. In addition, companies will be obliged to address and/or implement seven key elements with regard to the security measures they take. These include supply chain security, vulnerability disclosure, encryption, and incident response policies and procedures.


To successfully meet the new reporting requirements, hedge funds and private equity firms operating in Luxembourg will need to ensure they are compliant with the NIS2 directive. This will require firms to invest in their governance and risk assessment processes. It will be critical to have an effective incident detection tool in place to alert the firm to any attacks, and this will need to be integrated with a reporting tool that can notify the CSIRT within the 24-hour window.


NIS2 is a key component of Europe's overall digital strategy. The European Union is working hard to allow society to thrive in the age of digital transformation. With the threat of large-scale cyberattacks ever looming, the way the EU responds to these incidents is crucial, and the EU needs to ensure its legal framework protects its citizens. The implementation of NIS2 will give financial firms operating in Luxembourg the building blocks to operate in a secure way that protects their business operations, client data and employee privacy.


Source: written by George Ralph, Global Managing Director & CRO at RFA.