NIS2 is one of the cybersecurity frameworks that should be on the radar of most organizations. Translating it into practice within the organization often falls to the CISO. Yet tracking and implementing such legislation is no easy task, especially when resources are scarce or there’s no expertise in the boardroom.
Cybersecurity regulations are essential, but they make life considerably more complex for organizations. First, because they often involve multiple legislative frameworks that overlap to some degree. NIS2 is undoubtedly the best known, but depending on the sector you may also need to consider DORA (for the financial sector), the Cyber Resilience Act (for hardware and software products with digital elements), and the Critical Entities Resilience (CER) Directive (for the physical resilience of critical entities).
A second challenge is applying all these texts. An EU regulation such as DORA or the Cyber Resilience Act applies directly in every member state, whereas a directive such as NIS2 or CER must first be transposed into national law. In the latter case, there is a strong chance that countries will emphasize different priorities, which makes life hard for multinationals. Belgium, for example, points NIS2 entities to the CyberFundamentals (CyFun) framework of the Centre for Cybersecurity Belgium (CCB) as its compliance guide, while another country might prefer NIST, ISO 27001, or even a homegrown framework.
This results in a tangle of policy frameworks with varying deadlines, implementation methods, and reporting requirements. The interpretation of the rules is often left open to debate. NIS2, for instance, requires measures for business continuity, such as backup management and disaster recovery, but says nothing about what "adequate" looks like for your organization; that vagueness is deliberate. It is therefore crucial to think this through, get informed, and distill the essence of the legislation, a responsibility that typically lands with the CISO.
For CISOs, legislation is often a complex matter. Most have a technical background, which rarely aligns with legal expertise. Large organizations can rely on an in-house legal department, but even legal professionals find cybersecurity regulation a niche field. And even when you know the potential penalties and what needs to be done to be compliant, that still doesn’t mean anything has been implemented yet.
To make matters worse, CISOs often have few resources and limited access to the board. The “C” in CISO officially stands for “Chief,” but in practice, there is always at least one person above them. This makes it harder to get messages through to top decision-makers. Ideally, the “C” should also stand for “Collaborator” and “Communicator.” But that’s another challenge: even if the CISO gets a seat at the table, explaining the problem in understandable terms is not always easy.
The result is high pressure and, consequently, high turnover. The average CISO must take on all compliance-related tasks in addition to their existing work. Some companies don’t have a CISO at all and divide the puzzle among several people, making follow-up even more chaotic.
For many companies, the process starts from scratch, meaning they don’t have a full-time CISO role from day one because there are still other, more technical fires to put out. This is one reason why CISO-as-a-Service is becoming more popular: it helps organizations take the first steps until they’re ready to hire someone full-time.
Whereas most SME solutions are still focused on prevention, a SOC approach is about detection and response. “Today, SMEs often still believe they can stop criminals from getting in,” says Van der Perre. “But that’s no longer realistic. With Micro-SOC, they can detect intruders before ransomware is triggered. And many businesses don’t even realise they’re already compromised. If we see something suspicious, we pick up the phone. We explain what’s happening in plain language, and we help remediate.”
The positive side of NIS2 is that it puts cybersecurity on the agenda and raises awareness: management bodies must approve and oversee the cybersecurity risk-management measures and can be held personally liable if they fail to do so. Unlike the GDPR, where the number of fines remained relatively low, the creators of NIS2 have clearly thought through how to enforce compliance. It pushes companies to reflect and shift to a more risk-based approach.
So what’s the solution for CISOs struggling with NIS2 and other regulations? A good cybersecurity partner can help build a strong case. There are also products on the market claiming NIS2 compliance. While that may be true to some degree, you should never think you can be compliant in one step: a product is essentially the automation of a compliance journey you have already started. Be cautious with self-proclaimed experts, who often take an opportunistic approach, and remember that we are all still learning about these regulations together.
Ultimately, NIS2 and similar legislation boil down to one key question: what do you need to do to get the business back up and running as quickly as possible after an incident? If you can answer that, you’re already far ahead. There’s no point in spending €150 million on cybersecurity if your company’s turnover is €100 million. It’s all about proportion and interpretation. With limited budgets, you can’t do everything at once, and with a risk-based approach you don’t need to. By mapping risks, you can set the right priorities: what needs to be tackled now, and what can wait.
It’s up to the CISO to make that translation, ideally supported by a specialized partner who can extract the essence of legislation for your organization, help implement an appropriate framework, and make compliance demonstrable.
Orange Cyberdefense Belgium is proud to be one of the first Belgian companies to be officially recognized as NIS2-compliant. Read more about our NIS2 directive offering here.