EU NIS2 Directive and the future of cybersecurity for critical infrastructures – i.e., Subsea Cables
(A new era of compliance and opportunities)

The deadline for Member States to transpose the NIS2 Directive[2] into national law passed on 17 October 2024[1], ushering in a new era of cybersecurity regulation for critical infrastructure operators across the European Union. With the increasing reliance on digital networks and the global economy's dependence on secure, uninterrupted communication, this regulation could not have arrived at a more pivotal moment. However, to date, only a few Member States have completed transposition, among them Belgium, Croatia, Hungary and Latvia. Several others, such as Germany and France, have published draft laws, with transposition expected to be finalized in 2025. The remaining Member States have not yet completed the process.

For companies operating critical infrastructure such as subsea cable systems, which form the backbone of global data transmission, compliance with NIS2, and consequently with the national laws adopted to transpose the Directive in the Member States in which they operate, is not a regulatory tick-box exercise: it is a challenge, but also a significant opportunity to lead in both security innovation and market competitiveness.

The Impact of NIS2 on Subsea Cable Operations

Subsea cables carry over 95% of intercontinental internet traffic, facilitating everything from financial transactions to governmental communications. With such immense data flows, the security of these infrastructures is critical not only to business operations but also to national security and global commerce. NIS2 raises the stakes, requiring companies to adhere to stringent cybersecurity measures to manage risks, ensure continuity, and report significant incidents swiftly.

The directive covers the security of network and information systems as a whole, compelling operators to establish robust risk management frameworks (Article 21(2)), secure their supply chains, and maintain resilient infrastructure. For subsea cable operators, this means taking a proactive approach to both cybersecurity and physical security at every stage of the infrastructure lifecycle, from installation to maintenance.

Why NIS2 is a Game Changer

For companies in the subsea cable sector, the implementation of NIS2 presents an unprecedented opportunity to redefine industry standards and outpace competitors through exemplary security practices. This regulation introduces a framework that not only protects critical infrastructure from increasing cyber threats but also creates an ecosystem of accountability and resilience.

Here's why the NIS2 (and/or national legislation after its transposition) is a game changer:

1. Mandatory Risk Management: Companies are required to implement comprehensive cybersecurity risk management measures (Article 21(2)(a)). These include threat assessments, incident response plans, and continuous monitoring of vulnerabilities across both digital and physical infrastructure. For subsea cable operators, this means securing cable landing stations, protecting data in transit, and ensuring that maintenance teams operate within a robust security framework.

2. Incident Reporting: One of the key aspects of NIS2 is the obligation to report significant cybersecurity incidents (Article 21(2)(b) and Article 23) within tight timeframes: an early warning within 24 hours of becoming aware of the incident, an incident notification within 72 hours, and a final report within one month (Article 23(4)). This fosters transparency and cooperation across sectors, ensuring that vulnerabilities or breaches are identified and mitigated early. For subsea cable operations, being able to swiftly report and manage incidents minimizes downtime and maintains trust with international clients.

3. Supply Chain Security: The directive recognizes that the weakest link in any infrastructure is often within the supply chain. NIS2 mandates that companies ensure supply chain security, requiring third-party contractors, such as those involved in the installation and maintenance of subsea cables, to adhere to the same high cybersecurity standards (Article 21(2)(d) and Article 22). This creates an additional layer of resilience and helps safeguard operations from both cyber and physical threats.

Strategic Value Beyond Compliance

While NIS2 compliance is mandatory for all in-scope operators within the EU, the directive offers strategic advantages that go beyond mere regulatory fulfillment. For subsea cable operators, embracing NIS2-compliant security measures creates new opportunities to lead in global markets, build client trust, and secure long-term financial stability.

1. Proactive Global Leadership in Cybersecurity - Subsea cable operators working within the EU must meet NIS2 requirements, but the benefits of adopting these stringent security measures extend beyond Europe. By applying NIS2-compliant cybersecurity practices across global operations, including in non-EU regions, companies can position themselves as leaders in global cybersecurity. In regions with less stringent regulations, adopting NIS2 voluntarily demonstrates proactive risk management, earning trust from governments, multinational corporations, and high-value clients.

2. Enhanced Trust and Reputation - Governments, financial institutions, and corporations are increasingly looking to partner with companies that demonstrate a clear commitment to cybersecurity. By complying with NIS2 and exceeding international standards, subsea cable operators can enhance their reputation for reliability and security. This, in turn, creates business opportunities with stakeholders that prioritize secure communication channels and robust infrastructure resilience.

3. Competitive Differentiation - The global subsea cable market is competitive, with operators vying for contracts that require the highest levels of operational security. By embracing NIS2, companies can differentiate themselves as early adopters of advanced cybersecurity practices. This will not only help in securing contracts but also ensure long-term growth in a market that will increasingly favor security-conscious operators.

4. Long-Term Financial Growth - Implementing the NIS2 measures reduces incidents, minimizes downtime, and enhances client trust. All of these translate into financial growth. In an industry where operational disruptions can lead to significant financial losses, a NIS2-compliant cybersecurity plan ensures that risks are well managed, protecting revenue streams and safeguarding company profitability.

Adapting NIS2 for Global Projects

While NIS2 directly affects companies within the EU, subsea cables cross multiple jurisdictions and connect countries with varying cybersecurity regulations. For companies working on cross-border projects involving both EU and non-EU countries, it is crucial to create a cybersecurity framework that harmonizes NIS2 requirements with international standards and local regulations. This ensures that vulnerabilities in one jurisdiction do not compromise the entire system.

Adapting the NIS2 framework globally ensures consistent protection while allowing for flexibility and a locally compliant approach where laws differ. For instance, in regions with weaker regulations, companies can voluntarily adopt NIS2 requirements to differentiate themselves. In markets with strong cybersecurity regulation, such as the U.S. or Japan, companies can integrate NIS2 with other international standards, such as ISO/IEC 27001 or the NIST Cybersecurity Framework, to create a cohesive, globally recognised security strategy. This adaptability not only ensures compliance but also allows subsea cable operators to secure contracts across different regulatory environments, making the business resilient and competitive on a global scale.

Looking Ahead: Securing the Future of Subsea Cable Operations (a point of view!)

With NIS2 now in force, its influence is set to extend far beyond the EU’s borders. By embracing NIS2 and incorporating its principles into global operations, subsea cable companies are positioning themselves to lead in the next phase of global digital infrastructure development.

The opportunity now lies in acting early, establishing best-in-class cybersecurity practices, and integrating them into both the installation and maintenance phases. This proactive approach not only ensures compliance but opens the door to market expansion, increased client trust, and financial growth.

In an era where secure, uninterrupted communications are more important than ever, NIS2 compliance will become a key differentiator for operators of this critical infrastructure. Those who seize this opportunity to prepare their operations for the future will not only fulfil regulatory requirements (avoiding fines for non-compliance that, under Article 34, can reach EUR 10 000 000 or 2% of worldwide annual turnover for essential entities), but will also emerge as leaders in the global security of digital infrastructures.


[1] After entering into force on 16 January 2023, the NIS2 Directive had to be transposed by Member States into national law by 17 October 2024.

[2] The NIS2 Directive (Directive (EU) 2022/2555 on measures for a high common level of cybersecurity across the Union) is EU-wide cybersecurity legislation designed to strengthen the cyber resilience of organizations providing essential services to the economy and society. It applies to both public and private entities operating in critical sectors such as energy, transport, water management, healthcare, and digital infrastructure. The directive targets organizations within the EU that qualify as medium-sized or larger enterprises, classifying them as essential or important entities.

Luis Cunha

Zero Trust Evangelist | CyberSecurity Leader | SANS GIAC

4 months ago

Very helpful. Good article Jose
