The NIS2 Paradox: Paperwork vs Actual Security

The unintended consequences of the NIS2 directive

The NIS2 Directive (the revised EU Directive on the security of Network and Information Systems) aims to boost cybersecurity across the EU. It is a major step towards strengthening critical infrastructures, so in general I am a big fan. This is why I already invited one of its founding fathers, Bart Groothuis from the European Parliament, and Jasper Nagtegaal from the Dutch Authority for Digital Infrastructure to two webinars we hosted earlier.

However, in practice, I see that the NIS2 directive is not without its weaknesses. Many companies find themselves entangled in compliance paperwork at the expense of actual cybersecurity resilience. In this newsletter, I will highlight this unintended consequence, particularly for companies with limited budgets, and how to solve this problem.

In theory, NIS2 is great news...

To start with the good news: The NIS2 directive is a major step forward for many companies in their cybersecurity. The main idea is to raise cyber resilience by thorough risk analysis, combined with managing those risks at board level. For many companies, the ISO27k standard is a good starting point for NIS2 compliance. It covers everything from setting the risk appetite to identifying your risks, defining measures, implementing those measures, measuring the effectiveness of those measures, and formal risk treatment of any unacceptable risks.

...but in practice paperwork seems to be winning

But in practice, I see some companies treat the implementation of ISO27k as a paper-heavy project. And of course, to be certified, you must have working (documented) processes and demonstrate the effectiveness of those processes, which is labor intensive as well as paper intensive.

Some companies forget the ultimate goal of this certification process and of NIS2 compliance: raising their cyber resilience. Just because you are ISO27k certified doesn't mean you can't be hacked. The large number of publicly disclosed hacks and successful ransomware attacks is a clear example of this; many of the affected companies were ISO27k certified.

For some companies, NIS2 paperwork seems to win over actual security.


Less money for real security

This shift in focus, which can be linked directly to the introduction of NIS2, means resources are diverted away from essential activities such as external attack surface monitoring, vulnerability testing, incident response simulations, network zoning and security monitoring, and towards compliance paperwork.

I see some companies, especially those with limited cybersecurity expertise, mistakenly equate compliance with security, neglecting the proactive measures that actually mitigate risks. This reallocation of resources can leave these companies more vulnerable to cyberattacks, as they may lack the defenses needed to withstand sophisticated threats. Paperwork will not keep hackers out.

The solution: view compliance as a means to an end

To resolve this shift towards paperwork, you need a balanced approach. I advise not to view compliance as an endpoint, but as a component of a broader, more comprehensive cybersecurity strategy to raise your cyber resilience. Compliance should support you in making the right risk-based decisions. Here are some recommendations to reach compliance without sacrificing your actual security:

  1. Prioritize practical security measures: Allocate enough budget and resources for practical security measures, including for example asset discovery, security monitoring, IT/OT segregation and zoning. And verify those. Focus on things that will make it harder for the attacker (defense in depth).
  2. Integrate compliance with security practices: Make sure compliance activities are integrated into the overall security strategy, rather than treated as separate tasks. This integration can help align your compliance efforts with real security needs.
  3. Integrate cybersecurity risks into enterprise risk management processes: This will help you treat cyber security risks like any other risk at board level, and helps allocate the right budget to risks that are above the risk appetite at board level. This is exactly what NIS2 aims to achieve.
  4. Educate and train your staff: Invest in ongoing cybersecurity training for your employees to enhance their ability to recognize and respond to security threats. They are the eyes and ears in your company.
  5. Involve everyone, from floor to board: Make sure that the people in operations provide input to your security management processes. Nobody knows better where the risks are than the people involved in operations. An added benefit is that they feel heard about their concerns and will get budget allocated when required, which stimulates a strong security culture.
  6. Validate and assess risk through penetration testing and Red Teaming: By simulating real-world attacks through Red Teaming and penetration testing, you validate and complement identified threats and assess their potential impact and likelihood to determine their risk. This step is crucial for prioritizing which threats need immediate attention and determining the effectiveness of current defenses. The results of Red Teaming can guide strategies for risk mitigation, making sure that security efforts are concentrated where they are most needed. And the good news is that Red Teaming will identify weaknesses in People, Process and Technology.

My advice: integrate compliance into your cybersecurity strategy

The NIS2 Directive is a well-intentioned effort to improve cyber resilience across the EU, but I also see a downside in practice. Companies, particularly those with limited budgets, must navigate the delicate balance between compliance and practical security measures. By prioritizing real-world security practices and integrating compliance into a broader cybersecurity strategy, you can better protect your organization or company against actual cyber threats, while also achieving compliance. So, compliance not as the end-goal, but as a means to get more (cyber) resilient.

Share your thoughts

Now it is your turn: How do you feel about NIS2, the Network and Information Systems Directive? Do you feel overwhelmed by paperwork, or do you feel NIS2 does bring you more security? How do you find a healthy balance? Please leave a comment in the section below.


About the author

Sjoerd Peerlkamp is Director Industrial Cybersecurity (IT/OT Security) at Secura / Bureau Veritas. He has more than 15 years of experience in IT and OT Security, among other things as Group IT Security Officer at a large European energy company, Cyber Threat Manager at a large oil company and CISO at the largest Dutch Distribution System Operator.





I see another paradox. How do you pretend to accurately implement steps 1, 2, 3, 4, and 6 without a huge amount of resources? Then, is the compliance process less expensive!? Another paradox!

Mikael Lingskog

Senior information security management consultant, CISO

8 months

It's easy to say but harder to actually do. Yes, you have to start somewhere, but it's way better if the processes and routines on paper are actually measured for use in real-life security, not just a paper product. Audits are getting better at inventorying the line management and asking HOW they do things and how the processes are used. But most of the time we see it's not working. Example: patching and the patch process are easy to explain (WHY you need them) and to draw on paper. But actually doing it in reality means taking into consideration patch/service windows and downtime (which is often a big no-no). Having multiple environments to fail over to during patching and updates is expensive. I'm all for improvements in security, but it is crucial we start talking about HOW to do it and not just HOW you should do it.
