New Cybersecurity Regulation: What Does It Mean for You?

Last week, the outgoing Dutch Minister of Justice and Security sent a letter to parliament stating that the translation of new European cybersecurity rules into national legislation will be delayed. Cybersecurity organisations are starting to grow impatient: digital threats are evolving and won’t wait for regulation. What do these new threats look like and how is new regulation supposed to help?

In November 2022, OpenAI released ChatGPT; the generative AI chatbot took the digital world by storm, with The New York Times even calling ChatGPT “the best AI chatbot ever released to the general public”. However, it didn’t take long for the general public to discover the chatbot’s malicious potential. Computer security researcher Brendan Dolan-Gavitt wondered whether ChatGPT could generate malicious code; and it did not disappoint. When the model was asked to complete a simple ‘capture-the-flag’ challenge, the chatbot was able to recognise and write code to exploit a critical vulnerability.

This recent development represents a new problem: the commercialisation of cybercrime. Cybercrime-as-a-service, in which criminals sell their products and services through online platforms, has made digital criminal activity accessible and scalable for some time now. But with the introduction of Large Language Model chatbots like ChatGPT, even the most inexperienced hacker could potentially generate complex malicious code.

While OpenAI has been implementing measures designed to prevent the harmful use of its chatbot, it is still possible to bypass these filters, as evidenced by the growing amount of malware developed with ChatGPT available on the dark web. This has resulted in a steep rise in the number of cyber attacks, and the expectation is that these numbers will continue to grow. So what can we do about it?

A month after the release of ChatGPT, the European Commission published the new Network and Information Security directive (NIS2), successor of the NIS1 and Europe’s regulatory answer to the growing amount and complexity of cybersecurity threats. The NIS2 introduces new requirements with regard to mandatory risk managing and reporting, boardroom responsibility and supply chain security across a broad range of organisations.

So what does this mean? As of October 2024, when NIS2 will need to be translated into national regulation, stringent cybersecurity requirements will apply to ‘essential’ organisations in sectors like energy, finance, health and public administration. Additional requirements will be put in place for ‘important’ sectors like manufacturing, food production and providers of digital services. Generally, the directive will apply to the organisations that fall within these categories and have a minimum of 50 employees or an annual turnover of at least 10 million euros. Various evaluation tools have already been developed by national authorities to help organisations determine whether and how NIS2 is going to apply to them.

NIS2 has requirements for basic cyber hygiene measures but will impact business processes in other ways as well. Here are five requirements that we think you should be aware of:

• Duty of care requires organisations that fall under NIS2 to carry out a risk assessment, followed by implementing measures that guarantee the continuation of services and protection of vital information.
• Duty to report means that serious cybersecurity incidents or vulnerabilities have to be reported to the supervising authority (such as the NCSC in the Netherlands) within 24 hours of their detection.
• Boardroom responsibility under NIS2 means that an organisations’ Board of Directors and the CEO must take cybersecurity training to enable proper cybersecurity risk management. Failure to maintain adequate oversight can lead to legal liability.
• Supply-chain security should be addressed by a risk assessment that includes the relationship between each organisation and their direct suppliers or service providers.
• Supervision will be done more proactively by national authorities (RDI in The Netherlands) through regular and targeted audits, on- and off-site checks, requests of information, and access to documents or evidence.

If this seems like a lot, that’s because it is. Compared to NIS1, NIS2 is very ambitious in terms of both scope and requirements. This means that digital security, across EU member states, will see a significant boost. But it also means that many organisations will need to do some serious work in order to become compliant.

If attackers are using new and innovative technology to their advantage, why wouldn’t defenders do the same? AI can help organisations face increasingly complex cybersecurity threats and meet regulatory requirements. For example, AI can support cybersecurity defenders with analysis of logs, files, network traffic, secure code development and testing, and threat intelligence. But more ambitious and innovative applications are also possible, such as automated vulnerability scanning, in which large parts of the vulnerability management process like auditing, logging, threat modelling, reporting and patching can be automated. With scarcity in cybersecurity expertise not expected to drop any time soon, solutions like this are vital in keeping organisations’ information security at an acceptable level.

However, complying with NIS2 requires more than appropriate information security management. Having the right data governance, modelling and infrastructure in place can significantly reduce the amount of time needed for incident reporting and response. Automated and secure data logging, sharing, collection and authorisation results in more efficiency and also significantly reduces the time and cost of audit preparation. To increase supply chain awareness, these solutions can even be implemented externally and extend to direct suppliers and service providers. Lastly, tailored data visualisation tooling like business intelligence dashboards can facilitate boardroom engagement and relieve Chief Information Security Officers of their number one headache when dealing with the board.

The increased scope of NIS2 is a testament to a cliché that we’ve been hearing in the cybersecurity sector for more than a decade now: “cybersecurity is no longer only a technical issue”. Increasing digitalisation, new regulations and ever-evolving threats ask for a holistic and comprehensive approach that takes into account a plethora of legal frameworks, political developments and human behavioural psychology. Het Innovatiecollectief can offer this approach.

Het Innovatiecollectief is a cooperation between Publyon, Amsterdam Data Collective (ADC) and  Hooghiemstra & Partners (H+P), offering end-to-end support to organisations that want to leverage the power of data and AI to optimise their digital security. With integral advice on strategic positioning, technical solutions and regulatory compliance Het Innovatiecollectief will prepare your organisation for new digital threats and the introduction of NIS2.

Want to know what the new regulation means for your organisation? Or would you like to know more about cybersecurity optimisation through leveraging the power of data and AI? Reach out to Timon Domela Nieuwenhuis Nyegaard (Cybersecurity consultant) for a chat.