How should organizations prepare for today's cybersecurity challenges and the EU's NIS2 Directive? Increased collaboration within and between organizations is essential.
The EU’s NIS2 directive seeks to ensure that, in our changing world, the organizations critical to society remain resilient against these threats. The directive is expected to be implemented across Europe as early as autumn 2024.
In the middle of all this, what action should companies take? Security Lead Jari Pirhonen from Tietoevry Tech Services is the right person to answer the question. With a career that spans decades, Pirhonen is one of the leading cybersecurity experts in Finland, as well as a sought-after public speaker known for his ability to discuss complex themes in accessible and inspiring ways.
The European Union's main concern is the sectors that help sustain our society. That’s why NIS2 directly affects only about one percent of companies, in sectors such as energy, healthcare, and digital infrastructure.
Regardless, Pirhonen stresses that other organizations should get to know the directive too. This is due to the surprisingly wide ripple effect.
“The NIS2 directive should be seen as a baseline.”
“If your company already aligns with the current cybersecurity best practices, you’re typically already ahead of the legal requirements. Still, it’s a good idea to double check whether NIS2 will call for any further actions.”
Companies must make sure they comply with the new law. Fittingly, one of the biggest changes NIS2 introduces is wider corporate responsibility. It emphasizes that, in the end, management is accountable for cybersecurity and needs to ensure it is implemented at a sufficient level. The clauses also make stronger statements on comprehensive risk management.
“Vulnerabilities are not limited to networks or software”, Pirhonen states.
“That’s why one of the goals of NIS2 is to take a wider array of risks into account, including those related to personnel or physical environments.”
During the pandemic years, the increase in remote work made many companies reconsider their level of information security and pay closer attention to training their employees on the topic. On the other hand, Russia’s invasion of Ukraine has raised concerns over cyber threats growing faster than it is possible to prepare for them. Pirhonen thinks that building awareness of cybersecurity practices across all parts of organizations is overdue.
“I often say that cybersecurity is too important to be left solely to IT and security departments alone – the cybersecurity experts cannot possibly be involved with everything that happens within an organization.”
What would this shared awareness look like in practice? Pirhonen thinks that a strong security culture is built on three tenets. The first is company-wide know-how: every employee must receive sufficient cybersecurity training tailored to their respective role. The flow of information between departments and individuals should also be encouraged. The second tenet is the motivation of both management and the experts to keep the cybersecurity discussion alive within the company. The third is related to investment.
“It is crucial to make sure that enough time and budget are allocated to implementing and testing cybersecurity in all undertakings. Often, there are people in the projects who would have the required skills, but are unable to use them due to monetary constraints or tight schedules.”
Tietoevry is one of the 160 000 European companies that must comply with NIS2. Many of their customers play a critical role in the supply resilience of the Nordics. Hence, their ability to overcome crises and disruptions with minimal harm is essential.
“We are constantly conducting a large amount of various audits, both on our own initiative and by our customers”, Pirhonen explains.
Serving clients with risk management already begins at the contract stage, because it’s important to define the needs and areas of responsibility from the get-go, Pirhonen notes. Depending on the situation, the collaboration might include consulting, maturity level assessments, or a dedicated cybersecurity manager.
Resourcing and preparing for threats is closely tied to the question of constantly growing amounts of data. In AI solutions, for example, it is integral to define not only what data should be collected but also who can access it. The changing times and increasingly complex systems require a mindset of constant learning. Here, too, co-operation can work wonders. Understanding the value of this, Tietoevry is actively involved in TIETO, the largest information society readiness exercise in Finland.
Scene from the TIETO22 information society readiness exercise. Photo by Meeri Utti.
“We constantly collaborate with the National Cyber Security Centre and the National Emergency Supply Agency”, Pirhonen mentions. He hopes that NIS2 could further expand cooperation between organizations.
“When it comes to cybersecurity, it’s wise to look beyond your own operational environment. It’s especially valuable to have discussions about shared challenges and solutions with other institutions.”