
How the NIS2 Directive impacts your business and the role of cyber insurance


By Eleanor Hanwell
17 Sep 2024

The NIS2 Directive is legislation which aims to achieve a high common level of cyber security across the European Union.

Under the legislation, businesses identified by the Member States as operators of essential services must take appropriate security measures and notify relevant national authorities of any serious incidents.

Non-compliance with this legislation can ultimately result in administrative fines, which could be up to 10% of a company’s annual turnover.

What is the NIS2 Directive?

The NIS2 Directive is EU-wide legislation on cyber security with the aim of boosting the overall level of cyber security in the EU. It primarily covers businesses in the following sectors:

Sectors of high criticality

  • Energy
  • Banking
  • Financial markets
  • Health sector
  • Drinking water
  • Digital infrastructure
  • Transport

Other critical sectors

  • Postal and courier services
  • Waste management
  • Waste water
  • Food production, processing and distribution
  • Manufacturing
  • Manufacture, production and distribution of chemicals
  • Digital providers
  • Research
  • Public administration
  • Space

Key requirements

Businesses identified in their member states as operators of essential services in the above sectors need to ensure they cover the following:

  • Cyber security risk management:
    Businesses covered by the directive need to conduct risk assessments and implement risk treatment plans. Management is also required to take responsibility for their business’s cyber maturity and, as part of this, must take part in cyber security training and ensure their employees have a greater knowledge of cyber security.
  • Notify serious incidents within the following timeline:
    • Without undue delay – notify the essential and important entities of any incident with significant impact
    • Within 24 hours – an initial warning should be communicated to the competent authority or CSIRT, covering the early assumptions regarding the type of incident
    • After 72 hours – a report must be submitted which includes an incident assessment covering the severity, impact and indicators of compromise
    • After 1 month – a final report of the incident must be submitted
  • Ensure supply chain security:
    Individual enterprises will be responsible for addressing cyber security risks in their own supply chains, as well as within supplier relationships.

Implications for SMEs and businesses in critical sectors

For businesses affected by the NIS2 Directive it is important to plan the steps required for compliance with the legislation. The first step should be an audit of the business’s critical services, processes and assets that provide the essential service as defined in NIS2. Doing this will help highlight what work is required to be compliant, including any quick wins or process amendments.

The deadline for the NIS2 Directive to be transposed into national law in all member states is 17 October 2024. So, businesses need to ensure they are complying with this legislation to avoid financial penalties and damage to their reputation.

As the UK is no longer bound by EU legislation, it will not be implementing NIS2. However, it is important for UK businesses that work within EU states to be aware of the NIS2 legislation, especially if they are part of the supply chain of an EU business which is bound by the legislation.

Why cyber threats are a growing concern

According to the IBM Cost of a Data Breach Report 2024, the average cost of a data breach has increased year on year. By 2024, it reached an all-time high of $4.88 million, which represents a 25% increase since 2020.

In 2024, malicious attacks (those committed by outside attackers or criminal insiders) made up a staggering 55% of all breaches and phishing and stolen or compromised credentials were still the two most common types of attack that businesses were victims of.

It’s clear based on the data that cyber-attacks are rising in frequency, sophistication and the impact they can have on businesses. What’s even more worrying is that customers are becoming more affected by company data breaches, as 46% of breaches involve customer personal data and more than half of organisations are passing the costs of their data breaches directly onto their customers.

How cyber insurance supports your business

Whether the NIS2 legislation affects your business directly, indirectly through a client’s supply chain, or not at all, the rising threat of cyber-attacks should be something that gives you pause.

As the data shows, businesses need to not only fear these breaches directly but also the rising costs from businesses that are recovering from an attack themselves and have no choice but to pass these costs onto their customers.

If you don’t currently have the resources to respond quickly to a data breach, then having cyber insurance for your business can ensure you get the expert support you need in the days, weeks and months that follow an attack.

Whatever your set-up, it’s important to protect yourself and your clients and ensure that if the worst does happen, the downtime and cost for your business (and those of your clients) are minimal.

Here are three key areas where cyber insurance can directly support your business:

  • Provide timely support
    Researchers in the IBM Data Breach Report 2024 found data breaches with a lifecycle exceeding 200 days had the highest average cost compared to breaches with lifecycles under 200 days. So, the quicker you can respond to a breach the less disruption there will be for your business and customers. Many cyber insurances offer 24/7 help lines that allow you to get specialised support as soon as an attack occurs.
  • Reduce monetary impact of a breach
    Research shows that the greater a business’s disruption, the greater the monetary impact. So, in the case of a breach you need financial support to ensure you can keep things running whilst you deal with the fallout. Many cyber insurance policies cover lost business income and the quicker you can access this support the better. For example, our Cyber Liability policy deferment period is only 3 days.
  • Help your business become more resilient
    It’s no use getting your business up and running quickly if you don’t improve your systems to protect against a similar breach in the future. So, many cyber insurance policies provide you with financial help to improve your company system resilience directly following a claim.

Ensuring compliance and peace of mind

One of the key areas of the NIS2 Directive is to have a clear and documented incident response and plan for recovery following a breach. Holding cyber insurance helps with both these areas of compliance:

  • Response service
    Most cyber insurance policies include access to response services. This allows a business to have access to experts in cyber security who can provide support and insight into why a breach has occurred and what steps need to be taken for recovery. This support makes meeting the new reporting timeline easier as you have a team to help ensure these deadlines are met. It also ensures that you will have a clear plan for recovery.
  • Resilience improvement cover
    It is important to have a plan following a breach, both for recovery and for protecting your business in the future. Many cyber insurance policies include resilience improvement cover, which provides financial help to improve your computer system resilience following a claim.

Protecting your business in the new cyber security landscape

The goal of the NIS2 Directive is to improve cyber security and resilience across the European Union. Even if you think this legislation doesn’t apply to you, it is worth preparing for compliance (in case you are affected through a supply chain) by completing an audit of your cyber risk strategies, creating a roadmap and increasing cyber security awareness within your business.

A key step towards compliance is purchasing cyber insurance, which will help protect your business should the worst happen. We’ve now improved our Cyber Liability cover to ensure that you can access help fast, minimise disruption to your business and improve your approach for the future.
