NIS2: European ports prepare to comply with new regulations
A revolutionary change is awaiting the companies that will be operating in European ports in 2024. NIS2 — the new cybersecurity law aiming to safeguard critical infrastructure — comes into effect in 2024, and will impact hundreds of organisations.
I have already written about NIS2 coming into effect in 2024. It will impact hundreds of organisations. For many port-related firms, NIS2 is the first set of cybersecurity regulations they have ever had to comply with, so the shift is significant, and so are the penalties for potential violations.
Fines of up to 10 million euros (or up to 2% of global revenue, whichever is higher) may be imposed on violators that either refuse to comply or simply fail to meet the standards on time. Judging by the size of these fines, we may conclude that securing critical infrastructure has become a top priority for the EU — and not only on paper or in the mouths of smooth-talking European politicians.
This comes as no surprise, as the number of cyberattacks has been growing rapidly — especially since the outbreak of the war in Ukraine.
Why is this so important?
Critical infrastructure companies face cyber threats all the time, but it was the war in Ukraine that truly brought their vulnerabilities to light. Attacks on the key links in global supply chains may disrupt operations in many essential sectors, such as energy or heavy industry, which is closely tied to the military. That is why adhering to the new rules is so important, not only from an economic perspective, but also in terms of the safety of the general population.
One example (of many) illustrates the point clearly — in late January and February 2022, major oil terminals in Europe fell victim to a ransomware attack. Among other places, the attacks hit Antwerp, home to Europe’s second biggest port after Rotterdam. As a result, companies were forced to suspend their operations, and tankers crowded outside the port, unable to unload. At the same time, two German oil supply companies were also attacked and, in effect, could not fulfil their supply contracts. And who was to blame? Russian-speaking hacker groups using BlackCat ransomware, which suggests that the attacks might have been directed from the top rungs of the political ladder.
What’s the big deal about the new rules?
The initial version of the cybersecurity regulations from 2018 — called NIS — mandated fewer safeguards than NIS2 and applied only to the largest critical infrastructure companies. The new rules have been expanded and will impact mid-sized companies as well. Plus, they will also apply to sectors that didn’t fall under the previous law (for example, technology providers).
The NIS2 Directive is expected to require firms to take the measures necessary to prevent cyberattacks and to respond to any emerging threats.
This includes:
- detailed risk and vulnerability analysis,
- reporting cyberattacks (an early warning within 24 hours, a full notification within 72 hours, and a final report within 30 days of the incident),
- ensuring business continuity by implementing backup management and disaster recovery solutions,
- crisis management, meaning having special procedures in place in case of any cybercrime incidents,
- putting security measures first throughout the entire product life cycle — from planning to maintenance,
- cybersecurity education and training — incorporating best practices into day-to-day operations from the lowest to the highest level in each and every organisation,
- using cryptography, multifactor/continuous authentication and encryption solutions wherever possible,
- using secured communication tools,
- having proper asset management and access control in place, etc.
This may sound like a lot, but it is hard to believe that any company already operating in European ports would have to start its cybersecurity efforts from scratch. These days, having such procedures in place is an absolute must.
However, none of this has ever been required by law, overseen by an official entity (ENISA — the European Union Agency for Cybersecurity) or coordinated on a transnational level, should the need to respond to an incident arise, through a dedicated mechanism called EU-CyCLONe (the European Cyber Crisis Liaison Organisation Network). And this is exactly what the new reality is going to look like, according to the NIS2 proposal.
Unnecessary investment or new opportunity?
Even though NIS2 demands a lot of effort from the companies that operate in European ports, it can hardly be seen as an unnecessary move. One could argue about the scope of the new requirements, the level of control or the size of the penalties but, in general, organisations should instead treat the tighter restrictions as an opportunity to get their ducks in a row.
Whether it is required by law or not, cybersecurity should be one of the top priorities for any firm, from the smallest ones to the largest players in the market. Nowadays, protecting your systems from cyber threats and ensuring business continuity during a crisis is simply a matter of survival, especially for companies that are significant from both economic and political perspectives, as well as on national, regional and global levels. And being part of a global supply chain automatically labels your organisation as “essential”.
If you’re one of the companies that operate in European ports and/or in critical sectors — Future Processing will gladly guide you through these shifts.
And even if you don’t fall under the new law but want to strengthen your cybersecurity, feel free to get in touch with us. We have been focused on the security space since long before it became political. Let our extensive knowledge and experience serve as a beacon for you in these increasingly demanding times.