Just 30% of EU member states have nationally implemented The Network and Information Security Directive (NIS2). While this is not unusual given that attention is divided among NIS2, the Digital Operations Resilience Act (DORA), and the European Cyber Resilience Act (CRA), target deadlines are being missed. This puts businesses on the back foot and risks falling even further behind the adoption curve.
NIS2 is the biggest cybersecurity legislation in over a decade, setting the stage for secure digital infrastructure across the EU. The directive’s deadline has passed, as of 17 October 2024, but like many other EU regulations, NIS2 is taking a phased approach across Europe — much like when GDPR was introduced in 2016.
Although businesses in the UK are not obligated to comply with these regulations, those with EU-based clients or those that make up part of EU supply chains will come under its thumb.
Vice President of Solution Architecture at Sonatype.
A view of NIS2
The driver for this legislation is clear. Recent high-profile cyber incidents have caused major disruption — like the cyberattack on the NHS, the CrowdStrike outage, and the SolarWinds fiasco. As society increases its dependency on software, software developers increasingly rely on open source to ship new products quickly. Open source makes up 90% of modern software, with consumption reaching a staggering 6.6 trillion downloads in 2024. Cyber resilience must improve commensurately to meet software consumption.
NIS2 introduces stringent cybersecurity reporting standards across banking, manufacturing, and public administration. UK businesses working with EU partners are already being asked to meet these standards and contracts are being rewritten to demand adherence to NIS2 standards to protect shared systems and data. Remember that the rising tide lifts all boats.
Under the NIS2 directive, companies have 24 hours to report major cybersecurity incidents, with updates due within 72 hours and a final report needed in 30 days. They must also implement and document policies, from vulnerability monitoring to information security training, which exceeds previous requirements.
Vulnerabilities in software supply chains spread rapidly. Even though NIS2 isn’t law in the UK, the underlying principles of the directive are good cybersecurity best practices to observe. Non-compliance not only puts UK companies at greater risk of security incidents, but as with GDPR, we see cybersecurity legislation trending in this direction. Adapting early to these changes avoids unnecessary operational strain, especially for those at risk of being pulled into scope by upcoming EU legislation such as the CRA and Product Liability Directive.
The observability conundrum
Software supply chain security has become a major target for bad actors, with open source malware, or malicious packages living in open source repositories, surging 156% in 2024. Bad actors often target third-party vendors as a gateway into larger organizations, proverbially killing several birds with one stone. Recent high-profile incidents show that their methods are becoming more sophisticated.
One such example is the April 2024 attack on the open source XZ Utils compression tool, where a bad actor posed as a legitimate contributor for two years, embedding malicious code that, if undiscovered, could have caused widespread global disruption.
NIS2 has been introduced specifically to combat these occurrences by imparting personal responsibility for cybersecurity to businesses themselves. Rather than being able to skirt accountability by blaming incidents on suppliers, companies are now personally liable for their cybersecurity. This development is sorely needed, as the rate of software consumption dwarfs the rate at which components are observed and tracked, and that gap is only widening. In the past 12 months, only 60,000 Software Bills of Materials (SBOMs) were published versus 6.9 million new open source components released. This gulf is a ticking time bomb, with businesses facing no-fault liability and harsh financial penalties.
What would Anne Robinson say?
When we think of software, we think of it as one system. The reality is that all software is an interdependent mesh of open and closed source components, and one weak link can be disastrous. On average, each application contains 180 components, with repeated updates, patches, and multiple versions. It’s impossible to track every single change manually. Automation and proper tooling are needed to keep up with the pace of consumption that modern software development demands.
If just one component is compromised, the ripple effect can be devastating. This is precisely why regulations are coming thick and fast to identify and remedy the weakest links in software supply chains.
UK businesses, while not directly under NIS2, should be mindful of its implications. Even though the EU is the first to draw a line in the sand on this issue, it will not be the last. Businesses stand to benefit by being proactive rather than reactive. Preparing for the upcoming CRA Bill helps companies stay competitive amid the changing legislative landscape.
The risk of being the weakest link far outweighs the compliance challenges, as protecting partners from costly cybersecurity incidents, compliance failures, and reputational damage safeguards a company’s long-term resilience and, ultimately, its bottom line.
We’ve featured the best business VPN.
This article was produced as part of TechRadarPro’s Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro
