Home / Industry

NIS2 and Its Implications for Global Brands

Last month, Stephanie Driver, CSC’s marketing manager, spoke with Global Director of Security Services Mark Flegg and discussed the Network and Information Security Directive (NIS2) 2022, which comes into force in October 2024. This is part of an ongoing series of interviews with CSC’s Digital Brand services business experts, where we talk about industry issues across cybersecurity, domains, brand protection, and fraud protection.

On a sunny Thursday morning, I grab a mug of tea, put my headset on and settle in my chair to speak with Mark Flegg. After a brief discussion on how to correctly pronounce “Lavazza” (we settled on “luh-vat-suh” rather than “la-vaz-za”), we got right into discussing our hot topic of NIS2. I ask Mark to give me a 60-second overview.

“In a nutshell, NIS2 is a directive from the European Parliament to improve cyber hygiene for its member states. The easiest way to think about it is GDPR for IT,” he explains. I subsequently took a look at the official summary of NIS2 and it calls for “a high common level of cybersecurity across the Union,” which includes national cybersecurity strategies, setting up cyber crisis management authorities, putting cyber risk management measures into place, clear reporting, and having enforcement action plans.

“There have previously been similar directives put into place that said, ‘hey organizations, you should have better cyber hygiene,’ but these were more guidelines than anything else. NIS2 is basically an evolution of these and has been put into law.” This happened in December 2022, and EU member states have until October 17 this year to define how they’ll make it part of their own laws for their respective regions.

Initially, NIS2 affects a selection of 10 industries that the European Parliament considers essential for society to function, namely economic security, electronic communications (email), finance, data providers, healthcare, food and water, law and security, transport, energy, and protection services. “Although this may seem like a relatively finite list, it really covers anyone or any organization that might have an impact on society,” Mark adds. Additionally, although mandated to EU member states, this also covers any organization doing business in the EU—just like the Global Data Protection Regulation (GDPR).

The NIS2 Directive is a 60-page document—standard bedtime reading for the likes of Mark, I’m sure, but perhaps not for everyone else—so I ask him, what are the salient points that organizations in, or doing business with, EU member states need to consider? Mark picks out three points of action that he considers key.

Number one. “Review your risk management policies! And make sure they include domain registrars and domain name system (DNS) services. Make sure the organizations you work with are NIS2 compatible, or you’re putting yourself at risk of non-compliance,” Mark advises. Akin to GDPR, non-compliance results in some eye-watering fines: €10 million or 2% of annual worldwide turnover, whichever is greater. “Make sure you have enterprise-class DNS and DNS redundancy as well,” he adds, “You need a plan B!”

Number two. “Audit your suppliers for NIS2 compliance and do it sooner rather than later.” When it comes to cybersecurity, you’re only as strong as your weakest link, so assessing third-party providers in your supply chain is essential. Mark suggests evaluating suppliers by conducting a risk-assessment questionnaire, asking for a NIS2 compliance statement, or putting in place some applicable service level agreements.

And number three? “Appoint a CSIRT,” Mark advises. What’s that, I ask? “It stands for cybersecurity incident response team; a team that will liaise with the government’s own CSIRT in the event of an incident.” Organizations in the specified industries will only have 24 hours to report an incident, so getting this team together and all on the same page is essential. Who should be on the CSIRT, I enquire? “It needs to be a multi-disciplinary team covering cybersecurity, IT, legal, governance, and compliance. Cybersecurity is everyone’s responsibility—representatives from each of these areas must not just be aware, but be ready to act,” says Mark.

Time is certainly of the essence when it comes to NIS2—with less than four months until the October deadline, it’s important for any organizations covered by the directive to get their cyber hygiene squeaky clean.

You can find out more about CSC’s domain security and DNS services here.

By CSC, We are the business behind business

We help effectively manage, promote, and secure our clients’ valuable brand assets against the threats of the online world. Leading companies around the world choose CSC as their trusted partner to gain control of their digital assets, maximize their online potential, and increase online security against brand risks.

Visit Page

Filed Under


Commenting is not available in this channel entry.
CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

Co-designer of the TCP/IP Protocols & the Architecture of the Internet



Threat Intelligence

Sponsored byWhoisXML API


Sponsored byVerisign


Sponsored byDNIB.com

Brand Protection

Sponsored byCSC

Domain Names

Sponsored byVerisign

New TLDs

Sponsored byRadix

IPv4 Markets

Sponsored byIPv4.Global