The NIS2 directive is a crucial framework for ensuring the cyber resilience of essential services and digital infrastructure across the European Union. While the directive does not apply directly to organizations in the UK, businesses may well be affected if they sell into the EU market, or members of their supply chain are required to comply.
With just months until the October 17 directive deadline, concerned UK IT decision-makers must work closely with chief operating officers (COOs) and chief revenue officers (CROs) to ensure cybersecurity management is prioritized across their entire distribution chain to ensure NIS2 compliance and minimize the risk of security incidents that could wreak havoc on their operations, revenue and ability to scale.
As supply chain security becomes a higher priority, organizations must understand the types of threat actors targeting their supply chains, what will happen if EU partners do not comply with NIS2, and whether UK businesses should try to get ahead of similar regulations being introduced locally.
Understanding the Supply Chain Threat Landscape
There are several factors driving the rise in supply chain attacks. As organizations become more reliant on third-party suppliers, their attack surface grows larger and more complex. At the same time, adversaries are constantly seeking new ways to breach valuable businesses.
Many of these third-party suppliers are viewed as softer targets that are easier to breach and can provide access to the larger organizations they work with – often without raising alarm. As enterprises have become better at hardening their environments, attackers view supply chain attacks as a creative means to operate undetected.
Throughout 2023, targeted intrusion actors consistently attempted to exploit trusted relationships to gain initial access to organizations across multiple verticals and regions. This type of attack takes advantage of vendor-client relationships to deploy malicious tooling using two key techniques:
- Compromising the software supply chain using trusted software
- Leveraging access to vendors supplying IT services
Threat actors targeting third-party relationships are motivated by the potential return on investment (ROI). One compromised organization can lead to hundreds or thousands of follow-on targets. These stealth attacks can also more effectively provide an opportunity for attackers seeking to exploit a hardened end target.
The Impact of NIS2 on UK Organizations
The NIS2 directive sets new risk management measures and reporting requirements for organizations, requiring them to implement a higher level of security across their network and information systems. The legislation applies to organizations based in EU member states that operate across 18 key economic sectors.
It includes all organizations that employ more than 50 people or have a total annual turnover of more than €50m ($54.3m). The NIS2 provisions must be implemented before October 17, 2024.
While not directly impacted by the directive, UK organizations are often intricately linked to EU partners within their supply chains. As a result, they may be affected by NIS2 in the following ways:
- EU partners may demand adherence to NIS2 standards or similar as a condition for collaboration, requiring UK businesses to align with the directive's cybersecurity protocols – especially if its own cybersecurity practices are minimal.
- Failure by EU partners to comply with NIS2 standards increases cyber risk exposure for UK businesses within shared supply chains. Cyber-attacks targeting inadequately protected EU partners could propagate through interconnected networks, potentially compromising the security of UK organizations' systems and data.
- EU partners’ failure to comply with NIS2 standards could potentially disrupt supply chains, impacting UK businesses reliant on cross-border trade. This may lead to delays, increased costs and reputational damage for UK businesses operating within affected supply chains.
- Having robust cybersecurity practices in place instils confidence among partners. UK businesses that either fail to align with NIS2 standards or secure their own supply chains will be at a competitive disadvantage within EU markets, which could impact their ability to scale.
Continued UK Innovation
While the NIS2 rules affect organizations classified as core infrastructure operating in the EU, UK businesses should follow in their footsteps to avoid being the weakest link in the chain of distribution. NIS2 is not only about compliance, it’s about inspiring all businesses to align themselves with the best cybersecurity standards possible.
This is imperative for the cyber safety of supply chains, especially as more businesses move critical applications and data to the cloud. These resources will only come under greater attack by threat actors that continue to refine tactics and tradecraft to exploit the vulnerabilities and misconfigurations within them.
Battling these adversaries will require a comprehensive approach to security that enables organizations to maintain compliance, visibility and enforcement, regardless of where their data and applications reside.