Navigating NIS2: A Guide for IT Service Providers
The weekly newsletter of the Business of Tech, giving you new insights into the world of IT service delivery.
Looking for stories from the podcast? Check out the pod itself on Apple Podcasts, Spotify, or daily in your inbox. Stories are available to everyone for five days, and to Patreon supporters forever.
Up for some good old-fashioned regulation talk? Listeners know I’m always in the mood to chat about compliance, especially with a major change on the horizon in Europe: the release of NIS2.
Although it may not seem relevant to American MSPs yet, cybercriminals aren’t exactly known for respecting boundaries, let alone borders. Plus, I believe it’s important to know what regulations are designed to keep our customers safe and the best ways to go about implementing them.
That’s why I welcomed Erik-Jan Frieser, Co-Founder & CEO at Frieser & Schuckmann, onto a recent bonus episode of The Business of Tech. He specializes in NIS2 compliance, so keep reading for his overview of the rules, the stakes, and best practices for American IT partners.
NIS2: the basics
In case you don’t know much about NIS2, I asked Frieser to walk us through where it comes from, what it contains, and who it applies to.
He explained that although the directive originated with the EU, many individual countries have already started developing their own requirements based on it. As you’d expect, the focus is on cybersecurity, particularly for ‘high critical sectors’ like energy companies, transportation, financial markets, healthcare, drinking water, wastewater, and digital infrastructure (although other critical sectors like food, chemicals, and manufacturing are included, too).
The biggest wake-up call, however, is that NIS2 will also apply to the supply chain companies that are offering services to these companies. In Frieser’s words:
“It’s getting broader and broader in companies that need to comply and companies that want to comply with NIST.”
As for specific requirements, Frieser’s first few examples only scratched the surface: incident handling, business continuity, supply chain security, cybersecurity awareness training, monitoring of your ISMS, internal audits – the list goes on.
“It’s really about looking at what have you done? What are you doing? How are you managing your cybersecurity? And it really will touch a lot of your customer base,” he said.
And, because this is Europe we’re talking about, failure to comply means fines. Really, really big fines.
According to Frieser, when you’re not compliant with NIS2 in the essential high critical sectors, the fines can reach 10 million euros or 2% of your yearly revenue. For critical sectors, it can be up to a maximum of 7 million euros or 1.4% of worldwide revenue.
The potential overseas impact
Believe it or not, Frieser already has multiple international clients who proactively reached out (no legal requirements involved) to achieve NIS2 compliance. Their reasoning is simple: they work with European companies, and they’re worried they’ll need to be NIS2 compliant, anyway.
I asked Frieser to explain how broad this would really be. If I’m an American manufacturing company and I sell a unit to a European, would I need to make sure the sale and data follow NIS2 regulations? How granular is it?
He explained that it really boils down to whether the European customer is involved in high-critical or critical sectors. If they are, you should be prepared for them to expect that you comply with at least most of the requirements within NIS2.
Frieser’s solution
I wanted to talk to Frieser because he’s built a platform to help solution providers and IT companies in particular address the demands of NIS2 compliance. So what does his approach look like?
Even before NIS2, Frieser and his team developed similar platforms for other regulations like ISO, GDPR, and medical devices. Across the board, their goal has been to distill the complex legal jargon into a simple step-by-step portal anyone can follow – almost like a live, custom checklist. According to Frieser, it’s so simple that even a customer could complete it (though MSPs will obviously have an easier time speeding through it).
Here’s how he explains it:
“We have four different versions of the portal. And when you start working in the portal, you will see all the requirements with explanations where you need to fill in who is responsible for different types of subjects. And there are different places where you can fill in what you have and what kind of measures you have made for each subject.”
It almost sounds like a worksheet. For example, in the security awareness portion, you would be asked, “What have you done around security awareness training inside of your company?” and then be directed to a field where you can list the measures you have taken.
If that sounds like a headache waiting to happen, there is some good news: per Frieser, there’s a lot of overlap between NIS2 and ISO. So if you’re already ISO compliant (or close to it), he says you’ll be able to achieve compliance pretty quickly.
If you’re ready to dive into all things NIS2, you can connect with Frieser’s team at www.cyberbasics.org.
Do you see value in getting ahead of international compliance? Or would you rather hold out as long as possible? As always, my inbox is open for questions, stories, insights, or whatever else is on your mind.
Copyright © 2024 MSP Radio, All rights reserved.