ciso brief

All news with #nis2 tag

36 articles

Europe's Push for Tech Sovereignty and Security Agenda

🔒 European policymakers are accelerating a push for greater tech sovereignty in response to shifting geopolitical trust and concerns over dependence on US and other foreign technologies. The debate spans legal, operational and supply-chain dimensions, with proposals under the EU’s Tech Sovereignty Package and revisions to procurement and the Cybersecurity Act. Achieving autonomy will require investment in local R&D, talent, interoperable systems and realistic timelines, while avoiding protectionist measures that stifle competition. The private sector must factor geopolitical risk into procurement to scale credible European alternatives.

FCA updates reporting to cover cyber and third-party

🔒 The FCA has issued clarified rules on reporting cyber-related incidents and supplier outages to give firms greater certainty about what to report and when. The update creates a streamlined regime coordinated with the PRA and the Bank of England, introduces a single reporting portal, removes duplicated reporting for payment service providers and credit rating agencies, and refines required information so most firms can use a short form. Firms have 12 months to prepare; the changes take effect on 18 March 2027.

UK regulation increasingly drives CNI cybersecurity

🔒 Security leaders at the UK's critical national infrastructure (CNI) firms are increasingly turning to regulatory compliance to steer cyber investment and maturity, Bridewell's Cybersecurity in CNI Report 2026 finds. The study shows 35% of leaders cite regulation as the primary influence, up from 26% in 2025. Adoption of frameworks like the NCSC CAF and NIS2 remains uneven, and organisations report widespread incidents and rising AI concerns.

Germany enacts NIS-2 law; BSI reports surge in sign-ups

🛡️ The German implementation of the NIS-2 directive came into force on December 6, 2025, prompting a last-minute rush of registrations to the Federal Office for Information Security (BSI). The BSI recorded more than 4,000 new registrations in the final week as organisations checked whether the rules apply to them. The law mandates rapid incident reporting — initial notification within 24 hours, updates within 72 hours and a final report after one month — and serious violations may lead to fines.

Germany enacts NIS-2 law; thousands register late now

🛡️ The German law implementing the NIS-2 directive came into force on 6 December 2025, introducing stricter incident reporting and registration requirements. The Bonn-based Federal Office for Information Security (BSI) reported a surge of more than 4,000 registrations in the final week before the deadline and expects further last-minute filings. Affected organisations must report significant incidents within 24 hours, provide updates within 72 hours and submit a final report after one month, with potential fines for serious violations.

Navigating Fragmented Cybersecurity Regulation in Europe

🔎 This Fortinet podcast episode examines the evolving EU-centric cybersecurity regulatory landscape and its implications for global businesses. Host Joe Robertson speaks with Dr. Tommaso De Zan of Access Partnership about layered rules such as NIS2, the Cyber Resilience Act, DORA, and emerging cloud sovereignty initiatives. They contrast horizontal and vertical regulations, highlight differences between regulations and directives, and emphasize that industry accepts rules but resents uncertainty. Practical advice includes early policy monitoring, engagement in consultations, and embedding security into products and operations.

Cyber Conflict Targeting Society: Policy and Resilience

🛡️ In the first episode of Fortinet's Brass Tacks: Talking Cybersecurity season 2, host Joe Robertson speaks with Annita Sciacovelli, a professor of international law and cybersecurity advisor to the Italian Ministry of Defence, about how modern cyber conflict increasingly targets societies rather than only military or corporate assets. They explain that attacks on energy, transport, finance, and public administration aim to erode trust and create strategic psychological pressure, reframing cybersecurity as a public-interest challenge. The discussion highlights legal distinctions between terrorism and state use of force, the importance of ENISA, and EU frameworks such as NIS2, DORA, and the Cyber Resilience Act, while underscoring the need for cyber diplomacy, intelligence sharing, and continuous resilience-building.

NIS2 Reframes Supply Chain Risk as Core Security Duty

🔒 NIS2 forces organizations to treat supply chains as an integral part of cybersecurity rather than an afterthought. The directive shifts emphasis from perimeter defenses to the risks posed by external service providers and subcontractors, requiring firms to identify dependencies, set proportionate contractual security obligations, and implement continuous monitoring. It also elevates the CISO's remit to enforce cross-functional risk management.

NIS2 Elevates Supply Chain Security to Leadership Task

🔒 NIS2 pushes organizations to treat supply-chain risk as central to cybersecurity, making external dependencies part of security architecture and leadership responsibility. It requires systematic inventories, contractual security obligations, and continuous monitoring of both direct providers and downstream subcontractors. For the CISO, the role shifts from technical stewardship to cross-functional risk management and enforcement. Common failures—poor prioritization, unenforced controls and organizational silos—must be addressed with scalable, evidence-based controls.

Criticism of Kritis Umbrella Law Raises Patchwork Concerns

⚠️ The German Association of Cities warns the coalition's proposed Kritis umbrella law, due for a Bundestag vote, is insufficient because its 500,000-inhabitant threshold excludes many essential facilities and weakens crisis preparedness. The draft tightens obligations for classified operators — including reporting duties and fines — but the Städtetag urges lowering the cutoff to 150,000 to cover medium-sized municipalities. The association also warns that allowing federal states to designate additional facilities risks creating a fragmented patchwork. In response to a January power-supply arson in Berlin, the amendment asks the government to review and remove publicly available infrastructure data to limit attacker intelligence, a shift Chancellor Friedrich Merz framed as moving from broad transparency toward greater resilience.

EU Revises Cybersecurity Rules to Curb High-Risk Suppliers

🔐 The European Commission has unveiled a cybersecurity package to strengthen the EU’s resilience against state and criminal cyber and hybrid threats. The proposals focus on reducing risks from high-risk suppliers outside the EU—particularly in critical infrastructure like mobile networks—using a common, risk-based framework. The plan updates the European Cybersecurity Certification Framework to speed product testing, eases compliance burdens for SMEs, and reinforces ENISA’s role in threat analysis, incident response and vulnerability management.

EU Cybersecurity Overhaul to Bar High-Risk Suppliers

🔒 The European Commission has proposed a comprehensive cybersecurity package that would require the removal of high-risk suppliers from sensitive telecommunications networks and give Brussels authority to coordinate EU-wide risk assessments. The measure aims to strengthen defenses against state-backed actors and cybercrime targeting critical infrastructure while addressing uneven uptake of the 2020 5G Security Toolbox. The proposal also expands ENISA's remit to issue early threat alerts, centralize incident reporting, streamline voluntary certification, and support joint assessments across 18 critical sectors, with member states required to transpose changes within one year of approval.

Parliament Seeks Industry Input on Cyber Security Bill

🏛️ The Parliamentary Public Bill Committee is inviting industry submissions to inform scrutiny of the Cyber Security and Resilience Bill (CSRB), the planned successor to the NIS Regulations 2018. Now at committee stage after its second reading, the bill proposes expanded scope, tighter incident-reporting, mandatory supply-chain risk management and alignment with the NCSC Cyber Assessment Framework. The committee will hear oral evidence from 3 February and has urged prompt written responses as it may conclude early.

New BSI Portal Enables NIS2 Registration and Reporting

🛡️ The new BSI portal lets companies register as NIS2 entities and report significant IT security incidents to the Federal Office for Information Security. Launched after NIS2 took effect in Germany in early December, the platform provides risk-analysis tools, legal guidance for registrants and access to the Alliance for Cyber Security. Hosted on AWS, it aims to deliver real-time data, daily situation reports and anonymous vulnerability reporting, though the cloud choice has attracted criticism over digital sovereignty.

Key CISO Trends for 2026: Resilience, AI, Regulation

🔒 The year 2025 tightened the regulatory landscape—DORA and NIS2 pushed many organizations to elevate cybersecurity and operational resilience. CISOs expect 2026 to remain dominated by compliance complexity, persistent cost pressures, and an acute skills shortage. Attention will shift toward Resilience by Design, software supply-chain security, and operationalizing Zero Trust for identities and machine accounts. Controlling Shadow AI and strengthening third-party risk management will also be high priorities.

Strategic Imperative for OT/IT Convergence and Security

🔐 The convergence of operational technology (OT) and information technology (IT) creates major business opportunities but also introduces significant cybersecurity complexity and risk. Legacy OT equipment, cultural divides between OT and IT teams, and a historical focus on uptime over security increase exposure as organisations digitise critical infrastructure. Leaders must embed security by design, address compliance such as NIS2, and unite teams to manage cloud, AI and device proliferation.

Implementing NIS2 Without Creating Excessive Paperwork

🛡️ Companies facing NIS2 risk turning compliance into a voluminous paperwork exercise unless security is embedded in the technical stack from the outset. The piece argues that documentation alone does not equal protection and advocates for automating controls and evidence via infrastructure as code, CI/CD pipelines, and policy-as-code. Practical focus areas include IAM, vulnerability and supply-chain management, and monitoring and incident response, where automation both reduces burden and improves auditability.

NIS2 Compliance: Passwords and MFA Best Practices Guide

🔐 The EU's NIS2 Directive requires organizations in critical sectors to strengthen identity and access controls, with Article 21 explicitly calling for access policies and practical protections. Modern password hygiene favours long passphrases (e.g., 15+ characters), breach screening, and avoiding routine rotations unless compromise is suspected, alongside user-friendly measures like password managers. While NIS2 doesn't always explicitly mandate MFA, national guidance and ENISA expect phishing-resistant MFA for privileged and critical accounts.

AWS Strengthens Cybersecurity and Resilience in the EU

🔒 AWS reiterates its commitment to raising cybersecurity standards across the European Union, positioning security as a core responsibility across its global operations. The post explains how AWS supports customers in meeting the NIS 2 Directive (EU 2022/2555) and related Implementing Regulation (EU 2024/2690) through services, audited controls, and guidance. It highlights certifications, regional accreditations, and tools—such as AWS Security Hub, AWS Config, and AWS CloudTrail—that help entities meet governance, incident reporting, and resilience obligations. The blog also describes AWS collaboration with national authorities and programs that provide templates, training, and operational engagement to improve readiness and compliance.

Automating NIS2 Compliance: Move from Paperwork to Code

🛡️ The EU directive NIS2, in force in Germany since 06 December 2025, risks becoming a paperwork-heavy exercise unless organisations adopt automation and DevSecOps. The article argues security must be planned and enforced by technology, using Infrastructure as Code, policies-as-code and CI/CD pipelines so controls and evidence (commits, pipeline logs, SBOMs) are revision-proof. Solutions such as CIEM, CNAPP and SIEM can centralise IAM, vulnerability and incident data so auditability is produced by the platform rather than by post-hoc Word documents.