On this bonus episode of the Business of Tech, Erik Jan Frieser joins host Dave Sobel to discuss the upcoming NIS2 regulation in Europe. They delve into the importance of compliance for customer safety and the impact of NIS2 directive on IT service providers. Tune in to learn more about navigating this regulatory landscape and staying compliant in the tech industry.
Hosted by Simplecast, an AdsWizz company. See pcm.adswizz.com for information about our collection and use of personal data for advertising.
[00:00:00] Listeners know I do like to talk about regulation.
[00:00:05] I think it's really important that we make sure that we're applying the right compliance
[00:00:09] to our customers and making sure we're keeping them safe in all the right ways.
[00:00:13] The Europeans are so invested in this as well, and I wanted to learn a little bit more
[00:00:18] about an upcoming regulation, NIS2, so I had Erik Jan Frieser on to tell me a
[00:00:24] little bit more, and what they're doing to help people be compliant.
[00:00:28] Let's get started on this bonus episode of the Business of Tech.
[00:00:58] Erik, thanks for joining me today.
[00:01:18] Thank you, Dave. Thank you for having me.
[00:01:22] Now, I cover a ton of legal and compliance stories on the show, but obviously,
[00:01:28] I've got a very heavily American audience, so I like to touch on some European laws.
[00:01:33] But there's one coming up that I think we want to have a conversation about.
[00:01:37] Tell me a little bit about what's going on with NIS, that Network and Information Systems
[00:01:42] law, the directive from the EU. What's happening with it over the course of this year?
[00:01:47] So what we see is that the NIS2 directive is coming towards us, and there's a lot of
[00:01:55] buzz going on around it in Europe. We see a lot of countries developing their own requirements.
[00:02:02] The member states are developing their requirements, and a lot of companies
[00:02:09] get lost in the jungle that is called NIS2 at the moment.
[00:02:14] And we developed a platform for that, to help these companies out in becoming compliant with NIS2.
[00:02:21] Well, let's take a quick step back. What is NIS2? What does it contain, and who does it apply to?
[00:02:27] So NIS2 is a follow-up on the NIS 1 directive, and it really focuses on cybersecurity.
[00:02:35] It focuses on these high critical and other critical sectors
[00:02:39] that really need to have their cybersecurity on a good base level.
[00:02:44] And what has been developed is a directive that really shows these companies what they
[00:02:52] need to have in order to be compliant with NIS2. And one of the other things is that
[00:02:57] there will be fines granted to these companies if they don't have this in place.
[00:03:02] And that's really a difference if we look at other directives.
[00:03:06] Now, I mean, a lot of these cybersecurity frameworks are very standard. We talk a lot about the NIST
[00:03:12] Cybersecurity Framework in the US. We've got some of the new directives around that.
[00:03:16] But one of the things about NIS2 is that it applies very broadly, in a way that a lot
[00:03:23] of my American listeners ought to care about. Talk to me a little bit about how it applies
[00:03:27] and who it applies to. So it really applies, if you look at it the official way, to two sectors,
[00:03:34] the high critical sectors. You can think of the energy companies, transportation, financial market,
[00:03:43] healthcare, drinking water, wastewater, digital infrastructure. These are really the high
[00:03:49] critical sectors. But also the administrators of IT services, space travel, banking. So that's
[00:03:57] the section that's called the high critical sectors. But we also have the other critical
[00:04:02] sectors. And these are the digital providers, postal and courier services, waste management,
[00:04:10] food production, chemicals, research, manufacturing. It's really a broad spectrum of companies.
[00:04:18] And what we also see developing is the supply chain companies that are offering services to
[00:04:26] these companies. So it's getting broader and broader, in the companies that need to comply and
[00:04:33] companies that want to comply with NIS2. Now, we were talking before, and one of the reasons I
[00:04:39] was interested in this is that you looked at this and your interpretation is that there's
[00:04:43] actually going to be a lot of American companies that are swept up in ways that they may not
[00:04:49] be aware of. Give me some of the examples of the scenarios that you've been thinking about
[00:04:53] that my American listeners need to be aware of. So what we see is that we get a lot of questions
[00:05:02] asked by different companies, and they ask us, like, how does your tool work for us for NIS2?
[00:05:07] And then I look at these companies and I ask them, why do you want to become compliant
[00:05:11] with this too, because you don't have to become compliant. But then these companies quickly
[00:05:17] say to me, we have these companies that we work with in Europe and we expect that they will ask us
[00:05:24] to also comply with these NIS2 requirements. And that's why we also specially designed a supply
[00:05:31] chain portal for them to show that they have compliance with the minimal requirements that
[00:05:37] NIS2 is asking of them. And it's pretty broad, right? Because if I'm an American company and
[00:05:43] I manufacture something and I sell a unit to a European, I'm now swept up in this. I would have
[00:05:51] to make sure that that sale and all the data related to it is involved. Walk me through, I mean,
[00:05:57] is it that granular? What do I have to protect? So it really depends on which customers
[00:06:04] you offer your service to in Europe. And if these customers are in these critical sectors,
[00:06:10] then you can expect them to ask you to comply with most of the requirements that are being
[00:06:16] asked inside NIS2. So wait, again, I think let's talk about the framework itself,
[00:06:23] because I want to make sure that my listeners are getting a sense of some of the specifics
[00:06:27] in it. Like talk to me a little bit about some of the specific requirements that are in there
[00:06:33] and some of the penalties for noncompliance. So if you look at the specific requirements,
[00:06:40] Dave, then we're looking at a lot of them. We look at incident handling, business continuity.
[00:06:46] We look at supply chain security. So they really have to look at how their supply chain
[00:06:54] is organizing its security. So that is one that's really important. We also look at cyber security
[00:07:00] awareness training, monitoring of your IS management, internal audits. And you really can go on;
[00:07:08] it's really about looking at what have you done? What are you doing? How are you managing
[00:07:13] your cyber security? And it really will touch a lot of your customer base.
[00:07:18] So one of the things that's always notable about European regulations is that they
[00:07:23] generally come with real teeth. The Europeans are much more aggressive as regulators
[00:07:29] in terms of making the penalties substantial. Tell me a little bit about the penalties for non-compliance.
[00:07:38] Yes, so this is one that's really important. Penalties can be really big. So when we are not
[00:07:46] complying with NIS2, for the essential high critical sectors the fines can go to 10 million euros
[00:07:55] or 2% of your yearly revenue. And if you look at the critical sectors, it can be up to a
[00:08:02] max of 7 million euros or 1.4% of worldwide revenue. So that is really a risk for your whole
[00:08:11] company of not being compliant with NIS2. So you've built a platform to help
[00:08:18] solution providers, IT companies address NIS2 compliance. Walk me through kind of what your
[00:08:24] approach is and what you've put together to help with that compliance process.
[00:08:29] Yes, so we really have developed a platform around NIS2. We've done this for years. We did it for
[00:08:36] ISO, we did it for medical device regulations, GDPR and others. And what our approach always was
[00:08:44] was make it simple, because reading a directive like NIS2 is really difficult. You have to go
[00:08:51] through it again and again. And then if you're not a legal specialist, it's really difficult to
[00:08:56] understand what's there. And that's exactly what we did. We made it simple with a team of legal
[00:09:02] and technical consultants. We've been through this directive and we've turned it around,
[00:09:07] especially for your organization, to really pick it up simply, fill in the things,
[00:09:14] the measures that you have made on every chapter that's needed and the requirement
[00:09:18] that's needed, so you can in the end comply with NIS2 in a really fast and easy way.
[00:09:25] So, looking through the approach, this seems like it would be really good for somebody
[00:09:29] in particular that may not be as familiar with it. Let's walk through a simple example.
[00:09:34] Say that I'm a medical device supplier and in particular I'm thinking about a
[00:09:40] managed services customer who supports this customer. So they've got a customer who supplies
[00:09:46] a small medical device, right? It's not a particularly
[00:09:49] piece, and they're American based, but they sell enough of them over in Europe to
[00:09:55] be compliant. Walk me through the process of how a solution provider would help this
[00:09:59] customer specifically with their needs. Yeah, so what we have developed is a platform that you
[00:10:06] can start using as a customer, and it will be even better if you have a consultant from an MSP
[00:10:13] partner, because they really can help you out with all the details and even
[00:10:17] become compliant with NIS2 more quickly. So for different customers, we have different versions
[00:10:23] of the portal, and when you start working in the portal you will see all these requirements,
[00:10:29] and they are there and they have explanations. They have explanations where you need to fill in
[00:10:34] who is responsible for different types of subjects, and there are different places
[00:10:39] where you can fill in what kind of measures you have made for each subject. So for instance,
[00:10:46] if we look at security awareness, you will be asked what you have done around security
[00:10:51] awareness training inside of your company, and then there will be a way where you can fill in
[00:10:57] all the measures that you have made around security awareness. And of course, if
[00:11:03] you have an MSP that really helps you out with this then they can also support you in setting up
[00:11:10] the security awareness training, maybe MXDR solutions or other solutions around cybersecurity.
[00:11:17] So for a lot of my listeners right, they've got American-based businesses,
[00:11:21] they're focused on that and they've done some work already around compliance. They may have
[00:11:25] worked to be compliant with some of the regulations that are relevant here.
[00:11:29] You worked with some companies that have transitioned to try new business in Europe,
[00:11:33] give me a bit of a sense of, like, how much that preparedness will apply when thinking about NIS2.
[00:11:41] Yes, that's a good question, Dave. We see of course different directives, and one of the
[00:11:48] directives we of course also see in Europe, but also outside of Europe, is ISO 27001
[00:11:54] and other ISO standards. And of course what we see is there is similarity between NIS2 and
[00:12:00] ISO. And what we did in our platform is that it has a cross-reference. So if you are
[00:12:07] complying with one of these chapters, then it will also cross-reference to your ISO if you're
[00:12:15] also using our ISO portal for that. So there are similarities, and on different requirements
[00:12:23] you can become compliant really quickly, because you maybe already have done that.
[00:12:28] So Erik, if people are interested in learning a little bit more, how can they get in touch?
[00:12:35] Yes, we have a website for that, Dave. You can find it at cyberbasics.org.
[00:12:42] You can find all the information there, and also the way to get in contact with me,
[00:12:47] and I'm really happy to help you out with any kind of questions around NIS2.
[00:12:52] Erik Frieser is the CEO and co-founder at Frazier & Schuchman, focused on ICT
[00:12:59] delivery in a fast and efficient way, focusing on security and compliance.
[00:13:03] He's joined me today from his home in the Netherlands. Erik, thanks for joining me today.
[00:13:08] Thank you for having me, Dave. Have a nice day.
[00:13:13] The Business of Tech is written and produced by me, Dave Sobel, under ethics guidelines
[00:13:18] posted at businessof.tech. If you like the content, please make sure to hit that like button,
[00:13:24] follow or subscribe. It's free and easy and the best way to support the show and help us grow.
[00:13:31] You can also check out our Patreon, where you can join the Business of Tech community
[00:13:36] at patreon.com/mspradio, or buy our Why Do We Care merch at businessof.tech.
[00:13:44] Finally, if you're interested in advertising on the show, visit mspradio.com/engage.
[00:13:51] Once again, thanks for listening to me, and I will talk to you again on our next episode
[00:13:56] of the Business of Tech.
[00:14:00] Part of the MSP Radio network.