A tough new EU cyber law is off to a messy start, with many countries failing to adopt the rules
Businesses have been working hard to shift their culture internally to ensure they’re taking the threat of cyber breaches and outage incidents seriously.
Andrew Brookes | Image Source | Getty Images
New European Union regulations requiring businesses to bolster their cyber defenses is off to a slow start as many member states have failed to adopt the rules in time to meet a key enforcement deadline, according to research monitoring the progress of the directive.
The EU’s NIS 2 cybersecurity directive sets a high benchmark for companies over their internal cybersecurity systems and practices. It imposes tougher requirements around risk management, transparency obligations and business continuity planning, in the event of a cyber breach.
On Thursday, the new directive officially became enforceable by member states. That means firms have to now ensure their operations are up to scratch with the rules. However, most EU member states have yet to implement NIS 2 in their own respective national laws, meaning that enforcement is likely to be spotty.
Two countries — Portugal and Bulgaria — haven’t begun the transposition process for NIS 2, where directives are incorporated into the national laws of EU member states, according to a tracker tool from internet research organization DNS Research Federation. The governments of Portugal and Bulgaria were not immediately available for comment when contacted by CNBC Wednesday.
“The implementation status varies significantly across the bloc,” Tim Wright, partner and technology lawyer at Fladgate, told CNBC via email.
What is NIS 2?
NIS 2 — or the Network and Information Security Directive 2 — is an EU directive that aims to increase the security of IT systems and networks across the bloc. First proposed in 2020, the law serves as an update to an earlier directive simply called NIS.
NIS 2 expands the scope of its predecessor to address more recent cybersecurity challenges and threats, as criminals have found new ways to hack companies and compromise their sensitive data.
The directive applies to organizations that operate within the EU and provide essential services to consumers, including banks, energy suppliers, health care institutions, internet providers, transport firms, and waste processors.
Businesses will have a “duty of care” to report and share information on cyber vulnerabilities and hacks with other companies under the new regulation — even if it means owning up to being a victim of a cyber breach.
If a business falls victim to a cyber breach, they’ll have 24 hours to submit an early warning notification to authorities — a stricter timeline than the 72-hour window firms have to notify authorities about a data breach under the General Data Protection Regulation, a separate data privacy law in the EU.
Firms will also have to vet their technology vendors one by one for cyber threats and vulnerabilities.
Will it be effective?
Fladgate’s Wright said that effectiveness of NIS 2 as a regulation will largely depend on consistent implementation and enforcement across EU member states.
“Bad actors may target countries lagging in their NIS2 transposition or look for weaknesses in supply chains, targeting smaller, less-secure vendors and suppliers to gain access to larger, better-protected organisations,” he told CNBC.
Businesses have been working to get their internal processes, controls and broader culture around cybersecurity into shape for years ahead of the Thursday deadline.
Chris Gow, enterprise tech firm Cisco’s EU public policy lead, said that the spotty nature of NIS 2’s implementation has also been “exacerbated by local adaptation of the law.”
This, in turn, is “creating discrepancies that can prove difficult to navigate, especially for smaller organisations with limited resources,” Gow told CNBC in emailed comments.
He recommended that, rather than being “overwhelmed” by discrepancies in local adaptations of NIS 2, organizations should “identify a common core of security controls and processes that stand them in good stead to both meet and demonstrate compliance at scale.”
What if a company fails to comply?
For “essential” entities like transport, finance and water companies, failure to comply with NIS 2 can lead to fines of up to 10 million euros ($10.9 million) or 2% of global annual revenues — whichever ends up higher.
Meanwhile, “important” businesses — such as food companies, chemicals firms, and waste management services — are looking at fines of up to 7 million euros or 1.4% of their global annual revenues for breaches.
Firms can also face possible suspensions of service if they fail to comply with NIS 2, as well as closer supervision.
“NIS 2 makes it clear – large fines, possible suspension of service and monitoring of compliance are being used as levers to encourage organisations responsible for critical services to pay attention to cybersecurity threats and their response to those,” Carl Leonard, EMEA cybersecurity strategist at Proofpoint, told CNBC.
“A baseline has been set in terms of risk-management and mitigation measures including incident handling, staff training, leadership accountability and many others,” Leonard added.
A Tesla Cybertruck sits on a lot at a Tesla dealership on April 15, 2024 in Austin, Texas.
Brandon Bell | Getty Images
Tesla shares slid more than 2% Tuesday after a report that the electric vehicle maker was halting production of Cybertruck and Model Y models for a week in Austin, Texas.
The production stoppage begins June 30, Business Insider reported, citing a staff meeting where the announcement was made. The pause, which is for maintenance on production lines, would be the third such shutdown at the Austin facility in the past year, according to BI.
Tesla is tentatively launching the robotaxi in Austin on June 22, using Model Y vehicles equipped with a new version of the company’s “Full Self-Driving” technology.
CEO Elon Musk shared a video clip on X last week of a Model Y robotaxi on a road in Austin, adding to the buzz for the promised launch.
CNBC has reached out to Tesla for comment on the reported pause.
Read the full BI story here.
Tesla year-to-date stock chart.
Thomas Fuller | Lightrocket | Getty Images
Reddit shares popped about 5% after the social media company debuted new artificial intelligence-powered advertising tools.
The two new features, announced Monday in a post during the Cannes Lions festival, will help brands better leverage discussions on the platform. The company said the tools are powered by an engine called Reddit Community Intelligence that turns “posts and comments into structured intelligence.”
Reddit announced a “listening tool” called Reddit Insights, which shares real-time insights with marketers to help them identify trends and launch campaigns. The other tool, called Conversation Summary Add-ons, allows brands to show “positive” user content under their ads.
“These are tools for a new era of community marketing, one where brands can tap into Reddit’s authenticity and connect meaningfully with high-intent communities around the world,” the company wrote.
The company said Publicis served as the exclusive alpha tester for Reddit Insights, while Lucid and Jackbox Games were among the early testers for Conversation Summary Add-Ons.
Companies across industries are betting on new ways to harness AI to improve advertising campaigns and better engage with users. These new tools are transforming the industry while also putting pressure on some advertising stalwarts.
The industry is also currently navigating a bumpy environment spurred by the trade war with China.
During the recent earnings season, many companies warned of sluggish advertising sales in certain regions due to a rocky macroeconomic environment. Recent developments, however, have suggested a cooling of tensions between the U.S. and China.
Last month, Reddit posted strong sales and upbeat guidance. The company has benefited from recent changes to Google search and internal site improvements, which include convincing logged-out users to open accounts. Logged-in accounts are more beneficial to advertisers.
WATCH: Outgoing WPP CEO says AI will ‘revolutionize’ advertising business
Helsing uses AI to analyze large amounts of sensor and weapons system data from the battlefield.
Pavlo Gonchar | Sopa Images | Lightrocket | Getty Images
European defense technology startup Helsing on Tuesday said that it’s raised 600 million euros ($693.6 million) in a bumper new round of funding.
The investment was led by Prima Materia, the venture capital firm founded by Spotify CEO Daniel Ek and by Shakil Khan, an early investor in the popular music streaming app. Ek is also chairman of Helsing.
Existing investors Lightspeed Venture Partners, Accel, Plural, General Catalyst and Saab also put money in, alongside new investors BDT & MSD Partners.
Defense and the technology behind it have become a hot area for investors lately, amid major global conflicts, including the Ukraine war to Israel-Gaza. Last week saw a further escalation of war in the Middle East as Israel launched a series of airstrikes against Iran.
In 2024, venture funding in Europe’s defense, security and resilience sector reached an all-time high of $5.2 billion, according to a recent report from the NATO Innovation Fund. The sector grew 30% in the past two years, outperforming the broader VC market, which saw a 45% decline over the same period.
Founded in 2021, Helsing sells software that uses artificial intelligence technology to analyze large amounts of sensor and weapons system data from the battlefield to inform military decisions in real time. Last year, the startup also began manufacturing its own line of military drones, called HX-2.
Helsing, which operates in the U.K., Germany and France, said it would use the fresh cash to invest in Europe’s “technological sovereignty” — which refers to attempts to onshore the development and production of critical technologies, such as AI.
“As Europe rapidly strengthens its defence capabilities in response to evolving geopolitical challenges, there is an urgent need for investments in advanced technologies that ensure its strategic autonomy and security readiness,” Ek said in a statement out Tuesday.
Helsing did not disclose its new valuation following the latest financing round, which is subject to “certain approvals,” according to a statement. The firm was previously valued at around 5 billion euros in a 450 million euro funding round led by General Catalyst last year.
-
Sports3 years ago‘Storybook stuff’: Inside the night Bryce Harper sent the Phillies to the World Series
-
Sports1 year agoStory injured on diving stop, exits Red Sox game
-
Sports2 years agoGame 1 of WS least-watched in recorded history
-
Sports2 years agoMLB Rank 2023: Ranking baseball’s top 100 players
-
Sports4 years ago
Team Europe easily wins 4th straight Laver Cup
-
Environment2 years agoJapan and South Korea have a lot at stake in a free and open South China Sea
-
Sports2 years agoButton battles heat exhaustion in NASCAR debut
-
Environment2 years agoGame-changing Lectric XPedition launched as affordable electric cargo bike