The new EU Network and Information Security (NIS2) Directive, which is expected to come into force by October this year, will change the digital infrastructure landscape across Europe. A wide-ranging set of regulations, it focuses on an important range of priorities, from cybersecurity risk management to ransomware protection. Non-compliance can result in fines of at least €10,000,000 or 2% of global annual revenue for those found to have been in breach.
Organisations must determine their applicability based on industry verticals and size, as authorities will not notify companies about their responsibilities. Of course, regardless of applicability, security requires investment from all media and entertainment (M&E) companies, especially because media content is particularly vulnerable to cyberattacks from ransomware groups and hacktivists.
What is NIS2 and why is it important?
So, what makes NIS2 so significant? First announced back in 2016 and most recently updated last year, NIS2 is an EU framework that sets out a range of regulations designed to improve cybersecurity levels in the EU. In particular, it puts significant emphasis on issues such as cybersecurity preparedness, crisis management and cooperation across member states. This is also intended to help harmonise the way EU member states build a security culture.
In practical terms, it is relevant to a very wide range of medium-to-large organisations and enterprises (there are over 30 million businesses in the EU) across many essential services and industry sectors. Each member state is required to incorporate NIS2 into its local laws and, as has been the case with other Directives such as GDPR, this is a complex task that can be fraught with delays, a lack of consistency and widely varying levels of enforcement.
Indeed, GDPR provides a useful point of comparison. When it came into effect in 2018, there were concerns that GDPR would, among other things, impose significant compliance costs, increase operational complexity and stifle innovation. While various difficulties remain, it has certainly acted as a major catalyst for improving data protection in the EU and beyond, with cumulative fines passing the €4.5 billion mark in July 2024.
Compliance and protection
Where does this leave organisations across the M&E ecosystem that will need to improve their cybersecurity posture to comply with NIS2? Clearly, protecting content is already very high on the agenda for businesses across the sector – research published late last year suggested that security breaches cost the industry 9% of its revenue over a 12-month period.
Take the security challenges associated with on-demand workflows, for example. In this context, creative professionals need to access content from everywhere. In today’s highly connected industry it simply isn’t desirable or practical to have data unavailable to key stakeholders, on siloed networks or stored on inefficient legacy technologies. This is representative of the broader security issues faced by the industry, where everything from content creation to consumption is dependent on efficient and secure technology infrastructure.
On the flipside, however, the risks associated with malware in general and ransomware in particular are practically ubiquitous. Last year, for example, it is estimated that there were over 300 million attempted ransomware attacks worldwide – a staggering figure which suggests that, for many businesses, it’s not a question of if or when they will be targeted, but how often.
What’s also true is that businesses have limited time and resources, but there are a number of areas where improvements in approach can deliver significant security benefits:
- Access controls. Limiting access to sensitive data can be achieved without impacting the overall efficiency of people and processes. Modern access control technologies can build on approaches such as multifactor authentication to include least-privilege access controls, so employees only have access to the systems and data necessary for their job roles.
- Security training. As part of a culture of security awareness and vigilance, training plays an important role in ensuring that people remain up to date with emerging risks and best-practice approaches to keeping their systems safe.
- Advanced threat detection and response. Investing in advanced intrusion detection and prevention systems can significantly boost security posture and help mitigate threats in real time. This is a particularly important capability given the constantly changing nature of security risks and vulnerabilities.
- Incident response and reporting. Effective incident response can not only minimise damage and recovery time, but it can also play a major role in meeting compliance obligations. In the case of NIS2, there are specific and detailed incident reporting requirements designed to ensure breaches are addressed in a timely manner.
These represent just some of the various opportunities organisations across the M&E sectors have for optimising their approach to security. Those that focus their time and investment to address the wide range of challenges we all face will put themselves in a strong position to remain secure and compliant in the years ahead.
Security in M&E is already a hot topic and NIS2 may well prove to be the catalyst that drives more investment into this area.