Cyprus businesses prepare for EU cybersecurity directive amid rising threats
Businesses in Cyprus are strengthening their cybersecurity measures in anticipation of the European Union’s network and information security directive (NIS 2).
The new directive comes into effect across all 27 EU member states on October 18, 2024.
The directive aims to enhance cyber resilience across a wider range of industries, introducing stricter risk management requirements and faster incident reporting, in response to a global surge in cyberattacks.
The NIS 2 directive updates the 2016 legislation, which focused on protecting critical infrastructure sectors like energy, healthcare, and finance.
The new version expands its scope to include more industries, standardising cybersecurity requirements across the EU.
It also introduces tougher penalties for non-compliance, places greater emphasis on securing supply chains, and promotes improved information sharing between EU member states.
Andrey Leskin, CTO at Qrator Labs, a provider of cyberattack mitigation services, highlighted the urgency of this directive as the number of cyber incidents rises globally.
“Cyprus is no exception,” Leskin said, noting that almost half of local businesses experienced cyberattacks in 2023, with many paying an average of €27,000 to address the damage.
He explained that the most frequent attacks in Cyprus were DDoS (Distributed Denial of Service), particularly targeting the financial, e-commerce, IT, and telecom sectors.
In response to the growing threat landscape, Qrator Labs announced that it recently became a member of TechIsland, the largest non-profit IT association in Cyprus.
The organisation aims to transform Cyprus into a technology and innovation hub.
As an active member, Qrator Labs said that it plans to assist local businesses in boosting their cyber resilience and adhering to the new European regulations.
To align with the NIS 2 directive, Leskin advised businesses to start by developing a threat model that assesses the likelihood and potential impact of cyber threats.
This process should include analysing historical incident data and gathering threat intelligence from cybersecurity vendors.
He added that companies need to consider the potential for financial and operational disruptions, compliance risks, and reputational damage when evaluating the impact of these threats.
Leskin also stressed the importance of understanding attackers’ motives, skills, and methods by developing an adversary model.
“Organisations must identify threats from cybercriminals, insiders, or competitors and use market intelligence to assess their behaviours,” he said.
On protection, he said that businesses should choose tools that address specific threats such as DDoS attacks, phishing, or identity theft, rather than relying on generic cybersecurity solutions.
Leskin added that specialised products are more effective in addressing each identified risk.
“The rollout of NIS 2 represents a significant tightening of the EU’s cybersecurity framework as the region confronts growing cyber threats,” he stated.
“For businesses across Europe, particularly in vulnerable sectors, swift action and strategic risk management are essential to avoid costly breaches and ensure compliance with the new regulations,” he concluded.