Navigating NIS2 and Cyber Resilience Act: Business Resilience Insights from EY’s Koen Machilsen

Code to Cloud

This episode of Code to Cloud features a discussion with Koen Machilsen, EY Consulting Partner in Cybersecurity. At EY, Koen is responsible for delivery and innovation of the EY Consulting cybersecurity and privacy service offering, and he has been with the company for over 16 years. Prior to joining EY, Koen held various roles in IT operations. Koen and host Tim Chase, Global Field CISO at Lacework, discuss the significance of integrating cybersecurity into business resilience strategies. The conversation covers how to respond to cybersecurity incidents, the importance of preparation and regular training, and the necessity of understanding business impact when developing cyber crisis management plans. They also delve into the European Union’s NIS2 and Cyber Resilience Act regulations, explaining how these aim to enhance cyber resilience across organizations by mandating stringent cybersecurity practices and reporting requirements. The discussion underscores the need for local transpositions of these directives and the challenges they introduce. Finally, they emphasize the importance of cyber resilience as an integral part of overall business resilience in the digital age.

Key Quotes

“In today's digital world, you cannot have decent business resilience without having cyber in there. And why is this? Because technology is embedded in the heart of many organizations. That technology is interconnected with clouds and based on internet technology. So it makes it inherently vulnerable to cyber attacks. So if you want to have a good business resilience strategy, to me, cyber is a vital part of that.”

“The overall objective of incident reporting is not to get organizations fined. It's to be able to do early sharing of those incidents or those indicators of compromise potentially to other organizations within or across different member states. All again, to make sure that whatever impact there is, that it does not get bigger from a member state or from a European Union perspective.”

“A lot of organizations are prepared to handle crises - the traditional ones - but do not really fully understand yet what it takes to handle a cyber crisis specifically. I think one of the biggest benefits that NIS2 will bring is creating that awareness and making sure that decent cyber crisis management is adopted.”

“The key question here is to really understand the impact of an incident from a few angles. I think understanding the impact of that incident is, is that really in the area that falls in scope of NIS2 for that organization? In what local European market is this impact cost? And to what extent is this impact significant? Because that's again at the discretion of the organization to determine. And I feel that those three elements really can help you decide how and where and when you need to report those incidents. So capturing all that information as part of your Security Incident Management process is key.”

Time Stamps

[0:30] Meet Koen Machilsen, EY Consulting Partner in Cybersecurity

[1:00] Handling a Cyber Incident: First Steps

[2:03] Understanding the Impact of an Incident and Communication

[3:45] The Importance of Regular Exercises

[6:26] Threat Modeling and Business Impact

[8:27] Regulation Insights: NIS2 Explained

[11:05] Incident Reporting Challenges

[20:24] Cyber Resilience Act Overview

[26:39] Rapid Fire Questions with Koen Machilsen

[30:13] Conclusion and Final Thoughts

Links

Connect with Koen on LinkedIn

Learn more about EY

Read EY’s article on how to prepare for NIS2

Learn more about Lacework

This po
