The NIS 2 Directive and its Impact on M&A/D

In response to growing cybersecurity challenges, the European Union (EU) will revitalize its cybersecurity directive NIS (Network and Information Security), the legislation framework on measures for a high common level of cybersecurity. The updated directive is commonly known as NIS2 that member states need to transpose into national law by October 17, 2024.

NIS2 - Emerging governance, risk, and compliance requirements

Building upon the foundation laid by the NIS Directive, NIS2 represents a significant evolution in EU cybersecurity policy. One of the most notable changes is the expansion of the directive’s scope to include more industry sectors and additionally introduce several new provisions to enhance cybersecurity resilience and response capabilities. To comply with the new directive

• Organizations must take measures to minimize cyber risks (risk management, controls, incident reporting mechanisms).
• Organizations must choose and implement measures for supply chain security that fit the vulnerabilities of each direct supplier.
• Corporate management need to oversee, approve and be trained on the cybersecurity measures implemented.

More stringent penalties for noncompliance with the directive, aiming to ensure effective enforcement and incentivize organizations to prioritize cybersecurity measures in several sectors.

NIS2 - What are the impacts on mergers, acquisitions, and divestitures (M&A/D)?

M&A/D in general stress standards, are full of one-off scenarios, operational effectiveness is typically low and status quo of existing technology architecture is unclear. When it comes to cyber risks a recent survey of Zscaler has shown that VPN-related attacks have especially increased in frequency in M&A/D scenarios in the past years. But not only the frequency has increased but also the sophistication and severity of these attacks have increased, baring huge problems during a transaction when operational stability is not effective yet. 

That's the reason why effective cyber mitigation and NIS2 conformity begins already in the Technology Due Diligence process, especially focusing on network and security architecture, governance and legacy technology incl. software and code. Also, not having sufficient transparency at an early stage increases risk potential and counteracts NIS2 compliance.

Planning a NIS2 conform divestment or integration starts at Day0. As ownership of NIS2 is on both business and IT side - a recent Zscaler survey has shown that primary ownership sits with the CIO/CISO area (42%) and business areas (58%), responsibilities must be reflected in the operating model along all key business processes especially in the supply chain area where vulnerability transparency and mitigation is harder to achieve due to disparate environments. Until Day1, three topics must be clearly addressed. 

• Define governance and responsibilities for risk and cyber mitigation in Business, IT and third parties.
• Invest in the right technology architecture. Reduce attack vectors where possible while achieving a holistic organizational transparency.
• Protect your intellectual property by having an effective data loss prevention (DLP) mechanism implemented early on.

NIS2 - How the right technology solution help overcome NIS2 challenges in M&A/D

In transactions, when standards are stressed and regular operation is not always possible, organizations thrive for effective solutions to secure connectivity, integrity and security while being able to have transparency and control over your organizational assets within or outside the organization. Yet, time pressure, cost and business continuity must not suffer by no means. 

Platform solutions providing brokered Zero Trust connectivity and security grant both the right set of capabilities that you need in order to address NIS2 challenges while they are easy to rollout and manage at transparent cost (mainly OPEX). Good Zero Trust architecture solutions are proxy-based, come with brokered connectivity, inspect all traffic and do not use any VPN or firewall related technologies - they are typically born in the Cloud. A big watch out remains scalability and global service availability. Integrating and divesting companies is done on a global level. Therefore a global data center presence is inevitable where all services are executed at all points of presence (SLA). If not, poor platform performance eventually counteracts M&A/D velocity and user experience with higher overheads on cost and people side. 

Key takeaways of NIS2 in M&A/D scenarios

1. Transparency into the entire technology estate and process expectation conformity are the two important elements in each due diligence that help determine the level of risk and cyber resilience. 

2. NIS2 compliance starts with having clear responsibilities on the business and IT side as part of the operating model

3. While the right architecture is a foundational element to be successful against cyber attacks, legacy concepts like castle and moat (firewalls, VPNs) bare too many attack factors for hackers, especially in M&A/D situations where standards are stressed and regular operations are off limits.

4. Counteract technology complexities with a platform first approach. Platform solutions harmonize the infrastructure landscape and provide security and connectivity as a service. While traditional solutions work well in standard operations, they come to its limits when organizations frequently buy/sell or see change as a driver for new opportunities.

Further guidance and recommendations can be found in the Zscaler Whitepaper, 'Enhancing Cybersecurity In the EU: An In-Depth Look at the NIS2 Directive and Its Impact On M&A/D‘, which is available for download here.