Businesses in Cyprus are expected to toughen their cybersecurity defenses due to new European directive

Cypriot businesses are ramping up their cybersecurity defenses as the EU’s NIS 2 (Network and Information Security) Directive is set to take effect across all 27 European states on October 18, 2024. The new directive aims to bolster cyber resilience across a broader range of industries, imposing stricter risk management requirements and faster incident reporting obligations, as cyberattacks surge globally.

The NIS 2 directive updates the original 2016 legislation, which focused on protecting critical infrastructure, such as the energy, healthcare, and finance sectors. However, the scope of NIS 2 expands to include more industries while enforcing harmonized cybersecurity standards across the EU. The directive introduces harsher penalties for non-compliance and emphasizes supply chain security and improved information sharing between EU member states.

This directive comes at the right time as the number of cyber incidents globally is increasing. Cyprus is no exception, notes Andrey Leskin, CTO at Qrator Labs, a leading provider of cyber attack mitigation services. Almost half of local companies experienced a cyberattack in 2023, with half of the firms paying an average of €27,000. Among the most frequent types are DDoS attacks, which often target financial, ecommerce, IT, and telecom companies, and are very common in Cyprus. These companies experienced the largest number of L3-L4 DDoS attacks (network flooding) in Q2 2024, as per the latest report by Qrator Labs.

In light of the rising threats, the company recently became a member of ‘The TechIsland’, the biggest non-profit IT association in Cyprus, which aims to turn the country into a technology and innovation hub. Qrator Labs is now a contributing member, which means high involvement in its activities and plans to help local businesses improve their resilience to cyber threats and follow the new European legislation.

To improve their cybersecurity in line with the new Directive, companies have to start by outlining a threat model that evaluates both the likelihood and potential impact of cyber threats, Leskin says. This involves assessing historical incident data and analyzing threat intelligence from cybersecurity vendors. Potential financial and operational disruptions, compliance risks, and reputational damage should be considered when evaluating the impact. Equally important is developing an adversary model to understand the attackers’ motives, skills, and methods. ‘Organizations must identify threats from cybercriminals, insiders, or competitors and use market intelligence to assess their behaviors,’ Leskin notes.

Selecting the right tools for specific threats, such as DDoS attacks, phishing, or identity theft, is also a crucial step. Leskin cautions against relying on multi-purpose cybersecurity solutions, advising companies to prioritize specialized products tailored to each identified risk.

‘The rollout of NIS 2 marks a significant tightening of the EU's cybersecurity framework as the region grapples with escalating cyber threats. For businesses across Europe, particularly in sectors vulnerable to attack, swift action and strategic risk management will be essential to avoid costly breaches and ensure compliance with the new regulations,’ he concludes.