
Why Crisis Communication Needs End-to-End Encryption

Explore how NIS2 regulations are reshaping crisis communication and why end-to-end encryption, traceability, and fallback channels are now essential for compliance and cyber resilience.

Last year, the world experienced 3205 cyberattacks and data breaches, and the biggest attack exposed more than 3 billion user accounts. As organizations step up their cybersecurity efforts, they must also ensure compliance with emerging regulations. Newly implemented laws like the NIS2 (Network and Information Systems Directive) now focus not just on external or customer-facing protocols and incident management, but also on securing internal communication processes and records.

In this article, we will explore how these regulations are reshaping crisis communication and what organizations must do to safeguard collaboration during an emergency.

Crisis Communication and the Rise of Cyber Regulation

The General Data Protection Regulation (GDPR) and the NIS2 Directive are two important laws designed to protect data and ensure business resilience and continuity. While GDPR mandates measures to ensure data privacy and security at all times, including during a crisis, the NIS2 focuses specifically on cybersecurity and establishes rules for crisis communication.

As the cyber risk landscape continues to escalate, it is evident that timely and comprehensive internal communication and coordination are crucial for effectively handling an adverse event. Effective incident response requires teams to share sensitive information, and an attack on the communication channels used can further exacerbate the crisis.

NIS2 emphasizes board oversight and accountability in crisis management. Senior executives and board members are now held responsible for ensuring emergency response protocols are secure, traceable and transparent. This puts the spotlight on internal communications as well as external or customer-facing engagement.

What NIS2 Expects from Organizational Communication

The NIS2 establishes some clear rules for corporate crisis communication processes, focused on response time, audit-ready documentation and secure communication channels.

Incident Reporting Time 

The NIS2 requires organizations to report significant cybersecurity incidents in three phases:

1. Early Warning
  • Companies must submit an early warning to the relevant authority or the national Computer Security Incident Response Team (CSIRT) within 24 hours of an incident.
  • This report must inform the authorities whether the incident was caused by an illegal or malicious act and whether it could have cross-border ramifications.
  • The intent is to quickly contain the spread of a threat and minimize its impact.

2. Incident Notification
  • This report must be submitted within 72 hours of the organization becoming aware of an incident.
  • It must be detailed and provide an initial assessment of the severity of the event as well as its possible impact.
  • It must also include any available indicators of compromise.
  • The organization must report the event to law enforcement authorities if it was criminal in nature.

3. Final Report
  • This must be submitted within one month of the initial notification.
  • It must provide a detailed description of the incident, including:
    • Cause
    • Severity
    • Impact
    • Completed and ongoing response and mitigation efforts
    • International implications and impact

Organizations must also report any significant cyber threat that they suspect may cause a serious breach. The NIS2 categorizes a threat as significant if it meets these conditions:

  • Potential to cause material operational disruption or financial losses.
  • Potential to cause significant material or immaterial damage to natural or legal persons.

Audit-Ready Documentation

  • NIS2 mandates auditable records of all communications during a crisis to ensure transparency and compliance.
  • These records must be easily accessible for review by regulators or internal auditors.
  • This underscores the need for secure, traceable enterprise communication tools, as consumer messaging applications may not accurately capture or log extensive messaging trails.

Multi-Factor Secure Access

  • The NIS2 mandates strong security measures including end-to-end encryption and multi-factor authentication for internal communication. This requires a robust communication system that can protect voice, video and text communications, as well as files and documents.
  • It also stresses the importance of robust role-based access protocols. 
  • Multi-factor authentication adds an additional layer of security, making it more difficult for cybercriminals to infiltrate systems and tamper with crisis-related communications.

The Danger of Unencrypted Channels During a Crisis

How safe is a communications channel? The truth is that even platforms that claim to be encrypted and fully secure have serious vulnerabilities that attackers can exploit. For example, China’s Salt Typhoon campaign against US telecom providers, hotels and airlines exposed national security data and information on political leaders. The attackers used sophisticated tooling and tactics to breach defences, and successfully exploited the existing backdoor portals that government and intelligence agencies use for lawful surveillance.

Despite their claims of robust cybersecurity measures, almost all consumer messaging apps, and even enterprise communication platforms like Slack or Microsoft Teams, have security blind spots built into their architecture.

Even without intentional security gaps, most communication platforms, including Zoom, Slack and MS Teams, do not ensure end-to-end encryption. To count as fully encrypted, the platform must protect data at rest as well as in transit, and the data must be encrypted on the sender’s device and decrypted only when it reaches the intended recipient, so that the platform itself never handles the plaintext. If the platform or tool does not ensure this level of complete encryption, the gaps in coverage can be exploited. Unauthorized or malicious access to sensitive information shared during a crisis will undoubtedly make a bad situation much worse.

End-to-End Encryption: Not Just for Messaging 

When it comes to protected emergency communication, the confidentiality of conversations and files is only one piece of the puzzle. You must also consider the full extent of cybersecurity measures in place, regulatory requirements, and user experience: 

Robust Encryption – Consider the level of encryption your tool ensures. Check whether there are any backdoor vulnerabilities that can be exploited. Wire uses advanced encryption measures like the Proteus Protocol to protect every message and file. This means that all data shared on our platform is encrypted with a unique key. We also offer multi-device support, so users can seamlessly access their messages across devices to ensure quick and uninterrupted coordination. Wire also uses the Messaging Layer Security (MLS) Protocol to secure group conversations.

Zero Trust, Role-Based Access Controls – What happens if a hacker manages to breach the platform’s defences and gain access to files and discussions? On a consumer app like WhatsApp or Signal or even MS Teams and Slack this is likely to lead to a serious data breach. In addition to end-to-end encryption, the platform must also operate on a zero-trust architecture that guarantees role-based access controls. So, even if it is hacked, bad actors cannot get hold of any sensitive information. 

Usability – The question is, do such advanced security measures hinder usability? And the answer is an emphatic no. We ensure delightfully invisible security: our platform ensures the maximum protection for your discussions, files, and calls, without sacrificing user experience. We believe this is critical to prevent teams from resorting to unofficial, unapproved communication channels simply because they are easy to use.

Fallback Communication – What if a cyberattack compromises your corporate network or affects service providers? You need a platform that ensures out-of-band, fallback communications. Wire works independently of corporate networks and even mobile networks, allowing teams to collaborate in real time and asynchronously.

Traceability – The NIS2 mandates auditable records of every message sent during a crisis. Your communication platform must be able to store all incident-related conversations, call logs, and files. Wire stores detailed logs of all incident management discussions and files, which can be easily retrieved for compliance purposes.

Conclusion

The modern enterprise landscape is highly digital and interconnected, and a cybersecurity breach can snowball into a huge incident without effective mitigation strategies. Secure incident response communication is quickly becoming a strategic priority, driven by regulatory requirements and a better understanding of the vulnerabilities in collaboration and messaging platforms. End-to-end encryption, multi-factor authentication, and auditable records of communication are key requirements under the NIS2, and enterprises must take a proactive approach to ensuring secure and compliant crisis communication strategies.

Discover more about securing your crisis communication strategy to comply with regulations like NIS2. Download our whitepaper on “The Critical Role of Secure Communications in NIS2 Compliance”.

Wire

As a leader in secure communication, we empower businesses and government agencies with expert-driven content that helps protect what matters. Stay ahead with industry trends, compliance updates, and best practices for secure digital exchanges.
