A new white paper from Patrick Donegan, Principal Analyst at Hardenstance, explains how telcos must respond to NIS2, the European Union cybersecurity directive that all member states will have to codify in law by October 2024. Like much of Donegan’s work, “Telco Security Takeaways from the NIS2 Directive” is a straightforward read that quickly and simply addresses the key essentials of the subject matter. His driving observation is that:
NIS2 substantially raises the bar in terms of what is expected for how telcos and other critical sectors of industry frame and execute on their cybersecurity operations
Some of the key points from Donegan’s analysis are:
- NIS2 will impose more substantial security obligations on telcos than anything that has gone before.
- The goal is to make the philosophy of risk management central to decisions about cybersecurity.
- Implementation of NIS2 could have counterproductive consequences if not handled with care.
- Improved vulnerability disclosure and threat intelligence sharing is likely to be one of the most important outcomes without NIS2 prescribing how this will be effected.
- It can be better to delay telling authorities about incidents than to give them inaccurate reports immediately.
- US hyperscalers must comply just like European telcos, helping to ensure fair treatment and equivalent outcomes.
Fines for non-compliance could potentially be worth 2 percent of a business’ worldwide annual turnover. As ever, we will have to see whether fines levied in practice come near to their theoretical upper limit, but the potential scale of penalties should grab the attention of executives. This will also reinforce the NIS2 stipulation that management will be held liable for their organization’s approach to cybersecurity and any infringements that result.
“Telco Security Takeaways from the NIS2 Directive” is a punchy and well-focused read. You can obtain it, free of charge and without needing to register, from here.



