DeNexus Blog - Industrial Cyber Risk Quantification

SEC S-K in the U.S.; NIS2 Directive in the EU – How do they compare?

Written by Isabelle Dumont | Oct 29, 2024 12:57:32 AM

SEC Regulation S-K came into effect in December 2023, impacting corporations listed with the SEC in the U.S. market. As of October 2024, the most recent iteration of the NIS2 Directive is in force in the European Union.

Both regulations address cybersecurity and cyber risk compliance but have different objectives. S-K addresses the need for corporate disclosures and cyber risk governance, while NIS2 focuses on cybersecurity risks and critical infrastructure protection.

Comparison of U.S. SEC Regulation S-K vs. EU NIS2 Directive

| | SEC Regulation S-K | NIS2 Directive |
|---|---|---|
| Objective(s) | Standardizes cyber incident disclosures and requirements for cyber risk governance for publicly traded companies in the U.S. | Ensure and harmonize the level of cyber resilience of critical infrastructure and essential services in the EU by requiring a standard level of cybersecurity measures (controls and incident response). |
| Geographic Application | United States | European Union |
| Issuer | U.S. Securities and Exchange Commission (SEC) | European Commission and national authorities within the EU |
| Targeted Companies | Publicly traded companies | Critical sectors such as energy, healthcare, finance, transportation, and digital infrastructure |
| Focus | Incident disclosure requirements; governance of cyber risks | Cybersecurity governance, incident preparedness and reporting |
| Reporting Methods | 72-hour disclosure of material cyber incidents in Form 8-K; Form 10-K financial filings for risk governance | Mandatory notification of cybersecurity incidents within 24-72 hours; security posture assessments |
| Risk Management | Disclosure of risk management measures and governance affecting financial performance | Proactive management of cyber threats, requiring cybersecurity frameworks and policies |
| Penalties | Regulatory fines, potential delisting for non-compliance | Financial penalties, public sanctions for non-compliance |

As the regulator behind S-K in the U.S., the SEC is naturally focused on financial transparency, corporate governance, and the materiality of incidents and risks, with the aim of protecting investors. NIS2 zeroes in on cybersecurity resilience, mandating security controls, incident reporting, and risk management for critical infrastructure. NIS2 also pursues the harmonization of cybersecurity across the EU for critical services.

The SEC’s intent to enforce the new cybersecurity regulation is demonstrated by its recent claims against four companies related to the SolarWinds incident—all of which settled for a combined penalty of $7 million. NIS2 still faces adoption challenges among the 27 EU members: only two member states have transposed the directive into law before the deadline, and another 23 are expected to follow shortly.

DeNexus helps industrial corporations understand and measure their risks to determine materiality, and also supports the risk governance requirements of SEC S-K. Outputs from our platform, DeRISK™, inform compliance with the controls required by NIS2.

Contact us for more information or a demo.