The NIS2 Essential Insights Every Organization Should Know

Marcos Colón

September 05, 2024

A major deadline is coming up for the Network and Information Security Directive (NIS2), the latest cybersecurity regulation in the European Union (EU). By October 17, all EU members will have passed legislation that transposes NIS2 into national law, putting the directive on a path to be the single most important cybersecurity framework for companies doing business in Europe.

In a recent conversation with Raphaël Peyret, director of product management, cloud security, at Bitdefender, we discussed the impact of the NIS2 directive on companies and the key steps they need to take to ensure compliance in 2024. Here are the key questions you need answers to:

What is the goal of NIS2?

NIS2 is a legislative act passed by the EU that strives to define and enforce a high common level of cybersecurity across member nations. While much of the act applies to EU countries and their national cybersecurity entities, NIS2 has two major requirements for private organizations: implement a risk management strategy (Article 21) and report significant cybersecurity incidents that could lead to downtime – regardless of whether the cause is malicious or accidental (Article 23). Article 21 of the directive lists specific areas and technologies that organizations must cover – including risk analysis, incident handling, business continuity, network security, encryption, access control, asset management, multi-factor authentication (MFA) and others.

Who is impacted by NIS2?

NIS2 applies to mid-size companies and large enterprises and outlines 18 industries that are subject to the directive. These include 11 sectors of high criticality: energy, transportation, banking, financial market infrastructures, health, drinking water, wastewater, digital infrastructure, managed service providers (including managed security service providers), public administration and space. While NIS2 applies to any organization that operates in these sectors, some industries may be subject to more robust compliance requirements through additional legislation, such as the Digital Operational Resilience Act (DORA), which applies to the financial sector. Each EU member state will publish a list of entities subject to NIS2 and additional legislation. These lists are due by April 17, 2025, and may require organizations to self-register – so compliance officers need to do their due diligence to determine how they will be impacted.

How does NIS2 relate to General Data Protection Regulation (GDPR)?

NIS2 is an additional piece of legislation that applies on top of, and separately from, GDPR. GDPR focuses on consumer privacy, outlining basic safeguards that companies need to implement to protect customer data. NIS2 relates to the cybersecurity infrastructure itself, making sure companies are employing robust cybersecurity strategies that have been proven to stop malicious actors from penetrating endpoints and networks.

What challenges will organizations face when trying to meet NIS2 requirements?

NIS2 was written specifically to give member countries the ability to build on top of the NIS2 baseline when regulating local businesses, either by providing more specific guidance or by adding requirements. That’s great, but the lack of specific guidelines introduces a lot of vagueness and uncertainty into compliance efforts. Risk management can mean many different things, at varying degrees of effectiveness. It’s the same with incident reporting: does every alert need to be disclosed, or only successful breaches?

Should reporting be done only to the national reporting entity or should affected users or customers be notified as well? And what counts as successful or significant? There is a lot of ambiguity that companies are going to need to address.

So, how can organizations make sure they are compliant?

Article 21 of NIS2 outlines specific processes and technologies that need to be implemented. These are:

  • Policies on risk analysis and information system security: Organizations must develop and maintain comprehensive policies that address risk analysis and overall information system security. This ensures a systematic approach to handling risk and security so that potential threats are identified and mitigated promptly.
  • Incident handling: Establish clear procedures for managing and responding to cybersecurity incidents. This includes immediate response actions, containment measures, communication and post-incident analysis to prevent future occurrences.
  • Business continuity, such as backup management, disaster recovery, and crisis management: Organizations need to implement strategies for quickly recovering or maintaining operations during disruptions, including robust backup management, disaster recovery plans, and crisis management protocols to ensure resilience.
  • Supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers: This requirement emphasizes the importance of securing the entire supply chain, ensuring that security practices are consistently applied by all suppliers and service providers to prevent vulnerabilities.
  • Security in network and information systems acquisition, development, and maintenance, including vulnerability handling and disclosure: Organizations must integrate security practices throughout the lifecycle of network and information systems, from procurement to maintenance, and include procedures for managing and disclosing vulnerabilities. Organizations that develop software must also integrate security into their development lifecycle.
  • Policies and procedures to assess the effectiveness of cybersecurity risk-management measures: Regular assessments of the effectiveness of cybersecurity measures are required to ensure that risk management strategies are operating as intended and adapting to new threats.
  • Basic cyber hygiene practices and cybersecurity training: Organizations must implement fundamental cybersecurity practices and provide ongoing training to ensure all employees understand and follow best practices.
  • Policies and procedures regarding the use of cryptography and, where appropriate, encryption: Strong cryptography policies must be in place, including the use of encryption where necessary, to protect sensitive information and communications.
  • Human resources security, access control policies, and asset management: This encompasses all aspects of Identity and Access Management (IAM), ensuring that only authorized personnel have access to critical systems and that all assets are accounted for and secured.
  • The use of multi-factor authentication or continuous authentication solutions, secured voice, video, and text communications, and secured emergency communication systems within the entity, where appropriate: Implementing robust authentication mechanisms and securing all forms of communication within the organization are critical to preventing unauthorized access and ensuring secure operations during emergencies.

The good news is that most organizations are already doing something around risk management and incident reporting – either as a best practice or as part of another compliance effort. ISO 27001 and SOC 2 cover many of the same risk management requirements as NIS2, and, I’d venture to guess, if you’re compliant with either of those standards, you’re going to have no problem complying with whatever requirements are outlined in NIS2 or the accompanying national legislation. For incident reporting, most organizations will find that the NIS2 requirements – specifically the requirement of a 24-hour early warning notification – are more demanding than their existing capabilities, which may need to be reconsidered. Regardless, it would be extremely beneficial to reach out to your national cybersecurity agency to get information about the specific laws in your country.

What can organizations do in the meantime?

As you prepare for NIS2 and other emerging regulations, it's crucial to consider how your cybersecurity partners can support you in achieving compliance and strengthening your overall security posture. The right partner not only equips you with advanced capabilities like real-time detection and response across endpoints and cloud environments, but also offers proactive measures such as penetration testing and red teaming to identify vulnerabilities before they are exploited. Additionally, managing and securing your cloud posture and extending detection and response across your entire IT landscape are critical components of a comprehensive security strategy. By choosing a partner with deep expertise and a robust suite of services tailored to your needs, you can ensure your organization is well-prepared for compliance and protected against emerging threats.

However, it’s not just about internal operations. The security posture of your entire supply chain is equally critical. In today’s interconnected business landscape, ensuring that your suppliers, distributors, and other partners maintain appropriate security controls is essential. This may involve difficult conversations and a thorough assessment of the security measures in place throughout the product’s lifecycle, but it’s a vital step to prevent potential vulnerabilities from affecting your organization.

As you navigate these challenges, consider how your cybersecurity partners can support you in achieving these goals. Whether it's enhancing your visibility, strengthening your supply chain security, or preparing for future regulations like NIS2, choosing a partner with deep expertise and a comprehensive approach can make all the difference.

Ultimately, NIS2 compliance will come down to a close partnership between your organization, the local governing entity and your cybersecurity partners and vendors.

Marcos Colón

By leveraging his background as a journalist and editor, Marcos Colón has been specializing in cybersecurity content creation for over a decade. Known for his proficiency in communicating complex topics effectively, he bridges the gap between technical aspects and audience understanding. His interviewing skills and commitment to creating engaging narratives have made him a distinctive voice in the cybersecurity sphere.
