The Network and Information Security (NIS) Directive was designed to strengthen cybersecurity in organisations across European Union (EU) states. That directive is now being updated. The NIS2 legislation aims to increase cyber resilience and improve the EU’s level of preparedness in managing cyberattacks. Organisations within scope must act promptly to comply with NIS2, as well as to bolster their defences against cyber risks.
Indeed, as the threat landscape continues to evolve and cyberattacks become increasingly sophisticated, compliance with the updated NIS2 legislation is critical. The UK government’s 2023 cybersecurity breaches survey, which asked UK organisations about cyberattacks they had experienced in the preceding 12 months, estimates that across all UK businesses, approximately 2.39 million cybercrimes occurred during that period.
This staggering volume of cyber incidents shows — if proof was needed — just how essential effective security measures are today. A collective approach, guided and enforced by stricter regulations and penalties, is vital to mitigating some of the most pressing cybersecurity challenges today.
What is NIS2?
NIS2 is an update to the original NIS directive, which was introduced in 2016. The new incarnation sets out to modernise the legal framework in line with increased digitisation and the evolving cyber threat landscape. It also extends the scope of the cybersecurity legislation to include more organisations and entities.
NIS2 came into force in January 2023 and must be incorporated into the national laws of EU member states by 17 October 2024. UK organisations within scope must comply with the directive if they operate in the EU.
What does NIS2 mean for companies?
NIS2 aims to harmonise and strengthen cybersecurity across Europe. It bolsters and streamlines reporting requirements through a risk management approach. It also introduces the need to assess cybersecurity risks in a company’s supply chains and supplier relationships.
NIS2 also emphasises improving cybersecurity awareness by exchanging relevant information among impacted organisations and any necessary third parties in their supply chains. This information includes threats, vulnerabilities, tactics, techniques and procedures, and indicators of compromise. Notification obligations have also been extended.
Which companies fall under the scope of NIS2?
The NIS2 legislation applies to ‘essential entities’ in energy, transport, finance, health, water, public administration, space and digital infrastructure. It also applies to ‘important entities’ in postal services, waste management, chemicals, food, research, manufacturing and digital providers. All entities must meet the same requirements, but different supervisory measures and penalties apply.
However, NIS2 is an opportunity for all organisations to reappraise their cybersecurity approaches and move from reactive to proactive risk management. It also provides a framework against which companies can effectively assess their operations and capabilities. The directive extends consideration beyond organisations themselves to include supply chains and partners, making now the ideal time for all organisations to expand cybersecurity thinking to whole ecosystems.
Cyber threats will continue to intensify and become more sophisticated, so organisations should take every cue to expand their awareness and increase their measures. Laws and regulations in this area will continue to become more stringent and far-reaching, so businesses must equip themselves now to avert a potential compliance debt that would be difficult to overcome in the long term. Through NIS2 compliance, organisations can adopt an optimal security posture to protect their data, identities and infrastructures.
What must companies do to be NIS2 compliant?
All organisations must have cybersecurity strategies and plans that they review regularly and maintain. An effective approach for achieving this is to use the NIST Cybersecurity Framework (CSF) as a baseline. This set of architecture guidelines was developed by the US National Institute of Standards and Technology and defines five pillars: identify, protect, detect, respond and recover.
To implement a defence-in-depth as recommended by NIST, organisations need strong identity and access management (IAM) and data access governance (DAG). IAM solutions help govern identities and limit access to data, systems and applications according to the principle of least privilege to prevent inappropriate access. Strict password policies and rigorous control of privileged accounts are also vital components of IAM.
DAG solutions, meanwhile, help organisations identity what sensitive data they have, where it is stored and who has access to it, so they can put effective measures in place to protect it. DAG extends to continuous auditing to spot any suspicious activity around this data, such as changes to identities, the integrity of systems or the status of security. Any of these could indicate an attack in progress. Prepared companies will have customisable, automated response options in place so they can immediately block active threats to minimise their impact and enable rapid recovery.
Conclusion
NIS2 updates cybersecurity requirements for organisations operating in the EU. Companies must take advantage of all solutions at their disposal to identify and mitigate cybersecurity risks. Regulatory compliance is non-negotiable for covered entities, of course, but all organisations can treat the revised directive as an opportunity to improve their cyber hygiene, understand the risks associated with their extended supply chain and ecosystem, and protect their cyber infrastructure against constantly evolving threat.
Dirk Schrader is Field CISO (EMEA) and VP of Security Research at Netwrix. As a 25-year veteran in IT security with certifications as CISSP (ISC²) and CISM (ISACA), he works to advance cyber resilience as a modern approach to tackling cyber threats. As the VP of Security Research, Dirk is working on focused research for specific industries like healthcare, energy or finance. As the Field CISO EMEA he ‘speaks the language’ of Netwrix’ customers and prospects to facilitate a fit for purpose solution delivery.