https://www.helpnetsecurity.com/2023/11/24/nis2-directive-compliance/
Kennet Harpsøe, Senior Cyber Analyst, LogPoint
November 24, 2023

NIS2 AND ITS GLOBAL RAMIFICATIONS

The Network and Information Systems Directive (NIS2), which EU member states must transpose into national law by October 2024, seeks to improve cyber resilience in the European Union (EU). Its effects are likely to be wider reaching, though, bringing in more stringent processes and controls and redefining how services are provisioned to organizations that are deemed nation-critical.

The directive will have teeth: it imposes strict penalties for non-compliance on both the business and its senior management, who can be held directly accountable and barred from holding similar positions in the future. It also aims to increase intelligence sharing between member states and to enhance supply chain security. This latter measure is what gives the directive its global impact.

NIS2 is much wider in scope than its predecessor: all entities, including in certain sectors small and micro businesses, that are deemed to play an important or essential role in a member state are now covered. Yet organizations outside its jurisdiction may find themselves required to comply by association, including non-EU providers that supply services to EU entities in scope.

SUPPLIERS WILL GET SUCKED IN

Under Article 21, in-scope organizations must put cybersecurity risk-management measures in place, and Article 21(2)(d) is specific to supply chain security. It requires entities to account for the vulnerabilities specific to each direct supplier and service provider, and for the quality of their products and cybersecurity practices, drawing on both internal assessments and the coordinated risk assessments of critical supply chains carried out at EU level. So a non-EU provider of operationally critical products or services selling to an EU-based business classed as important or essential would be in scope.
We can expect buyers and providers to write these risk assessments, along with other NIS2 elements such as incident reporting procedures, into future contracts. The reporting obligations are strict: an early warning must reach the relevant authority within 24 hours of becoming aware of a significant incident, a fuller incident notification within 72 hours, and a final report no later than one month after that notification. Implementing the additional measures could prove costly, with reports suggesting that the cost of compliance may rise by 22% for organizations not previously subject to NIS1. So how can organizations preparing for NIS2 control that spending?

ACHIEVING COMPLIANCE THROUGH OTHER STANDARDS

Firstly, while NIS2 is wide-ranging, covering risk management, cybersecurity best practices and business continuity/disaster recovery (BC/DR), many of its requirements, such as maintaining an information security management system (ISMS), can be met by virtue of compliance with other standards. Most of the requirements map to the cybersecurity and risk standard ISO27001 and the remainder to the BC/DR standard ISO22301; organizations with IT/OT environments can also draw on IEC62443. It is also worth noting that where a sector-specific EU legal act such as DORA or PSD2 already imposes at least equivalent cybersecurity or incident-reporting obligations, that act takes precedence (Article 4), so there is no need to duplicate effort.

Similarly, many of the controls can be performed using existing systems without reinventing the wheel. Security information and event management (SIEM) is a practical prerequisite, for example, providing the centralized log management and the ability to detect and respond to incidents that the directive expects. Businesses without a modern SIEM in place can outsource this capability to a managed security services provider (MSSP).
Determining what is needed will require a gap analysis that examines the requirements of NIS2 against the security measures already in place, and some areas will require extra legwork. From a technology perspective, for example, cryptography and encryption are a significant focus in NIS2 in their own right (Article 21(2)(h) calls for policies and procedures on their use), rather than only in relation to specific controls. Strategically, there is also more emphasis on the role of senior management in spearheading risk awareness throughout the business. And because NIS2 is partly a risk-based regulation, assessments must be performed continuously, much as under ISO27001.

WHY NIS2 IS NECESSARY

NIS2 is undisputedly an important turning point and a response to a growing cyber threat to national interests. We have seen Russia use Ukraine as a cyber range in which to test cyber weapons, and nation-state-sponsored attacks are growing, with the majority of APTs now attributed to Russia, China, Iran or North Korea. Meanwhile, the FBI warned in September that fluctuating energy prices could well see attacks against critical national infrastructure increase in the US, revealing how interdependent the markets are.

So, given that NIS2 is a sign of the times, is it likely to be adopted elsewhere? In the UK, which still operates its own NIS Regulations 2018 derived from the original directive, it is thought unlikely that NIS2 will be adopted verbatim, although amendments have been announced, such as extending the regulations to managed service providers (MSPs) to help protect the critical businesses they serve. That said, the UK government also intends to give itself the power to update the NIS regulations in the future to ensure they remain effective. We could see NIS2 become a trailblazer, much as GDPR was for data protection regulations, giving nations a blueprint on how to protect the organizations that are critical to their economies.
The directive sets the bar higher with respect to security, effectively creating a new minimum baseline and quicker response reporting that will make it much harder for a cyberattack to severely impact the functionality of a state. It’s an ambitious undertaking and one that will have widespread repercussions – and not just for those within the EU.

More about: compliance, cyber resilience, cybersecurity, EU, LogPoint, opinion, risk assessment

© Copyright 1998-2023 by Help Net Security