URL: https://www.helpnetsecurity.com/2023/11/24/nis2-directive-compliance/
NIS2 AND ITS GLOBAL RAMIFICATIONS

The Network and Information Systems Directive (NIS2), due to come into effect in
October 2024, seeks to improve cyber resilience in the European Union (EU). Its
effects are likely to be wider reaching, though, bringing in more stringent
processes and controls and redefining how we provision services to organizations
that are deemed nation-critical.

The mandatory directive will have teeth, with strict penalties for
non-compliance for both the business and senior board personnel, who can be held
directly accountable and prevented from holding similar positions in the future.
It also aims to increase intelligence sharing between member states and enhance
supply chain security. This latter measure will see the directive have a global
impact.

NIS2 is much wider in scope than its predecessor: all businesses – including
small and micro businesses – that are deemed to have an important or essential
role in a member state are now covered. Yet those outside of its jurisdiction
may find themselves required to comply by association, including those outside
the EU that are supplying services to the EU.


SUPPLIERS WILL GET SUCKED IN

Under Article 21, organizations must put cybersecurity risk measures in place,
and Section 21(2)(d) is specific to supply chain security. It details the need
to conduct internal and coordinated risk assessments to establish
vulnerabilities specific to suppliers, service providers, and their
cybersecurity solutions and processes. So, a non-EU-based provider of
operationally critical products or services selling to a business classed as
important or essential and based in the EU would be in scope.

We can expect buyers and providers to incorporate these risk assessments, as
well as other elements associated with NIS2 such as incident reporting
procedures, into future contracts. There are strict reporting obligations, with
a compulsory early warning immediately following a breach, which must be
communicated to the relevant authority within 24 hours. A full notification
report is required to be filed after 72 hours, and a final report a month later.

However, implementing additional measures could prove costly, with reports
suggesting the cost of compliance may rise by 22% for those not previously
subject to NIS1. So how can organizations that must prepare to meet NIS2 control
spending?


ACHIEVING COMPLIANCE THROUGH OTHER STANDARDS

Firstly, while NIS2 is wide-ranging, covering risk management, cybersecurity
best practices, and business continuity/disaster recovery (BC/DR) elements, it
includes several requirements, such as for an ISMS (information security
management system) that can enable the organization to comply by virtue of other
standards.

Most of the requirements can be mapped to the cybersecurity and risk management
standard ISO 27001 and the remainder to the BC/DR standard ISO 22301. At the same
time, those with IT/OT environments can also draw on IEC 62443, for example. It’s
also important to note that where an EU legal act such as DORA or PSD2 is already
being observed with respect to cybersecurity or incident response, that act takes
precedence, so there is no need to duplicate effort.

Similarly, many of the controls can be performed using existing systems without
the need to reinvent the wheel. Security information and event management (SIEM)
is a prerequisite, for example, to provide centralized log management and the
ability to detect and respond to incidents. Businesses without a next-gen SIEM in
place can opt to outsource this capability via a managed security services
provider (MSSP).

Determining what is needed will require gap analysis by closely examining the
requirements of NIS2 against the current security measures already in place, and
there will be some areas that require extra legwork.

For example, from a technology perspective, cryptography and encryption are a
significant focus in NIS2 in their own right, rather than in relation to
specific controls. Strategically, there is also more emphasis on the role of
senior management in spearheading risk awareness throughout the business. Plus,
as NIS2 is partly a risk-based regulation, it will require assessments to be
performed continuously, much like ISO27001.


WHY NIS2 IS NECESSARY

NIS2 is undisputedly an important turning point and a response to a growing
cyber threat to national interests. We’ve seen Russia use Ukraine as a cyber
range in which to test cyber weapons, and nation-state-sponsored attacks are
growing, with the majority of APTs now attributable to Russia, China, Iran, or
North Korea.

Meanwhile, the FBI warned in September that fluctuating energy prices could well
see attacks against critical national infrastructure increase in the US,
revealing how interdependent the markets are.

So, given that NIS2 is a sign of the times, is it likely to be adopted
elsewhere? In the UK, which continues to comply with NIS1, it’s thought unlikely
that NIS2 will be adopted verbatim, although amendments have been made, such as
the extension of the regulations to include managed service providers (MSPs) to
help protect the critical businesses they serve. That said, the UK government
also gave itself the power to amend the NIS regulations in the future to ensure
they remain effective.

We could see NIS2 become a trailblazer, much like GDPR was for data protection
regulations, giving nations a blueprint on how to protect the organizations that
are critical to their economies. The directive sets the bar higher with respect
to security, effectively creating a new minimum baseline and quicker response
reporting that will make it much harder for a cyberattack to severely impact the
functionality of a state. It’s an ambitious undertaking and one that will have
widespread repercussions – and not just for those within the EU.
© Copyright 1998-2023 by Help Net Security