What Will The NIS2 Directive Mean For Smaller Organisations?

The EU Directive on the security of Network and Information Systems, often shortened to NIS, was first established in July 2016. When introduced, it encompassed two groups, the operators of essential services and relevant digital service providers, with the aim of strengthening cybersecurity resilience.

While somewhat effective, NIS was seen to have limitations, particularly the narrow scope of organisations covered. This was addressed in January 2023, when the European Union adopted a new version of the Directive.

NIS2 expands the scope of entities covered from seven to 18, adding new sectors based on how crucial they are for the economy and society, broken into two categories: essential and important. Essential organisations with a headcount of over 250 or in excess of €50 million revenue, and important organisations with a headcount over 50 or in excess of €10 million revenue, from the sectors identified in NIS2 will be directly included in the scope. That doesn’t mean small or micro-organisations are excluded.

Each member state can extend the scope to include any organisation (in the identified sectors) deemed to fulfil specific criteria that indicate a key role for society, the economy or for particular sectors or types of service.

All EU member states, and non-members trading in the EU, will need to transpose NIS2 into national legislation by October 17, 2024. Although no longer bound by EU regulation, the UK government has confirmed it will also strengthen its NIS regulations.

What You Need To Know

Meeting the compliance standards for NIS2 will be vital for all organisations that fall within its scope, but particularly so for smaller organisations currently at the mercy of hackers looking for easy wins. SMEs invariably pay ransoms at a higher rate because their lack of recovery protocols makes the impact of cyber attacks on business continuity so severe. Forward-thinking SMEs will focus on preventing attacks before they occur, weatherproofing their company against an increased pace of threat.

NIS operates on a principle-based approach, allowing cybersecurity to become a part of an organisation’s ‘business as usual’ rather than operating on a set of prescriptive rules. This is similar to multiple international, consensus-driven standards, including ISO/IEC and others, that offer pathways for SMEs and other organisations to develop and implement cybersecurity programs. Organisations understand their business better than an outsider does, so the principle-based approach allows them to make informed decisions on how best to tackle cybersecurity challenges.

One important change is that, while NIS required significant cyber incidents to be reported, the updated Directive includes a timeline for reporting incidents.

Within 24 hours of identifying any incident with significant impact, an early warning should be communicated to the competent authority or CSIRT. This should be followed after 72 hours with a full notification report including an assessment of the incident, its severity and impact, and indicators of compromise. A final report must be communicated within a month. While detecting incidents is obviously important, the onus for organisations should be on reducing the risks faced and preventing incidents in the first place.

Compliance Does Not Always Equate To Security

Compliance with NIS2 is mandatory, and failure to adhere can result in large fines. However, organisations should not be lulled into a false sense of security, believing that by following frameworks or ticking boxes they are secure. The reality is that, while adherence to NIS2 principles will strengthen defences, on its own it does not equate to being secure. Compliance with the legislation is no substitute for maintaining strong cyber hygiene. The onus has to be on every organisation to implement secure working practices that protect their infrastructure and the sensitive data and critical systems it contains.

True cybersecurity requires a complete and holistic understanding of the risks that exist within the entire infrastructure. A preventative approach in industrial cybersecurity is paramount to eliminate many of the core risks associated with the new trends and challenges that are present. When threat actors evaluate a company's attack surface, they're probing for the right combination of vulnerabilities, misconfigurations and identity privileges.

To mitigate the risks, it is essential to gain full visibility into both IT and OT environments, covering IT and OT assets, IoT, Building Management Systems and everything in between, to map the interdependencies that exist for critical functionality, and to determine where weaknesses and vulnerabilities exist.

Knowing what is there is only part of the equation, as it's imperative to understand how OT devices are interconnected and what interdependencies exist for critical functionality. With that intelligence, security teams then need to identify where weaknesses and vulnerabilities exist and prioritise those assets that could become possible attack paths. From this position, steps can be taken to remediate the risks where possible, or to monitor the assets related to the risk for deviations that could be indicators of attack.

Gaining this broad visibility can be difficult, challenging security teams to conduct analysis, interpret the findings and identify what steps to take to reduce risk as quickly as possible. AI has the potential to address this. It can be used by cybersecurity professionals to search for patterns, explain what they’re finding in the simplest language possible, and decide what actions to take to reduce cyber risk. AI is being harnessed by defenders to power preventative security solutions that cut through complexity to provide the concise guidance defenders need to stay ahead of attackers and prevent successful attacks. Harnessing the power of AI enables security teams to work faster, search faster, analyse faster and ultimately make decisions faster.
 
While regulatory compliance can be daunting, particularly for organisations that have never felt the weight of regulatory measures like this before, it is an important exercise. Knowing the adversary means organisations can anticipate cyber attacks, ensuring they are best positioned to defend against today’s emerging threats.

Hackers looking for low-hanging fruit will target smaller organisations whose security practices may be less mature. Raising the security bar should persuade them to move on and find another target.

Bernard Montel is EMEA Technical Director and Security Strategist at Tenable
