What Will The NIS2 Directive Mean For Smaller Organisations?

The EU Directive on the security of Network and Information Systems, often shortened to NIS, was first established in July 2016. When introduced it encompassed two groups - the operators of essential services; and relevant digital service providers, with the aim to strengthen cybersecurity resilience.

While somewhat effective, NIS was seen to have limitations particularly the narrow scope of organisations covered.  This was addressed in January 2023, when the European Union adopted a new version of the Directive.

NIS2 expands the scope of entities covered from seven to 18, adding new sectors based on how crucial they are for the economy and society, broken into two categories - essential and important. Any essential organisations, with a headcount of over 250 or in excess of €50 million revenue; and important organisations with a headcount over 50 or in excess of €10 million revenue from the sectors identified in NIS2 will be directly included in the scope. That doesn’t mean small or micro-organisations are excluded.

Each member state can extend the scope to include any organisation (in the identified sectors) deemed to fulfil specific criteria that indicate a key role for society, the economy or for particular sectors or types of service.

All EU member states, and non members trading in the EU, will need to transpose NIS2 into national legislation by October 17, 2024. Although no longer bound by EU regulation, the UK government has confirmed it will also strengthen its NIS regulations.

What You Need To Know

Meeting the compliance standards for NIS2 will be vital for all organisations that fall within its scope, but particularly so for smaller organisations currently at the behest of hackers looking for easy wins. SMEs invariably pay ransoms at a higher rate due to the severe impact that cyber attacks have on the continuity of their business, because of their lack of recovery protocols. Forward thinking SMEs will focus on preventing attacks before they occur, weatherproofing their company against an increased pace of threat.

NIS operates on a principle-based approach, allowing cybersecurity to become a part of an organisation’s ‘business as usual,’ rather than operating on a set of prescriptive rules. This is similar to multiple international, consensus-driven standards, including ISO/IEC and others, that offer pathways for SMEs and other organisations to develop and implement cybersecurity programs. Organisations understand their business better than an outsider, therefore the principle-based approach allows organisations to make informed decisions on how best to tackle cybersecurity challenges. 

One important change is that, while NIS required significant cyber incidents to be reported, the updated Directive includes a timeline for reporting incidents.

Within 24 hours of identifying any incident with significant impact an early warning should be communicated to the competent authority or CSIRT. This should be followed after 72 hours with a full notification report including the assessment of the incident, severity and impact and indicators of compromise. A final report must be communicated within a month. While detecting incidents is obviously important, the onus for organisations should be on reducing the risks faced and preventing incidents in the first place.

Compliance Does Not Always Equate To Security

Compliance with NIS2 is mandatory, and failure to adhere can result in large fines. However, organisations should not be lulled into a false sense of security that by following frameworks or ticking boxes they are secure.  The reality is that, while adherence with NIS2 principles will strengthen defences, alone it does not equate to being secure. Compliance with the legislation is no substitute for maintaining strong cyber hygiene. The onus has to be on every organisation to implement secure working practices that protect their infrastructure and the sensitive data and critical systems contained.

True cybersecurity requires complete and holistic understanding of the risks that exist within the entire infrastructure. A preventative approach in Industrial cybersecurity is paramount to eliminate many of the core risks associated with the new trends and challenges that are present. When threat actors evaluate a company's attack surface, they're probing for the right combination of vulnerabilities, misconfigurations and identity privileges. 

To mitigate the risks, it is essential to gain full visibility into both IT and OT environments - of IT and OT assets, IoT, Building Management Systems, and everything in between, the interdependencies that exist for critical functionality, and determine where weaknesses and vulnerabilities exist. 

Knowing what is there is only part of the equation as it's imperative to understand how OT devices are interconnected and what interdependencies exist for critical functionality. With that intelligence, security teams then need to identify where weaknesses and vulnerabilities exist and prioritise those assets that could become possible attack paths. From this stance, steps can be taken to remediate the risks where possible, or monitor the assets related to the risk for deviations that could be indicators for attacks.

Gaining this broad visibility can be difficult, challenging security teams to conduct analysis, interpret the findings and identify what steps to take to reduce risk as quickly as possible. AI has the potential to address this. It can be used by cybersecurity professionals to search for patterns, explain what they’re finding in the simplest language possible, and decide what actions to take to reduce cyber risk.  AI is being harnessed by defenders to power preventative security solutions that cut through complexity to provide the concise guidance defenders need to stay ahead of attackers and prevent successful attacks. Harnessing the power of AI enables security teams to work faster, search faster, analyse faster and ultimately make decisions faster.
 
While regulatory compliance can be daunting, particularly for organisations who have never felt the weight of regulatory measures like this before, it is an important exercise. Knowing the adversary means organisations can anticipate cyber attacks, ensuring they are best positioned to defend against today’s emerging threats.

Hackers looking for low-hanging fruit will target smaller organisations whose security practices may be less mature. Raising the security bar should persuade them to move on and find another target.

Bernard Montel is EMEA Technical Director and Security Strategist at Tenable

Image: Ideogram

You Might Also Read: 

EU Updates Its Cyber Solidarity Act:

DIRECTORY OF SUPPLIERS - Governance, Risk & Compliance:

___________________________________________________________________________________________

If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible


« Data Compliance When Using MS Copilot
Two Sides Of AI In The Industrial Internet of Things »

Infosecurity Europe
CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

Applause

Applause

Applause provides real-world software testing for functionality, usability, accessibility, load, localization and security.

Forensic Control

Forensic Control

Forensic Control specialise in providing simple & straightforward Cyber Security to organisations, helping them assess, prevent and respond to cyber threats.

Momentum

Momentum

The Cyber Security team at Momentum offers a professional and specialist recruitment service across Cyber & IT Security.

ABB

ABB

ABB is a pioneering technology leader in industrial digitalization. Services include cyber security for industrial control systems IoT.

Zeneth Technology Partners

Zeneth Technology Partners

Zeneth is a consulting firm providing information technology and cybersecurity services to federal and commercial clients.

Government CSIRT - Chile

Government CSIRT - Chile

Government CSIRT is the Computer Security Incident Response Team for State networks and government cyberspace in Chile.

Pentera Security

Pentera Security

Pentera (formerly Pcysys) is focused on the inside threat. Our automated penetration-testing platform mimics the hacker's attack - automating the discovery of vulnerabilities.

NJVC

NJVC

NJVC delivers IT automation, optimization and security to empower mission-enabling IT for customers with secure requirements.

Lifetech

Lifetech

Lifetech is a software development, product engineering and system integration company. Cybersecurity services include SIEM deployment and training.

Crowe

Crowe

Crowe is a public accounting, consulting, and technology firm that combines deep industry and specialized expertise with innovation.

Apollo Information Systems

Apollo Information Systems

Apollo is a value-added reseller that provides our clients with the complete set of cybersecurity and networking services and solutions.

Symbol Security

Symbol Security

Through situational learning, simulations, and a gamified user experience, Symbol strengthens the cyber awareness of employees and helps companies lower cyber risk.

Womble Bond Dickinson

Womble Bond Dickinson

Womble Bond Dickinson is a transatlantic law firm, providing high-quality legal experience and outstanding personal service from key locations across the United Kingdom and United States.

Keytos

Keytos

Keytos has revolutionized the Identity Management and PKI industry by creating cryptographic tools that allow you to go password-less by making security transparent to the user.

Sage IT

Sage IT

Sage IT offer a wide range of professional and consulting services to help organizations overcome the challenges of today's ever-changing business environment.

Scope AI

Scope AI

Scope AI is an innovative technology company specializing in quantum security and machine learning.