What Will The NIS2 Directive Mean For Smaller Organisations?

Uploaded on 2024-04-02 in TECHNOLOGY--Resilience, NEWS-Cybersecurity News, FREE TO VIEW, BUSINESS-Services-Law

The EU Directive on the security of Network and Information Systems, often shortened to NIS, was first established in July 2016. When introduced it encompassed two groups - the operators of essential services; and relevant digital service providers, with the aim to strengthen cybersecurity resilience.

While somewhat effective, NIS was seen to have limitations particularly the narrow scope of organisations covered.  This was addressed in January 2023, when the European Union adopted a new version of the Directive.

NIS2 expands the scope of entities covered from seven to 18, adding new sectors based on how crucial they are for the economy and society, broken into two categories - essential and important. Any essential organisations, with a headcount of over 250 or in excess of €50 million revenue; and important organisations with a headcount over 50 or in excess of €10 million revenue from the sectors identified in NIS2 will be directly included in the scope. That doesn’t mean small or micro-organisations are excluded.

Each member state can extend the scope to include any organisation (in the identified sectors) deemed to fulfil specific criteria that indicate a key role for society, the economy or for particular sectors or types of service.

All EU member states, and non members trading in the EU, will need to transpose NIS2 into national legislation by October 17, 2024. Although no longer bound by EU regulation, the UK government has confirmed it will also strengthen its NIS regulations.

What You Need To Know

Meeting the compliance standards for NIS2 will be vital for all organisations that fall within its scope, but particularly so for smaller organisations currently at the behest of hackers looking for easy wins. SMEs invariably pay ransoms at a higher rate due to the severe impact that cyber attacks have on the continuity of their business, because of their lack of recovery protocols. Forward thinking SMEs will focus on preventing attacks before they occur, weatherproofing their company against an increased pace of threat.

NIS operates on a principle-based approach, allowing cybersecurity to become a part of an organisation’s ‘business as usual,’ rather than operating on a set of prescriptive rules. This is similar to multiple international, consensus-driven standards, including ISO/IEC and others, that offer pathways for SMEs and other organisations to develop and implement cybersecurity programs. Organisations understand their business better than an outsider, therefore the principle-based approach allows organisations to make informed decisions on how best to tackle cybersecurity challenges. 

One important change is that, while NIS required significant cyber incidents to be reported, the updated Directive includes a timeline for reporting incidents.

Within 24 hours of identifying any incident with significant impact an early warning should be communicated to the competent authority or CSIRT. This should be followed after 72 hours with a full notification report including the assessment of the incident, severity and impact and indicators of compromise. A final report must be communicated within a month. While detecting incidents is obviously important, the onus for organisations should be on reducing the risks faced and preventing incidents in the first place.

Compliance Does Not Always Equate To Security

Compliance with NIS2 is mandatory, and failure to adhere can result in large fines. However, organisations should not be lulled into a false sense of security that by following frameworks or ticking boxes they are secure.  The reality is that, while adherence with NIS2 principles will strengthen defences, alone it does not equate to being secure. Compliance with the legislation is no substitute for maintaining strong cyber hygiene. The onus has to be on every organisation to implement secure working practices that protect their infrastructure and the sensitive data and critical systems contained.

True cybersecurity requires complete and holistic understanding of the risks that exist within the entire infrastructure. A preventative approach in Industrial cybersecurity is paramount to eliminate many of the core risks associated with the new trends and challenges that are present. When threat actors evaluate a company's attack surface, they're probing for the right combination of vulnerabilities, misconfigurations and identity privileges. 

To mitigate the risks, it is essential to gain full visibility into both IT and OT environments - of IT and OT assets, IoT, Building Management Systems, and everything in between, the interdependencies that exist for critical functionality, and determine where weaknesses and vulnerabilities exist. 

Knowing what is there is only part of the equation as it's imperative to understand how OT devices are interconnected and what interdependencies exist for critical functionality. With that intelligence, security teams then need to identify where weaknesses and vulnerabilities exist and prioritise those assets that could become possible attack paths. From this stance, steps can be taken to remediate the risks where possible, or monitor the assets related to the risk for deviations that could be indicators for attacks.

Gaining this broad visibility can be difficult, challenging security teams to conduct analysis, interpret the findings and identify what steps to take to reduce risk as quickly as possible. AI has the potential to address this. It can be used by cybersecurity professionals to search for patterns, explain what they’re finding in the simplest language possible, and decide what actions to take to reduce cyber risk.  AI is being harnessed by defenders to power preventative security solutions that cut through complexity to provide the concise guidance defenders need to stay ahead of attackers and prevent successful attacks. Harnessing the power of AI enables security teams to work faster, search faster, analyse faster and ultimately make decisions faster.
 
While regulatory compliance can be daunting, particularly for organisations who have never felt the weight of regulatory measures like this before, it is an important exercise. Knowing the adversary means organisations can anticipate cyber attacks, ensuring they are best positioned to defend against today’s emerging threats.

Hackers looking for low-hanging fruit will target smaller organisations whose security practices may be less mature. Raising the security bar should persuade them to move on and find another target.

Bernard Montel is EMEA Technical Director and Security Strategist at Tenable

Image: Ideogram

You Might Also Read: 

EU Updates Its Cyber Solidarity Act:

DIRECTORY OF SUPPLIERS - Governance, Risk & Compliance:

___________________________________________________________________________________________

If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible

« Data Compliance When Using MS Copilot
Two Sides Of AI In The Industrial Internet of Things »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

Watch this webinar to hear security experts from Amazon Web Services (AWS) and SANS break down the myths and realities of what an NGFW is, how to use one, and what it can do for your security posture.

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

Cloudera

Cloudera

Cloudera provide the world’s fastest, easiest, and most secure data platform built on Hadoop.

Backup Technology

Backup Technology

Backup Technology is a world leader in the Online Cloud Backup, Disaster Recovery and Business Continuity market.

UpGuard

UpGuard

UpGuard's discovery engine brings visibility to complex IT environments, enabling teams to identify risk, confirm compliance and make business safer.

Exonar

Exonar

We enable organisations to better organise their information, removing risk and making it more productive and secure.

National Forensic Sciences University (NFSU)

National Forensic Sciences University (NFSU)

National Forensic Sciences University is the world’s first and only University dedicated to Digital Forensic and allied Sciences.

Axiomtek

Axiomtek

Axiomtek is a leading design and manufacturing company in the industrial computer and embedded field.

e-End

e-End

e-End provides hard drive shredding, degaussing and data destruction solutions validated by the highest electronic certifcations to keep you compliant with GLB, SOX, FACTA, FISMA, HIPAA, COPPA, ITAR.

Atlantic Security Conference (AtlSecCon)

Atlantic Security Conference (AtlSecCon)

Atlantic Security Conference is a non-profit, annual, information security conference located in Halifax, Nova Scotia, Canada.

National CyberWatch Center

National CyberWatch Center

National CyberWatch Center is a cybersecurity consortium working to advance cybersecurity education and strengthen the national workforce.

AttackIQ

AttackIQ

AttackIQ delivers continuous validation of your enterprise security program so you can strengthen your security posture and your response capabilities.

TestArmy

TestArmy

TestArmy CyberForces provide you with a broad spectrum of cybersecurity services to test every aspect of your IT infrastructure security and software development process.

Ross & Baruzzini

Ross & Baruzzini

Ross & Baruzzini delivers integrated technology, consulting, and engineering solutions for safe, sustainable, and resilient facilities.

LBMC

LBMC

LBMC is a professional services solutions provider in accounting and finance, human resources, technology, risk and information security, and wealth advisory services.

Charles IT

Charles IT

Charles IT is your friendly, no-nonsense IT team focused on helping companies make their technology work for them. We focus on building relationships that deliver results.

EtherAuthority

EtherAuthority

EtherAuthority's engineering team has been helping blockchain businesses to secure their smart contract based assets since 2018.

Synoptek

Synoptek

Synoptek is a global systems integrator and managed IT services provider (MSP). We offer comprehensive IT management and consultancy services to organizations worldwide.