What Will The NIS2 Directive Mean For Smaller Organisations?

Uploaded on 2024-04-02 in TECHNOLOGY--Resilience, NEWS-Cybersecurity News, FREE TO VIEW, BUSINESS-Services-Law

The EU Directive on the security of Network and Information Systems, often shortened to NIS, was first established in July 2016. When introduced it encompassed two groups - the operators of essential services; and relevant digital service providers, with the aim to strengthen cybersecurity resilience.

While somewhat effective, NIS was seen to have limitations particularly the narrow scope of organisations covered.  This was addressed in January 2023, when the European Union adopted a new version of the Directive.

NIS2 expands the scope of entities covered from seven to 18, adding new sectors based on how crucial they are for the economy and society, broken into two categories - essential and important. Any essential organisations, with a headcount of over 250 or in excess of €50 million revenue; and important organisations with a headcount over 50 or in excess of €10 million revenue from the sectors identified in NIS2 will be directly included in the scope. That doesn’t mean small or micro-organisations are excluded.

Each member state can extend the scope to include any organisation (in the identified sectors) deemed to fulfil specific criteria that indicate a key role for society, the economy or for particular sectors or types of service.

All EU member states, and non members trading in the EU, will need to transpose NIS2 into national legislation by October 17, 2024. Although no longer bound by EU regulation, the UK government has confirmed it will also strengthen its NIS regulations.

What You Need To Know

Meeting the compliance standards for NIS2 will be vital for all organisations that fall within its scope, but particularly so for smaller organisations currently at the behest of hackers looking for easy wins. SMEs invariably pay ransoms at a higher rate due to the severe impact that cyber attacks have on the continuity of their business, because of their lack of recovery protocols. Forward thinking SMEs will focus on preventing attacks before they occur, weatherproofing their company against an increased pace of threat.

NIS operates on a principle-based approach, allowing cybersecurity to become a part of an organisation’s ‘business as usual,’ rather than operating on a set of prescriptive rules. This is similar to multiple international, consensus-driven standards, including ISO/IEC and others, that offer pathways for SMEs and other organisations to develop and implement cybersecurity programs. Organisations understand their business better than an outsider, therefore the principle-based approach allows organisations to make informed decisions on how best to tackle cybersecurity challenges. 

One important change is that, while NIS required significant cyber incidents to be reported, the updated Directive includes a timeline for reporting incidents.

Within 24 hours of identifying any incident with significant impact an early warning should be communicated to the competent authority or CSIRT. This should be followed after 72 hours with a full notification report including the assessment of the incident, severity and impact and indicators of compromise. A final report must be communicated within a month. While detecting incidents is obviously important, the onus for organisations should be on reducing the risks faced and preventing incidents in the first place.

Compliance Does Not Always Equate To Security

Compliance with NIS2 is mandatory, and failure to adhere can result in large fines. However, organisations should not be lulled into a false sense of security that by following frameworks or ticking boxes they are secure.  The reality is that, while adherence with NIS2 principles will strengthen defences, alone it does not equate to being secure. Compliance with the legislation is no substitute for maintaining strong cyber hygiene. The onus has to be on every organisation to implement secure working practices that protect their infrastructure and the sensitive data and critical systems contained.

True cybersecurity requires complete and holistic understanding of the risks that exist within the entire infrastructure. A preventative approach in Industrial cybersecurity is paramount to eliminate many of the core risks associated with the new trends and challenges that are present. When threat actors evaluate a company's attack surface, they're probing for the right combination of vulnerabilities, misconfigurations and identity privileges. 

To mitigate the risks, it is essential to gain full visibility into both IT and OT environments - of IT and OT assets, IoT, Building Management Systems, and everything in between, the interdependencies that exist for critical functionality, and determine where weaknesses and vulnerabilities exist. 

Knowing what is there is only part of the equation as it's imperative to understand how OT devices are interconnected and what interdependencies exist for critical functionality. With that intelligence, security teams then need to identify where weaknesses and vulnerabilities exist and prioritise those assets that could become possible attack paths. From this stance, steps can be taken to remediate the risks where possible, or monitor the assets related to the risk for deviations that could be indicators for attacks.

Gaining this broad visibility can be difficult, challenging security teams to conduct analysis, interpret the findings and identify what steps to take to reduce risk as quickly as possible. AI has the potential to address this. It can be used by cybersecurity professionals to search for patterns, explain what they’re finding in the simplest language possible, and decide what actions to take to reduce cyber risk.  AI is being harnessed by defenders to power preventative security solutions that cut through complexity to provide the concise guidance defenders need to stay ahead of attackers and prevent successful attacks. Harnessing the power of AI enables security teams to work faster, search faster, analyse faster and ultimately make decisions faster.
 
While regulatory compliance can be daunting, particularly for organisations who have never felt the weight of regulatory measures like this before, it is an important exercise. Knowing the adversary means organisations can anticipate cyber attacks, ensuring they are best positioned to defend against today’s emerging threats.

Hackers looking for low-hanging fruit will target smaller organisations whose security practices may be less mature. Raising the security bar should persuade them to move on and find another target.

Bernard Montel is EMEA Technical Director and Security Strategist at Tenable

Image: Ideogram

You Might Also Read: 

EU Updates Its Cyber Solidarity Act:

DIRECTORY OF SUPPLIERS - Governance, Risk & Compliance:

___________________________________________________________________________________________

If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible

« Data Compliance When Using MS Copilot
Two Sides Of AI In The Industrial Internet of Things »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

Resecurity

Resecurity

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

Nexus Group

Nexus Group

Nexus Group develops identity solutions for physical and digital access.

CyberTech Network

CyberTech Network

CyberTECH is a global cybersecurity, Internet of Things (IoT) and Smart City network ecosystem and incubator operator.

Inseego

Inseego

Inseego provides Enterprise SaaS solutions and IoT & Mobile solutions, which together form the backbone of intelligent, reliable and secure IoT services with deep business intelligence.

Matrix42

Matrix42

Matrix42 software for digital workspace experience manages devices, applications, processes and services simple, secure and compliant.

Belkasoft

Belkasoft

Belkasoft is a software vendor providing public agencies, corporate security teams, and private investigators with digital forensic solutions.

Dracoon

Dracoon

DRACOON is market leader in the German-speaking region for secure enterprise file sharing.

Plug and Play Tech Center

Plug and Play Tech Center

Plug and Play is the ultimate innovation platform, bringing together the best startups and the world’s largest corporations.

Envelop Risk

Envelop Risk

Envelop Risk is a global specialty cyber insurance firm, combining decades of insurance industry expertise with sophisticated cyber and artificial intelligence-based analytics.

Russell Reynolds Associates

Russell Reynolds Associates

Russell Reynolds Associates is a global leadership advisory and search firm with functional expertise in Digital Leadership, Data & Analytics, and Compliance.

Aristi Technologies

Aristi Technologies

Aristi provides cybersecurity risk and compliance services to help manage your unique cyber risks, safeguarding your systems and data and complying with government and industry standards.

Digitpol

Digitpol

Digitpol’s Cyber Crime Investigation experts investigate hacking incidents, ransomware, extortion and conduct security audits and IT upgrades.

Polygraph

Polygraph

Polygraph monitors the activities of click fraud gangs, including how they operate, who they target, the techniques they use, and how to detect their fraud.

Digital Intelligence

Digital Intelligence

Digital Intelligence offer a full array of products, forensic and e-discovery consulting services and training.

Blattner Technologies

Blattner Technologies

Blattner Technologies mission is to be the leading provider of predictive transformation services and tools in the Data Analytics, Artificial Intelligence and Machine Learning industry.

ZAG Technical Services

ZAG Technical Services

ZAG Technical Services is an award-winning information technology consulting firm delivering digital transformation solutions, IT assessments, managed services, security, and support.

Future Crime Research Foundation (FCRF)

Future Crime Research Foundation (FCRF)

FCRF is a Non-Profit NGO specializing in Research in Cyber Security, Digital Crime, Fraud Risk Management, Cyber Laws and Cyber Forensics.