What’s the buzz about NIS 2?
The latest version of the Network and Information Security Directive (NIS 2) has severe implications for companies that provide services or carry out activities in the European Union (EU).
NIS 2’s goal is to establish a higher level of security and cyber resilience for EU member states across 18 essential industry sectors. Violations can lead to substantial fines, legal liability and even criminal sanctions at the individual level.
There is plenty of “buzz” about NIS 2, and it’s growing. As we approach the October 2024 deadline (and beyond), companies must finalize their plans to align with this legislative act. But what does NIS 2 mean and is there a best way to approach it? Let’s take a look.
Unpacking NIS 2
The goal of NIS 2 is “…to build cybersecurity capabilities across the Union, mitigate threats to network and information systems used to provide essential services in key sectors and ensure the continuity of such services when facing incidents…” (from page 1, line 1 in the NIS 2 Directive).
NIS 2 can be broken into four broad categories:
Risk management has both reactive and proactive elements. An efficient response to a live security incident is reactive. Mitigating vulnerabilities and exposures before they become incidents is proactive.
Business continuity and reporting obligations are possible follow-up actions in the event a cyberattack is successful.
Corporate accountability covers the aftermath of a poor NIS 2 implementation. Companies that do not comply with NIS 2 are likely to receive a fine or other punishment. This includes legal liability for damage caused by a security incident that could have been prevented if the necessary measures had been taken.
Read more about NIS 2 in CyCognito’s compliance learning center and the full directive on the European Union Law website.
Four NIS 2 “Must Haves”
Alignment with NIS 2 means your organization must be able to:
NIS 2 covers a lot of ground, especially for organizations with reactive security workflows.
How are Organizations Preparing for NIS 2?
NIS 2 does not dictate how organizations meet risk management objectives. Instead, companies are given the flexibility to “…choose a governance framework to achieve objectives…” (chapter 2, Article 7). This is a common approach for congressional statutes in the United States, such as Sarbanes-Oxley, HIPAA and Dodd-Frank, or parliamentary acts in the EU, including GDPR.
Flexibility is both a blessing and a curse. To meet NIS 2 requirements, many organizations are turning to established standards such as ISO 27001, ISO 27002, the CIS Controls and NIST SP 800-53 for guidance. However, compliance frameworks are often challenging to interpret and operationalize. It can be unclear how they can be used tactically for early visibility into risk, and how the resulting data enables confident and quick mitigation.
How CyCognito Accelerates NIS 2 Initiatives
Delivered as a service, CyCognito supports your organization’s efforts to meet its NIS 2 objectives around risk management, resilience and reporting.
Proactively reduce exposures
Early visibility into vulnerabilities and exposures enhances your security team’s ability to mitigate potential threats. This reduces the number of emergency incident response, reporting and recovery activities.
With CyCognito, your teams know:
As an example, CyCognito users can filter issues by compliance violation, illustrated in Figure 1. This information is also available via API.
Figure 1: Critical Issues Filtered by Compliance Violations
Respond efficiently to incidents
The NIS 2 requirement to “…mitigate threats to network and information systems…” is best supported with risk-based threat prioritization. Only by knowing the issues that pose the greatest risk can you confidently defend your decision to assign staff to remediation.
CyCognito provides:
For example, you may have an initiative to ensure that e-commerce web apps are protected by a web application firewall (WAF) and have CAPTCHA enabled. Checking this is simple in CyCognito, as illustrated in Figure 2.
Figure 2: Filter Web Applications by Presence of WAF and CAPTCHA
Read more about CyCognito’s issue prioritization in our blog “Stop remediating backwards – Reactive Approaches Aren’t a Long-Term Solution”.
Deliver prompt, accurate reporting
Sharing threat, vulnerability and even incident data with authorities is critical to building collective resilience. NIS 2’s tight timelines require rapid access to high-confidence data that spans business, technology and risk.
CyCognito enables you to meet the directive’s 24-hour, 72-hour and 30-day reporting requirements through:
For example, Figure 3 shows a snapshot of the executive report with the security score of major components during a reporting period.
Figure 3: Executive Report Snapshot With Scoring Breakdown by Component
Recover quickly
Achieving incident resilience involves regular assessment of exposed network and information systems. “Resilience” refers to the ability of these systems to recover from, and adapt to, adverse conditions, attacks or compromises.
CyCognito is a reliable source of information about your exposed attack surface. For example, Figure 4 presents a view into some of the details of an asset susceptible to CVE-2019-19781 (Unauthenticated Remote Directory Traversal & Code Execution).
Figure 4: Issue Details for Risk Communication
This information can also be used for collaboration between national authorities, between member states and between the public and private sectors.
Case Study: CyCognito Helps Asklepios Comply with NIS 2
As NIS 2 is translated into national law, CyCognito helps Asklepios, a German hospital company, fulfill its legal requirements by providing visibility and assessment of its IT infrastructure.
“The upcoming NIS 2 is currently just a directive, a European directive, currently translated into a national law. The national law should be published by February this year and should be effective by October this year,” says Daniel Maier-Johnson, Chief Information Security Officer (CISO) of Asklepios.
“CyCognito’s automatic detection of the external attack surface is state-of-the-art and provides transparency, which will help us keep compliant with the BSI Act and NIS 2 regulations.”
Shorten your Journey to NIS 2 Compliance with CyCognito
NIS 2 compliance is difficult for organizations of any size. CyCognito, delivered as an automated service, enables a fast response to this upcoming directive. With CyCognito, your teams are able to:
The result: confident visibility into external risk, faster audit times and lower stress levels for your teams.
Get a demo of the CyCognito platform to see how it can help automate your NIS 2 project for your attack surface.
If you’re interested in learning more about navigating compliance or simplifying compliance initiatives, check out some of our related recent resources: