NIS2 is on the horizon, but what should you or your organization do? Which measures need to be taken? Unfortunately the exact guidelines are not yet known, which leaves us in a state of uncertainty. The Dutch Ministry of Justice and Security is working on translating NIS2 into the Cybersecurity Act, which will replace the current Network and Information Systems Security Act (Wbni). The new law was initially scheduled for the end of 2024 and required all companies and organizations to take steps to comply. The start date has been postponed to early 2025.
However, this law will not apply to all organizations. In short, this law will be applicable to all organizations in the critical sector and those that serve these sectors or organizations. To clarify its scope the NIS2 directive categorizes organizations as follows:
⮚ Category 1 (very critical sectors): Energy; transport; banking; financial market infrastructure; healthcare; drinking water; wastewater; digital infrastructure; management of ICT services; government.
⮚ Category 2 (critical sectors): Postal and courier services; waste management; manufacturing, production and distribution of chemicals; food production, processing and distribution; manufacturing; digital providers; research.
Preparing for NIS2
Does this mean you should wait before preparing for NIS2? Definitely not. It is important to start preparations as soon as possible. But how do you prepare for guidelines and legislation whose specifics are not known? By looking at the motives of the EU, which means understanding the goal and the problem. The aim of NIS2 is quite straightforward: “the European Union wants to strengthen digital and economic resilience against increasing threats.”
Rising Cyberattacks
In the first quarter of 2024 Check Point Research (CPR) observed an increase in the average number of cyberattacks per organization per week to 1,308, a 5% rise compared to the first quarter of 2023. The Education/Research sector was hit hardest, with an average of 2,454 attacks per organization per week, followed by Government/Military (1,692 attacks per organization per week) and Healthcare (1,605 attacks per organization per week). This top three indicates an alarming vulnerability in sectors crucial to the functioning of society. More information about the statistics and research can be found at the following links:
Check Point Research. (2022, October 17). Intelligence Reports. https://research.checkpoint.com/intelligence-reports
Dutch IT Channel. (2024, May 7). Aantal cyberaanvallen in Nederland bovengemiddeld hard gegroeid. https://www.dutchitchannel.nl/news/434527/aantal-cyberaanvallen-in-nederland-harder-gestegen-dan-wereldwijd
The need for NIS2
These alarming trends have prompted the EU to intervene with the NIS2 guidelines. Those guidelines are designed to enhance digital resilience and thus mitigate the impact of cyber threats. The goal of NIS2 is therefore to better protect companies and organizations against increasing cyber threats. The EU is concerned about disturbing trends such as those of 2023, when 50% of UK companies experienced severe issues. Nearly 1 billion emails were exposed globally that year, affecting 1 in 5 internet users. Additionally, data breaches cost companies an average of $4.35 million in 2022. About 236.1 million ransomware attacks were recorded globally in the first half of 2022. These figures underscore the urgent need to improve security within organizations and companies. Therefore the EU has decided to implement the NIS2 guidelines to increase digital security and to highlight the urgency and priority of this issue. Through these guidelines the EU hopes to enhance overall security in Europe.
Imber, D. (2024, July 17). The Latest Cyber Crime Statistics (updated July 2024). AAG IT Services. https://aag-it.com/the-latest-cyber-crime-statistics/
Lessons from GDPR
Now that we understand the goal and the problem of the NIS2 directive we can conclude that similar challenges have previously occurred with the GDPR (General Data Protection Regulation). Before the GDPR was introduced there were significant issues and shortcomings in the protection of personal data within the EU. The EU observed that data was insufficiently protected with frequent data breaches and misuse of personal data. To address these issues the EU decided to implement the GDPR to create a uniform and robust framework for data protection.
The motivations for introducing the GDPR are closely related to the reasons for the NIS2 directive. Both directives aim to improve safety and protection in their respective domains. Therefore, we can expect that the NIS2 guidelines will complement the existing GDPR rules. Since we are already familiar with the GDPR we can prepare for the NIS2 directive by leveraging the experiences and knowledge gained from the GDPR.
Key aspects to prepare for NIS2
By comparing the GDPR's security requirements with what NIS2 is expected to demand, we can anticipate and prepare for the following ten aspects:
1) Asset Inventory:
It is important to map out all assets, both physical and digital. This includes not just servers, laptops, office supplies, etc., but also the information we use. Additionally, we need to identify which information will be utilized in specific processes and systems.
2) Zero trust mindset:
NIS2 will mainly focus on defense techniques against hacking through a 'zero-trust' mindset. The following three principles can be applied:
I. Never trust, and always verify;
II. Apply the principle of least privilege and always restrict user access;
III. Assume there is a breach and verify every request at all times.
3) Defense in Depth:
It is highly likely that NIS2 will refer to the Defense in Depth practice. This security strategy involves implementing multiple layers of defenses to protect against threats. The concept is based on the idea that no single security measure is foolproof. Multiple layers of protection are used to ensure that if one layer fails, others will still be in place to mitigate or prevent an attack. By spreading out the defenses, organizations reduce the risk of a successful breach and make it more difficult for attackers to penetrate the system and cause harm.
4) Stricter Security Measures:
Companies will be required to implement more robust cybersecurity measures. This could range from advanced firewalls and intrusion detection systems to stricter access control mechanisms to protect sensitive data and critical systems. This should be closely aligned with your policies and concepts such as security-by-design and a zero trust mindset.
5) Incident Response Plans:
Companies must have detailed incident response plans to respond quickly to cyberattacks and other digital disruptions. These plans should clearly describe how the company handles incidents, communicates with relevant authorities and minimizes impact. It should also ensure alignment with the notification obligations established by the government.
6) Notification Obligation:
Under NIS2, companies in Category 1 may be required to report cyber incidents to national authorities within a specified timeframe. This means they must report breaches and disruptions promptly and transparently. The specific criteria and obligations will be developed by the government. Organizations are currently required to notify authorities within 24 hours of becoming aware of an incident. Additionally, they must submit a comprehensive report on the incident within one month. Therefore, we should aim to meet these KPIs (Key Performance Indicators) from the outset.
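To make the two reporting KPIs above measurable, the following is an added example (not from the original article or any official tooling) that tracks, per incident, whether the 24-hour notification and the one-month full report were met, are still open, or were missed. It assumes that "one month" means 30 days and that all timestamps are recorded in UTC; the incident data is constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Assumed reading of the two KPIs named in the text. "One month" is taken as
# 30 days here; adjust if the final Cybersecurity Act defines it differently.
EARLY_NOTIFICATION_WINDOW = timedelta(hours=24)
FULL_REPORT_WINDOW = timedelta(days=30)

@dataclass
class Incident:
    ident: str                       # constructed reference, not a real case
    aware_at: datetime               # moment the organisation became aware
    notified_at: Optional[datetime]  # early notification sent (None = not yet)
    reported_at: Optional[datetime]  # full report submitted (None = not yet)

def deadlines(aware_at: datetime):
    """Both deadlines are counted from the moment of becoming aware."""
    return aware_at + EARLY_NOTIFICATION_WINDOW, aware_at + FULL_REPORT_WINDOW

def check_incident(inc: Incident, now: datetime) -> dict:
    """Status per KPI: 'met', 'missed', or 'open' (not yet done, still in time)."""
    early_dl, full_dl = deadlines(inc.aware_at)

    def status(done_at: Optional[datetime], deadline: datetime) -> str:
        if done_at is not None:
            return "met" if done_at <= deadline else "missed"
        return "open" if now <= deadline else "missed"

    return {"incident": inc.ident,
            "early_notification": status(inc.notified_at, early_dl),
            "full_report": status(inc.reported_at, full_dl)}

def kpi_report(incidents, now: datetime):
    return [check_incident(i, now) for i in incidents]

# Constructed sample incidents
UTC = timezone.utc
SAMPLE = [
    Incident("INC-001", datetime(2024, 9, 1, 9, 0, tzinfo=UTC),
             datetime(2024, 9, 1, 20, 0, tzinfo=UTC), datetime(2024, 9, 20, tzinfo=UTC)),
    Incident("INC-002", datetime(2024, 9, 3, 14, 0, tzinfo=UTC),
             datetime(2024, 9, 5, 8, 0, tzinfo=UTC), None),
    Incident("INC-003", datetime(2024, 7, 1, tzinfo=UTC), None, None),
]

if __name__ == "__main__":
    for row in kpi_report(SAMPLE, datetime(2024, 9, 10, tzinfo=UTC)):
        print(row)
```

Feeding this from an incident register gives a running view of which cases are at risk of missing a deadline before the authority has to be told.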
7) Enhanced Collaboration:
NIS2 emphasizes collaboration between public and private parties to effectively address cyber threats. This means working closely with government agencies and sharing information about potential threats and incidents.
8) Regular Evaluations:
Companies will likely need to undergo regular cybersecurity assessments and audits to ensure their security measures remain up-to-date and effective. This does not mean we should simply check/audit for compliance with NIS2, as it is a law that must be upheld. Instead, we should ensure compliance with any (security) framework or baseline that is appropriate for our organization.
9) Leadership and Accountability:
An organization’s management may be held personally liable for non-compliance with the new legislation especially if they cannot demonstrate that they have fulfilled their duty of care and diligence.
10) Supply Chain:
NIS2 also aims to ensure that companies are responsible not only for their own cybersecurity but also for that of all parties they work with. This ensures a broad and collective level of cybersecurity across the entire supply chain.
Relevant Standards and Frameworks
We also note that COBIT 2019, ISO 27001:2022, and ISO 27005:2022 serve as the foundation for NIS2. The ISO certifications form the basis for our (security/risk) controls while COBIT 2019 provides clear insight into the allocation of responsibilities, documented processes and procedures, and available backup plans in case a service needs to be quarantined.
Zeegers, D. (2022, November 14). NIS2 krijgt enkel een duw in de rug met de adoptie van COBIT 2019. NIS2 News. https://nis2.news/nis2-krijgt-enkel-een-duw-in-de-rug-met-de-adoptie-van-cobit-2019/
Our advice is: don’t wait too long. Start studying these topics now and familiarize yourself with them so that you are well-prepared when they become relevant. The fact is that NIS2 is coming—and coming soon! “SO BE PREPARED!”
In conclusion, NIS2 will specifically apply to critical infrastructure organizations, but it also provides a valuable baseline for all organizations. NIS2 is not merely a guideline; it is a legal requirement that critical organizations must comply with to ensure the security and resilience of our digital infrastructure. Compliance is not optional; it is an obligation that must be met. The best course of action is to prepare thoroughly by mapping out our current landscape, identifying potential vulnerabilities and adopting a proactive, shift-left approach to cybersecurity. By doing so, we can not only meet NIS2 requirements but also bolster our defenses against the increasing threat of cyberattacks. The time to act is now—let's prepare for what lies ahead.
Sources:
https://www2.deloitte.com/nl/nl/pages/risk/articles/nis2-richtlijn.html
https://www.ncsc.nl/over-ncsc/wettelijke-taak/wat-gaat-de-nis2-richtlijn-betekenen-voor-uworganisatie
https://www.digitaleoverheid.nl/overzicht-van-alle-onderwerpen/nis2-richtlijn/
https://www.digitaleoverheid.nl/nieuws/dit-moet-je-weten-over-de-nis2-richtlijn/
https://eur-lex.europa.eu/legal-content/NL/TXT/PDF/?uri=CELEX:32022L2555&from=EN
https://www.digitaltrustcenter.nl/wat-gaat-de-nis2-richtlijn-betekenen-voor-jouw-organisatie