What is NIS2?
On 10 November 2022, the European Parliament approved an update to the EU's existing Network and Information Security Directive ("NIS Directive"). The update is known as "NIS2" and replaces the original NIS Directive, which was the EU's first piece of cybersecurity legislation when adopted in 2016.
NIS2 will cover a larger share of the EU economy and introduce additional security and reporting requirements for EU member states. These requirements will be transposed into national executive orders that have the force of law and must, without exception, be followed by organizations in the respective EU countries.
Why is NIS2 being implemented?
With the increase in digitalization and the constant rise in cyber-attacks, NIS2 aims to protect critical organizations and infrastructure within the EU from cyber threats, by creating a common set of cybersecurity requirements and practices for effective collaboration between relevant authorities in each member state.
Who is affected by NIS2?
The authorities will expand their supervision both in depth and in breadth: in depth, because the authorities are now obliged to enforce the requirements of the directive; in breadth, because the scope of the directive has been extended to several additional sectors.
NIS2 therefore significantly expands the range of sectors affected and opens the door to inspections by the authorities. Authorities are now obliged to conduct inspections as defined by the new directive, based on the sector category to which the organization belongs.
Essential Entities (EE)
• Energy - supply, distribution, transmission and sale of energy
• Transport via air, rail, road and sea
• Finance - credit, trade, market and infrastructure
• Health - research, production, providers and manufacturers of equipment
• Drinking water and wastewater
• Digital infrastructure - DNS, trust services, data center services, cloud computing, communication services (telecom and network), providers of managed services and managed security services
• Public administration, municipalities and regions
• Space - software and service
Important Entities (IE)
• Postal and parcel service
• Waste management
• Chemical products - manufacturing and distribution
• Food - manufacture, distribution and production
• Manufacture/production of pharma, electronics, optical equipment, machinery, vehicles
• Providers of online marketplaces, search engines, social platforms
Essential entities – inspections will be handled ex-ante, meaning inspections will proactively take place and organizations can expect ongoing audits, reporting and peer reviews.
Important entities – inspections will be handled ex-post, meaning inspections will mainly take place if there is a suspicion that the organization is not meeting the requirements.
NIS2 operates with a size threshold: "small" and "micro" organizations, defined as having fewer than 50 employees or an annual turnover of less than 10 million euros, are not covered by the legislation.
Organizations must determine for themselves whether they are covered by NIS2.
How will NIS2 affect my organisation?
The NIS2 directive establishes requirements for management, business continuity, reporting to authorities, and risk management:
Management – The leadership within the company must be familiar with the NIS2 requirements and the risk management practices. They are directly responsible for ensuring that cyber risks are identified and addressed and that the requirements are met.
Business continuity – Organizations need to have a plan in place for the case that they are affected by a significant cyber incident. This includes plans for system restore, emergency procedures, etc.
Reporting to authorities – Organizations are now required to have established processes in place for reporting to the authorities. This includes the requirement to report major incidents within 24 hours (for Danish companies, on virk.dk).
Risk management – The requirements are increased: organizations must manage their risks and implement both damage-prevention and mitigation measures to reduce both the risks and their potential consequences.
The minimum requirements are:
• HR security
• Management of assets
• Incident Management
• Vulnerability management
• Securing Supply Chains and IT contingency planning
• Network security
• Security in development processes
• Access control
What are the NIS2 sanctions?
The directive includes guidelines for minimum financial penalties for organizations that do not follow the NIS2 requirements. The size and type of the organization determine the amount of the fine. For instance, an organization that fails to comply with NIS2 may be fined 10 million EUR or 2% of the organization's gross annual global revenue (similar to a GDPR fine for a less severe violation).
Additionally, sanctioning may include forced audits, sanctioning of management, etc. and the leadership of non-compliant organizations can be held personally liable for any NIS2 breaches.
Services that help your organisation with NIS2
Emergency Incident Response Retainer
With our Emergency Incident Response Retainer, your organisation has access to incident response services on an ongoing basis and gets:
Emergency assistance – In the event of a cyber incident, time is of the essence. With an Emergency Incident Response Retainer in place from CSIS, your organisation can quickly access the expertise and resources it needs to respond to and manage the incident.
Tailored guidance and support – Our Emergency Incident Response Retainer gives your organisation access to our team of experts who through the retainer service are familiar with your organisation's systems and processes and can provide tailored guidance and support.
Cost savings – Our Emergency Incident Response Retainer is more cost-effective than paying for incident response services on an ad-hoc basis, and you can rely on our team of experts to be available 24/7.
Active Directory Health Check
With our Active Directory Health Check, your organisation receives a 360-degree analysis of your Active Directory's security posture and gets:
Proactive detection – Our Active Directory Health Check identifies issues with your organisation's Active Directory before they become a major problem, by providing your organisation with a full report of all current vulnerabilities and misconfigurations.
Actionable recommendations – Our Active Directory Health Check provides all the recommended actions and detailed mitigation techniques, prepared by our team of experts for easy adaptation and implementation.
Swiftly improved security posture – Our Active Directory Health Check is fast and requires minimum effort from your organisation. In a matter of days, you will receive a report that, if implemented, will quickly and significantly improve your security posture.
Compromise Assessment
With our Compromise Assessment, your organisation receives a comprehensive overview of the security posture of your endpoints and network, and gets:
Proactive detection – Our Compromise Assessment helps prevent future cyber-attacks by addressing vulnerabilities and weaknesses in your organisation's systems. The service identifies issues with your organisation's operating-system-level security settings and misconfigurations before they become a major problem. It also provides a full overview of any indicators of malware present in your organisation's network, and of the risks your network is exposed to that could pave the way for malicious actors to gain access.
Actionable recommendations – Our Compromise Assessment provides all the recommended actions and detailed mitigation techniques, with findings pinpointed to individual computers, prepared by our team of experts for easy adaptation and implementation.
Swiftly improved security posture – Our Compromise Assessment is fast and requires minimum effort from your organisation. In a matter of days, you will receive a report that, if implemented, will quickly and significantly improve your security posture.
GAP Analysis
With our GAP Analysis, your organisation receives the foundation to build and maintain a cyber security strategy and gets:
Holistic overview – Our GAP Analysis provides a holistic overview of your organisation's performance by identifying unknown cyber security risks, based on the SANS CIS Controls v8 and covering more than 150 questions.
Prioritized efforts – Our GAP Analysis provides a suggested and prioritized plan of projects that will raise your organisation's security level, aligned with available effort and budget.
Improved reputation and compliance – Our GAP Analysis can help your organisation enhance compliance with relevant regulations and industry standards, improve customer trust by demonstrating a commitment to security, and better manage risks.
Securing Supply Chains and IT contingency planning
Incident Response Tabletop Exercise
With our Incident Response Tabletop Exercise, your organisation gets to test and evaluate its incident response plan and procedures against real-life scenarios, and gets:
Identify weaknesses – Our Incident Response Tabletop Exercise helps your organisation identify weaknesses by testing and evaluating your incident response plan and procedures.
Hands-on experience – Our Incident Response Tabletop Exercise gives your team hands-on experience in practicing their roles and responsibilities by executing the current plan against real-life scenarios.
Improved reputation and compliance – Our Incident Response Tabletop Exercise helps your organisation demonstrate its commitment to incident response and cybersecurity, and assists in complying with relevant regulations and industry standards (e.g. NIS2: Securing Supply Chains and IT contingency planning).
Managed Detection and Response / Endpoint Detection and Response
With our Managed Detection and Response service, your organisation gets 24/7 monitoring for cyber threats, and gets:
Reduced risks – Our Managed Detection and Response service reduces your organisation's exposure to cyber threats with 24/7 monitoring of your systems and networks. You will have access to our team of security experts who can provide tailored guidance to increase your security posture, and when necessary, perform extensive remediation of potential attacks before they turn into full-blown security incidents.
Increased efficiency – Instead of constant in-house monitoring of security alerts, your organisation can rest assured that you are protected by our 24/7 Managed Detection and Response service. Focus on your organisation's core mission and let our team take on the burden of detecting and responding to potential threats or attacks, while offering tailored advice to harden your overall security posture.
Cost savings – Many organisations dealing with a critical security incident have been breached unknowingly for months. Having our Managed Detection and Response service can reduce the risk of a full-blown security breach by detecting potential indicators of attack quickly and effectively. If a breach does occur, our team will quickly identify and remediate the threat, minimizing the impact on your organisation's operations and reducing any downtime or loss of productivity.
Cyber Defence Feed
With our Cyber Defence Feed, your organisation gets comprehensive visibility into malicious domains and IP addresses, and gets:
Block malicious web content – The Internet is becoming an ever-greater security threat, with more than 22% of all new domains created for illegal purposes. Your employees' day-to-day use of the Internet presents a challenge because it is impossible for ordinary users to tell which sites are safe. For example, malicious code is often found in banners on entirely legitimate websites.
Prevent data leakage – Our Cyber Defence Feed will not only help prevent internet-based exploits and malware downloads, but can also block communication from existing malware intrusions and prevent them from leaking data. This is accomplished by implementing the corresponding rules in your on-premise security solution.
Detect advanced malware – Our Cyber Defence Feed can help detect advanced malware that has managed to infect network devices by circumventing locally deployed security products. This works because the feed data does not rely on signatures or behaviour; instead it reveals the infrastructure that the malware attempts to communicate with.
How can CSIS help?
NIS2 is not just another compliance requirement, and as cyber security specialists to the core, we do not believe in "one-size-fits-all". We have therefore specialised our services within specific areas of the NIS2 directive, for specific sectors and fitted to your organisation's needs within:
• Incident Management
• Vulnerability management
• Securing Supply Chains and IT contingency planning
• Network security
Call us for more information about NIS2 and find out how we can help you.