
Understanding the EU NIS2 Directive: Tips and traps

Alexander Värä, Director, Global Security Business

The EU Network and Information Security (NIS2) Directive is a comprehensive regulatory framework aimed at enhancing the cybersecurity landscape across the European Union. It entered into force on 16 January 2023, and European Union member states were given 21 months, until 17 October 2024, to transpose its measures into national law.

NIS2 imposes stringent requirements on risk management capabilities and incident reporting obligations for essential and important entities. This article provides an overview of NIS2 and tips to start your NIS2 journey, without stepping into common traps.

At the time of this writing, some EU Member States have produced proposals for country-specific legislation, so it is important to validate security requirements at the local level and to treat this document as a first dive into the world of NIS2.

Risk management

Scope:

NIS2 mandates a broad scope for risk management, encompassing not only IT assets or critical services but also the entire operations and services of the concerned entity. This includes:

  • The physical environment
  • Network and information systems, focusing on the availability, authenticity, integrity, and confidentiality of data stored, transmitted, or processed
  • Services offered by, or accessible via, those network and information systems.

Aim:

The primary goal is to prevent and minimize the impact of incidents.

All-hazard approach:

NIS2 requires risk-management measures to be based on an all-hazard approach, addressing potential threats like sabotage, theft, fire, flood, telecommunication or power failures, unauthorized physical access, and similar. This comprehensive approach ensures robust defense against a wide range of incidents.

Minimum requirements:

Entities must implement the following measures as a minimum (requirement, followed by its description):

  • Policies on risk analysis and information system security: Establish clear policies for analyzing risks and securing information systems.
  • Incident handling: Develop procedures for effective incident response.
  • Business continuity: Implement strategies for backup management, disaster recovery, and crisis management.
  • Supply chain security: Secure relationships with suppliers and service providers, considering vulnerabilities and their cybersecurity practices.
  • Security in acquisition, development, and maintenance: Ensure security throughout the lifecycle of network and information systems, including vulnerability handling and disclosure.
  • Assessment policies: Regularly evaluate the effectiveness of cybersecurity risk-management measures.
  • Basic cyber hygiene and training: Promote fundamental cybersecurity practices and provide necessary training.
  • Use of cryptography: Develop policies for cryptography use, including encryption where appropriate.
  • Human resources security: Implement access control policies and manage assets securely.
  • Authentication and communication security: Use multi-factor and/or continuous authentication and ensure secure communication channels.

Auditing:

Audits may be performed by third parties, and by default the audited party bears the cost, unless the competent authority decides otherwise.

Incident reporting

Significant incident definition:

An incident is deemed significant if it causes severe operational disruption or financial loss, or if it affects other individuals or entities by causing considerable material or non-material damage.

Reporting types:

NIS2 outlines a three-tiered reporting structure for significant incidents (reporting type, followed by its requirement):

  • Early warning: Notify the computer security incident response team (CSIRT) within 24 hours of detecting the incident. Include indications of whether the incident is suspected to be unlawful or malicious and whether it could have cross-border impacts.
  • Incident notification: Provide a detailed notification within 72 hours (24 hours for trust service providers) of becoming aware of the incident. Include updates from the early warning and an initial assessment of the incident’s severity and impact, along with indicators of compromise.
  • Final report: Submit a comprehensive report to the competent CSIRT or authority within one month of the incident notification, or provide a progress report if the incident is ongoing. The final report should detail the incident’s severity, impact, root cause, mitigation measures, and any cross-border effects.

Common traps

Although the NIS2 directive comes into force on October 17, 2024, many vendors and cyber security consultancy companies are already profiling themselves as NIS2 experts, claiming to offer solutions that will resolve your NIS2 compliance. Given that there may be upcoming requirements to use certified products or services, base any strategic commitment to products and services on an understanding of your risks, how you mitigate them, and how you respond to them when incidents occur. Additionally, the following actions help avoid some of the common pitfalls associated with adopting any new framework.

Overcomplication

A company may be fully compliant with the strictest standards and certifications yet be totally insecure. This is often a result of over-complicated policies, heavy frameworks, and point technology solutions that are never used to their fullest effectiveness. Such an outcome is usually driven by generalization and extending security requirements across one’s entire organization instead of assets related to critical data and processes.

Organizational underestimation

Based on the existing information, achieving NIS2 compliance is a technical and management-level effort that will affect company employees’ user experience. This exercise cannot be done in isolation from key business decision-makers and needs strong company management support. Allocate sufficient resources, and get the necessary mandate and time to drive the NIS2 initiative in your organization. Don’t consider this a compliance exercise; instead treat it as a company maturity journey in information security. In most of the successful frameworks I’ve seen companies adopting, the starting point was cultural change, with executive sponsorship.

Snake oil

Many technology vendors will claim to resolve your NIS2 compliance challenges. Avoid this trap. Consider your technology strategy only after you know your key business processes, associated assets, and risk tolerance.

Over-investment in technology

As a guiding principle, a highly heterogeneous technology stack combined with limited operating resources usually leads to overinvestment in technology, diverting budget from other essential tasks. This, however, may not be true in your case. When making security technology-related decisions, consider an approach where a key technology platform covers most of your requirements, complemented by auxiliary technologies that integrate with that platform. Additionally, evaluate your operational capabilities. This will affect your technology selection and resource allocation/budgeting, and it may uncover a need for external partner support.

Practical tips

Fundamentally, the aim of the directive focuses on understanding, preparing, and mitigating risks associated with the availability, authenticity, integrity, and confidentiality of critical data, networks, and systems. While there will surely be more concrete requirements and expectations set by the competent authorities in member states, it makes sense to be proactive by going through the following checklist, which will help you get started and become accustomed to any guidelines and requirements that may come down the line.

Identify critical assets and processes:

You know best how your business operates. Think of your key business processes that may impact your or your customers’ availability, authenticity, integrity, and confidentiality. Then think of all assets related to those. Map them to create one asset inventory. Additionally, map how any third party is related to those assets. Are some of the critical assets managed by a partner?

Doing this phase well enables an optimized approach to NIS2 conformance and overall security.

Think evil and evaluate risk:

Once you have mapped your critical assets, networks, physical environment, and supply chain, and documented how those relate to critical processes, run a set of workshops to understand the risks associated with them. Your tools for this could be threat modeling and any lightweight method for business impact and business continuity assessment. Just remember to stay within the borders of the identified assets and the third parties associated with them. However, think broadly (all-hazard approach): physical sabotage, power outage (in your data centers or a hyperscaler’s availability region), and so on. This stage will reveal the relevant vectors that can lead to compromise, which will inform your evaluation and defense strategy. As you will know what will happen under which threat, you can evaluate the impact of a compromise from at least economic, legal, social, and environmental perspectives. In other words, at this stage you will know your key assets, their environment, how they can be compromised, and what the damage will look like to you, your partners, and your customers.

Create a risk register:

A risk register is meant for collecting, maintaining, and prioritizing risks related to your key processes, assets, and partners. If you have taken the aforementioned steps, you should be in a position to document everything in a risk register and start evaluating priorities. There are plenty of frameworks for building a risk register to choose from, and free guides are available (like the EU Risk Management Toolbox by ENISA), but at a very minimum you should now be able to:

  • Identify risks and the related assets/environments/supply chain
  • Identify the risk status
  • Analyze each risk’s probability, its impact if realized, and its priority, as multiple risks might be realized at the same time
  • Identify risk owners and have them accept their responsibility. This step is crucial if you want to get anything done in prevention, detection, and response.
  • Assess and decide the risk treatment, if any, with the risk owner(s).

Risk treatment:

Typically, this stage reveals your needs for technology, processes, and procedures. Try to keep the paperwork to a minimum, as the more processes and procedures you have, the harder it will be for you to navigate security in your environment. Additionally, in times of crisis, complex processes are typically the first ones to be found in a trash bin.

When it comes to technology solutions, it is preferable to design a security architecture before selecting your security stack. You know your main attack vectors, your critical assets and their environment, and the impact of their compromise. Think about how you can protect, detect, respond, and continuously improve your cyber hygiene with the fewest technologies possible. Consider using platform solutions to ensure a smooth learning curve and feasible operational cost.

Conclusion

The NIS2 Directive sets forth rigorous requirements for risk management and incident reporting, aiming to bolster the cybersecurity posture of organizations within the EU. By adhering to these requirements, entities can better prevent and mitigate the impacts of cybersecurity incidents, ensuring a resilient and secure digital ecosystem.

While compliance with NIS2 is important, aim for good security hygiene and effective working processes to keep your organization protected, rather than just “checkbox compliance” through fragmented technological point solutions and overcomplicated policies. Implementing the necessary capabilities to comply with NIS2 might be tedious; however, now is the best time for security leaders to engage business stakeholders and management, lead them through this process, and secure the necessary resources to ensure success. Your internal customers will need all the help they can get.

Final note

This article will not ensure your compliance with NIS2 but is aimed at navigating you to your first steps on this topic. There will be more requirements to come, hence stay tuned for your country’s specific guidelines.

Connect with us to get started on your NIS2 journey.