In 2023, the European cybersecurity landscape painted a concerning picture. According to a report[1] from ITGovernance.eu, sectors such as energy, utilities, manufacturing, and healthcare were the most breached, indicating strategic targeting by cybercriminals. Meanwhile, IBM's alarming metrics[2] on detection, response, and mitigation further emphasized that enterprise cybersecurity implementations were falling short.
The European Union adopted the Network and Information Security Directive 2 (NIS 2, Directive (EU) 2022/2555) to bolster cybersecurity resilience across the EU, driven by several critical objectives:
- Enhanced Cybersecurity Resilience: improve the overall resilience of critical infrastructure and services against cyber threats and attacks.
- Uniform Security Standards: create a standardized framework for cybersecurity practices across the EU, ensuring a consistent level of security and risk management.
- Improved Incident Reporting: establish more stringent reporting requirements for cybersecurity incidents, allowing for quicker and more coordinated responses to threats.
- Broadened Scope: expand the scope of the original directive to include more sectors and services that are critical to the economy and society, reflecting the evolving nature of cyber threats.
- Better Cooperation: enhance cooperation and information sharing between member states, promoting a more unified and effective approach to cybersecurity.
- Supply Chain Security: address security concerns within supply chains, ensuring that third-party vendors and service providers meet the necessary cybersecurity standards.
In a nutshell, the NIS 2 directive obligates organizations to implement appropriate and proportional technical, operational, and organizational measures to manage risks posed to the security of network and information systems. The goal is to prevent or minimize the impact of incidents on service recipients and other interconnected services.
Key Areas of Focus in NIS 2
Four crucial topics emerge from the directive:
- risk assessment and management
- corporate accountability
- reporting obligations
- business continuity
By October 17, 2024, EU member states must adopt and publish the national measures needed to comply with NIS 2, and by April 17, 2025, they must establish a list of essential and important entities.
NIS 2 is a significant enhancement over its predecessor, NIS 1, addressing its shortcomings such as insufficient cyber resilience, disparate implementations across member states, and lack of a joint crisis response team. NIS 2 expands coverage to sectors like food and beverage, digital service providers, and postal services, acknowledging the digital systemic risks associated with cybersecurity. This directive is expected to impact over 160,000 companies.
Organizations Impacted and Obligations
Organizations fall into two categories under NIS 2: (1) essential and (2) important entities.
Essential entities are large organizations in sectors such as energy, transport, and water supply: broadly, those with at least 250 employees or an annual turnover above €50 million. They are subject to proactive (ex ante) supervision, including regular audits, by the competent authority of the member state in which they operate.
Important entities, on the other hand, are medium-sized organizations in sectors such as digital providers and postal services, with at least 50 employees or an annual turnover above €10 million. They are subject to reactive (ex post) supervision: audits are triggered by evidence or indications of non-compliance, typically after an incident has occurred.
Figure 1- Organization Sectors impacted by NIS 2 (courtesy of nis2directive.eu)
Out of the 144 recitals, 46 articles, 3 annexes and more than 270 pages, organizations should focus on these key obligations:
- Full accountability for outsourced services (Recital 83)
- Defined competencies for supervisors (Recital 125)
- Personal accountability at the C-suite level for approving cybersecurity measures and ensuring continuous training (Article 20)
- Adopting technical, operational, and organizational measures (Article 21)
Mapping NIS 2 with the NIST Cybersecurity Framework
While NIS 2 sets forth comprehensive obligations, it lacks a clear list of actionable items. This is where adopting a security blueprint like the NIST Cybersecurity Framework (CSF) can help organizations prepare effectively for NIS 2 compliance.
Figure 2 – NIST Cybersecurity Framework [3]
The framework's core is organized around six functions in CSF 2.0: the original five (Identify, Protect, Detect, Respond and Recover) plus the newly added Govern function. When considered together, these functions provide a comprehensive view of the life cycle for managing cybersecurity risk.
Govern Function: this function provides outcomes that inform what an organization may do to achieve and prioritize the outcomes of the other five functions. It aligns with NIS 2's requirement (Article 20) that management bodies approve and oversee appropriate risk-management policies, in the context of the organization's mission and stakeholder expectations.
Identify Function: this covers asset management and risk assessment, aligning with NIS 2's requirement for organizations to identify their assets and assess the associated risks.
Protect Function: this includes controls related to identity management, access control, data and network security, zero trust, and multi-factor authentication. These controls align with the Article 21 measures that essential and important entities must implement to protect their network and information systems against identified risks.
Detect Function: the CSF's Detect function includes controls for continuous monitoring and the analysis of anomalies and adverse events (incident and anomaly detection, network monitoring), aligning with NIS 2's requirement to detect incidents early enough to meet its notification deadlines. Supply chain risk management, by contrast, sits under the Govern function in CSF 2.0.
Respond Function: This function includes controls for incident response planning, communication, and coordination, ensuring organizations have plans to respond to incidents affecting critical infrastructure.
Recover Function: The recover function includes controls for business continuity and disaster recovery planning, ensuring organizations can recover from incidents affecting their critical infrastructure.
Challenges and Solutions
Organizations face several challenges in achieving NIS 2 compliance. These include monitoring blind spots, managing fragmented security solutions, dealing with alert fatigue, overcoming patch management backlogs, and addressing shadow IT. Moreover, poor coordination between network and security teams often delays incident detection and response.
To address these challenges, a comprehensive approach leveraging the NIST CSF can provide detailed security controls mapped to NIS 2 requirements. These controls include using a single-pass software stack for full visibility of digital assets, automated device inventory dashboards, comprehensive risk assessment tools, and a unified management application for security and network incident detection and correlation.
Investing in trusted partners with ISO 27001 certification can also help manage supply chain security and governance, ensuring a reliable approach to cybersecurity. Continuous training, adopting zero trust models, and integrating advanced threat detection and response mechanisms are critical to meeting NIS 2 obligations.
In conclusion, while NIS 2 presents a complex set of requirements, adopting a cybersecurity blueprint like the NIST CSF can streamline compliance efforts and enhance the overall security posture of organizations. By focusing on comprehensive risk management, continuous monitoring, and robust incident response, organizations can set their cybersecurity house in order and mitigate the impact of potential cyber threats.
The right network and security platform can help
Cato Networks offers a comprehensive solution and infrastructure that can greatly assist companies in achieving NIS 2 compliance. By leveraging Cato’s Secure Access Service Edge (SASE) platform, organizations can enhance the security and resilience of their network and information systems.
If you want to know more about how Cato Networks can help achieve NIS 2 compliance, please check our webinar "NIS 2 is coming. Are you ready?"
[1] ITGovernance.eu, https://www.itgovernance.eu/blog/en/data-breaches-and-cyber-attacks-in-europe-in-december-2023-100884532-records-breached
[3] NIST Cybersecurity Framework figure, copyright of NIST