What Does The NIS2 Directive Mean for Cybersecurity in the EU?
With cyberattacks increasingly threatening business and customer data, Chief Information Security Officers (CISOs) are working to implement the NIS2 Directive in their organizations to strengthen their digital security.
NIS2 is mandatory for all medium-sized and large organizations within vital sectors in the EU. As a result, business leaders, IT experts, and CISOs must thoroughly understand NIS2 to ensure compliance, avoid penalties, and implement the proper cybersecurity protocols that protect sensitive data, maintain operational continuity, and build trust with stakeholders.
To fully grasp NIS2, this article will focus on the regulated sectors, their requirements, and what security providers can do to help these sectors prepare and comply with NIS2.
Table of contents
- Align practices
- Conduct a risk assessment
- Understand compliance requirements
- Develop an incident response plan
- Regularly monitor and audit
- Train employees
What is the NIS2 Directive?
The NIS2 (Network and Information Security Directive 2), formally known as Directive (EU) 2022/2555, is legislation that came into effect in January 2023 to enforce a high standard of cybersecurity within organizations and minimize disruptions.
NIS2 is a revision of NIS1, the EU’s first cybersecurity legislation, introduced in 2016. Because of NIS1’s narrow scope and the evolution of cyberattacks since then, the Directive was updated to address cybersecurity more comprehensively.
NIS2, therefore, is a directive that applies to EU states to ensure a safe digital space protected from hackers, ransomware, system failures, or even natural disasters.
Key features of NIS2 include:
- Increased security requirements: Companies must implement stricter cybersecurity measures such as risk assessments, encryption, incident reporting, security audits, and employee training.
- More vigorous enforcement and accountability: Senior management must ensure compliance, address violations, conduct regular audits and inspections, or face significant fines.
- Improved cooperation: Joint investigations and threat intelligence sharing allow member states to cooperate in real time to manage and mitigate the impact when a cyberattack affects multiple countries.
To which sectors does NIS2 apply?
NIS2 has a much broader scope than NIS1 had in 2016 and now applies to a wider range of entities, which are categorized as Essential or Important depending on their size, sector, and criticality.
Entities are also divided into two groups, “Sectors of High Criticality” and “Other Critical Sectors.” Both groups must meet the same requirements; the only differences are the governance measures and penalties that apply.
NIS2 defines Essential and Important entities as such:
- Essential Entities: Energy, healthcare, transport, and banking are defined as essential entities, because disrupting them would cause significant harm to society. Essential entities are required to implement strict cybersecurity measures to protect against cybersecurity risks.
- Important Entities: These are less critical and include digital service providers such as cloud computing services, public administrations, manufacturers, and social media platforms. They are required to meet cybersecurity standards, although these are less stringent than those for essential entities.
Additional entities are defined as follows:
- Large Entities: >= 250 employees or more than 50M in revenue.
- Medium Entities: 50 to 249 employees or more than 10M in revenue.
- Small & Micro Entities.
- Lex Specialis: May apply where sectoral regulations are at least equivalent.
- CER: Entities designated as Critical entities under Directive (EU) 2022/2557 (the CER Directive) shall be considered Essential entities under NIS2.
How to comply with the NIS2 Directive
NIS2 required EU Member States to transpose the Directive into their national legislation by October 17, 2024. If you’re currently working towards compliance or need to catch up, here’s what your company needs to do about its cybersecurity measures.
Align practices
Cybersecurity measures must be tailored to address the most significant threats, and this is the responsibility of the CISO or senior management. Evaluate your current security practices and ensure measures are in place to identify and mitigate threats against the business.
Conduct a risk assessment
Identify all critical assets in your organization, such as data, hardware, software, and personnel, and assess the threats to those assets and the vulnerabilities that could allow those threats to compromise your systems.
Once identified, consider the financial, reputational, and operational impact of each risk. For risks identified as high priority, develop the strategies needed to reduce or eliminate them. To mitigate risks, consider controls such as firewalls, encryption, and regular updates.
Understand compliance requirements
Be clear on whether your organization falls under NIS2 as an Essential or Important entity. This determines your obligations. Then review how your country has implemented NIS2 and follow the guidance of its cybersecurity authorities to ensure compliance.
Develop an incident response plan
An incident response plan gives a clear and structured procedure to follow if a cyber incident occurs. Someone in your company should be assigned to lead the response team, handle communication, and manage the technical aspects of the response.
The plan should outline the steps for containing the incident to prevent further damage, isolate affected systems, and secure networks.
NIS2 also requires clear communication, both internally and with customers, stakeholders, and the relevant authorities. All businesses must report breaches within 24 hours, including the nature of the breach, its potential impact, and what actions were taken.
What’s more, all plans should also include steps for recovery, such as restoring systems from backups and verifying that systems are secure before returning to normal operations.
Once the incident is resolved, the team should conduct a post-incident review to establish what worked well and what needs to be improved, and then update the plan accordingly for continuous improvement and protection against future threats.
Regularly monitor and audit
To limit the chance of being fined, establish a schedule for auditing your security measures so that documentation stays up to date and compliant with NIS2. These audits should assess access controls, incident response effectiveness, and data protection.
All of these audits should be documented thoroughly; this not only demonstrates compliance with NIS2 but also ensures company transparency and accountability.
Train employees
Insider threats and human error are another risk that businesses face. As a result, all employees, regardless of seniority, must have at least a basic knowledge of cybersecurity practices so they can reduce risks and respond to them.
These training programs should be carried out regularly to stay up to date with the evolving threats in cybersecurity.
Security solutions with NIS2
The following data security measures may help organizations meet and support NIS2 requirements.
Penetration testing
Penetration testing simulates real-world attacks and can uncover vulnerabilities to help businesses address these weaknesses before attackers exploit them.
This supports NIS2 compliance by meeting the requirements for ongoing testing and risk assessment, strengthening the company’s security measures and its overall defense against cyberattacks.
Attack surface discovery
Attack surface discovery identifies the potential entry points attackers may use to gain access and move across systems to steal data or introduce malware or ransomware. It uses tools to catalog exposed assets and vulnerabilities so they can be tested further.
This helps with NIS2 compliance as it helps prevent and reduce the impact of potential cybersecurity incidents.
Red teaming
Red teaming is an ethical hacking practice in which certified cybersecurity experts, either in-house or from an external company, simulate attacks on an organization to test and attempt to bypass its security controls.
For NIS2 compliance, this helps companies with their incident response plan and also tests their security effectiveness, which can be documented for audits to establish potential areas for continuous improvement.
Automated security testing
Companies can also implement automated tools that continuously scan systems for vulnerabilities and misconfigurations that can lead to security incidents, including zero-day attacks. This reduces human error and saves businesses money by providing 24/7 security monitoring and keeping them ahead of cybersecurity threats.
Using cloud storage to help comply with the NIS2 directive
Internxt cloud storage offers a GDPR-compliant and encrypted cloud storage solution that allows Essential and Important Entities to store files in complete privacy with end-to-end and zero-knowledge encryption.
Small and medium-sized businesses can use Internxt’s cloud storage for business, which offers 2TB of storage for up to 100 users, with annual plans costing just €30/user/year and the following features:
- Maximum account security with 2FA;
- Post-quantum cryptography to protect sensitive information against attacks by quantum computers;
- Secure file sharing between departments;
- Session management to prevent unauthorized access;
- Activity logs that help with auditing by tracking who signed in, uploaded, or modified files;
- Multiple file backups for increased redundancy, backup, and disaster recovery.
Internxt also offers S3 storage, giving larger organizations a platform to manage huge amounts of data with object storage for easier file management and quicker data retrieval.
Internxt S3 offers the same high-security standards as its business plans and is a 100% hot storage solution with superior speed for quick access time and handling of large volumes of data.
One significant advantage for companies is that Internxt S3 has no data transfer fees, and its pay-as-you-go model is a fixed rate of €7/TB/month, up to 80% cheaper than its competitors.
You can contact us at Internxt to speak with one of our sales experts and get started with the best cloud storage. This storage prevents data breaches, saves businesses money, and helps with NIS2 and other compliance laws.