A Comprehensive Guide to NIS2 Directive 2023

The European Union passed the Directive on Security of Network and Information Systems, the NIS Directive, in 2016 as its first cybersecurity legislation. The directive was adopted to enhance the security of network and information systems across all EU Member States.

 

The NIS Directive brought a shift in mindset and introduced new ways to mitigate risks. However, technology has since evolved at an unprecedented pace. As the world has become faster and more technologically advanced, it has also exposed new vulnerabilities, widened the scope for threats, and introduced new challenges.

 

To counter these cyberattack challenges, the European Union responded with the NIS2 Directive. The Directive was introduced with the goal of addressing these problems through protocols and enforcement within the EU to fight cyber threats.

 

Keep reading to find out more about the NIS2 Directive.

What is the NIS2 Directive?

Just like its predecessor, the NIS Directive implemented in 2016, the NIS2 Directive is a piece of legislation crafted to improve the way organizations counter cyber risks and to secure the EU member states. By introducing a standardized set of requirements for organizations in the member states, the NIS2 Directive is set to enhance cybersecurity and counteract cyber threats.

 

The Parliament adopted NIS2 in November 2022 and the Directive entered into force in January 2023, giving the member states 18 months to adopt it. Stringent penalties for non-compliance will be enforced if any member state fails to adapt to the new policy. With almost a year left to adopt the Directive, organizations must acquaint themselves with what the NIS2 Directive is all about.

How is the NIS2 Directive different from the NIS Directive?

NIS2 expands on its predecessor, the NIS Directive, with a more extensive and detailed set of requirements, tailored to counter the kinds of cyberattacks seen against EU critical infrastructure in recent years.

 

With this additional set of requirements, NIS2 raises the level of cyber-resilience and improves the response capacities of all businesses operating in the EU. It also significantly widens the scope by adding new sectors such as the manufacturing of certain critical products, food, and waste management. It mandates compliance with security rules by medium and large-sized entities. Notably, it also removes the flexibility to customize that the NIS Directive previously offered to member states. Furthermore, it introduces reporting obligations for a few sectors such as energy and health.

Who does NIS2 apply to?

NIS2 applies to all member states of the European Union. It primarily pertains to critical national infrastructures. The directive categorizes the sectors that have to adapt to it. To protect network and information systems, essential sectors like energy and healthcare and important sectors like manufacturing and food are compelled to implement the following specific measures in response to incidents that occur:

 

Policies on risk analysis and information system security.

Incident handling such as prevention and response to incidents.

Crisis management and business continuity, such as backup.

Supply chain security.

Security in network and information systems acquisition, development, and maintenance.

Policies and procedures (testing and auditing) to assess the effectiveness of cybersecurity risk management measures.

Basic cyber hygiene practices and cybersecurity training.

Policies and procedures regarding the use of cryptography and, where appropriate, encryption.

Human resources security, access control policies, and asset management.

Use of multi-factor authentication or continuous authentication solutions, secured voice, video, and text communications, and secured emergency communication systems within the entity, where appropriate.

Penalties for non-compliance with the NIS2 Directive

The management bodies of essential and important entities that disregard the stipulated requirements of the NIS2 Directive may be held liable for non-compliance.

 

The penalties vary based on the entity’s category. Essential entities will face penalties in the form of fines up to €10 million or at least 2% of the total annual worldwide turnover of the entity in the previous fiscal year, while important entities will face penalties in the form of fines up to €7 million or at least 1.4% of the total annual worldwide turnover in the previous fiscal year.

 

To ensure seamless compliance, it is advised that organisations collaborate with trusted advisors for guidance on how to effectively adhere to the NIS2 Directive.

Claroty’s Support of the NIS2 Directive

Claroty’s cyber-physical systems (CPS) cybersecurity portfolio not only supports but also simplifies NIS2 compliance. It offers robust monitoring, protection, and other cyber risk management controls for all CPS, not only in the essential sectors but for all entities deemed in scope for NIS2.

 

Claroty provides support for the ten key measures listed above for managing and mitigating cyber risks. Here is how it does so:

Policies on risk analysis and information system security:

 

Claroty uncovers and evaluates assets, systems, vulnerabilities, and cyber and operational threats in CPS environments. It then uses this extensive visibility to analyze, define, and suggest enforcement of policies that secure the network and reduce risk exposure.

 

Incident handling such as prevention and response to incidents:


The system monitors around the clock to find early indicators of threats and alerts the organization to potential threats, which supports response planning. It also integrates with SIEM, SOAR, and related solutions to extend existing SOC workflows across all CPS.

Crisis management and business continuity, such as backup:


The system offers real-time inventory access and management. It also offers ready-made integrations with backup and recovery tools to manage the crisis seamlessly.


Supply chain security:
Provide secure and seamless remote access to OT for all internal and third-party users to ensure.


Security in network and information systems acquisition, development, and maintenance:

Claroty correlates all CPS against the latest CVEs and tracks everything in real time to ensure complete development and maintenance as and when needed.

Policies and procedures (testing and auditing) to assess the effectiveness of cybersecurity risk management measures:


By proactively monitoring and assessing everything, Claroty offers a risk scoring mechanism to ensure optimized risk management procedures and flexible reporting to simplify processes and manage risk.


Basic cyber hygiene practices and cybersecurity training:
It offers recommendations on daily hygiene and training needs. The SRA solution enables role-based access controls and other cyber hygiene practices.

Policies and procedures regarding the use of cryptography and, where appropriate, encryption:
It encrypts all system-related data in accordance with NIS2, GDPR, and other regulatory requirements. It also alerts when the regulatory requirements are not being met.


Human resources security, access control policies, and asset management:
It offers risk mitigation recommendations to help you prioritize cyber hygiene and access control policies. It also seamlessly integrates with related solutions enabling easy extension of asset management workflows.


Use of multi-factor authentication or continuous authentication solutions, secured voice, video, and text communications, and secured emergency communication systems within the entity, where appropriate:
Claroty’s SRA offers Zero Trust-based access controls along with secure remote and on-site access to all CPS with full recordings and audits to ensure security.

Conclusion

With the rise of cyber risks, it is imperative to take measures. The NIS2 Directive is a great initiative by the EU to keep the organizations of its member states safe from such risks. These organisations are advised to work with trusted advisors for guidance on how to effectively adhere to the NIS2 Directive.

 

With the help of a trusted advisor, like Claroty, organizations will not only ensure seamless compliance with the NIS2 Directive, but also secure the OT assets, along with the Internet of Things devices, management systems, and Internet of Medical Things (IoMT) devices that underpin their critical environments.