What is NIS/NIS2?

10 Min Read

May 2, 2023

By: Per Häggdahl

Works as CSO/CISO. Has worked with the delivery of secure systems to banks, central banks, stock exchanges, and central securities depositories for over 20 years.

What is NIS/NIS2?

The NIS Directive, short for Network and Information Systems Directive, is an EU legislation aimed at improving the cybersecurity of critical infrastructure and essential services such as energy, transport, banking, and healthcare in EU member states in order to protect citizens and businesses from the increasing threat of cyber attacks. Here, organizations are required to execute appropriate measures to ensure the security of their network and information systems, prevent and minimize the impact of cyber attacks, and report significant incidents to the relevant authorities.

The European Union (EU) passed the NIS Directive in 2016 and it became effective in May 2018. The Directive was supposed to be implemented by the member states of the EU into their national laws by the 9th of May, and 21 more months were given to fully comply with the Directive’s requirements.

Due to increased threats, the EU issued NIS2 Directive 2022/2555 in November 2022 when it had the requirement to better prepare the member states for cyber attacks.

WHAT are the major differences between the NIS and NIS2 Directives?

NIS2 is a revision of the original NIS Directive, updating and expanding the scope of the original Directive to cover a wider range of essential services and digital service providers. NIS2 builds on the original NIS Directive but significantly expands the categories of organizations that fall within the scope of the law, imposes new and more granular security and incident reporting rules, and creates a stricter enforcement regime. The member states of the EU are required to implement the NIS2 Directive into their national laws.

The main differences between the original NIS Directive (passed in 2016 and already in place) and the NIS2 Directive (passed in 2022) are:

Scope: The NIS2 Directive is an expansion of the scope of the original NIS Directive to cover a wider range of essential services and digital service providers, including cloud computing services, online marketplaces, and search engines, among others.
Incident reporting: The NIS2 Directive introduces a harmonized reporting obligation for serious incidents across all EU member states, with clear criteria for what constitutes a serious incident. The original NIS Directive only required reporting of incidents affecting essential services.
Coordination and cooperation: The NIS2 Directive establishes a stronger coordination and cooperation framework between EU member states, the European Union Agency for Cybersecurity (ENISA), and the European Commission.
Cybersecurity certification: The NIS2 Directive introduces a voluntary cybersecurity certification scheme for digital service providers and operators of essential services.

WHEN does NIS2 come into force?

The new EU-wide cyber law, Directive 2022/2555 (NIS2), entered into force on Monday, January 16, 2023. Member states now have until October 18, 2024, to transpose the new directive into their respective national laws. Unlike GDPR, which is a regulation that is the same for all of the EU, NIS2 will be implemented differently in all member states.

WHO does NIS2 apply to?

The NIS2 Directive applies to operators of essential services and digital service providers in the European Union (EU) member states.

Operators of essential services include companies and organizations in sectors like energy, transportation, health, banking, water supply, waste management, and others that are critical to the functioning of society and the economy.

Digital service providers comprise search engines, online marketplaces, and cloud computing services that play a critical role in the functioning of the digital single market.

The Directive intends at improving the overall cybersecurity posture of the EU and protecting citizens and the economy from harm caused by cyber attacks by mandating these organizations to take appropriate measures to secure their network and information systems and to report serious incidents to the relevant authorities.

HOW does NIS2 apply to city governments, government authorities, and the public sector in general?

An average city government is necessitated to take the required steps to protect its information systems and networks that support the delivery of essential services to citizens under the NIS2 Directive. This may include implementing security controls, conducting risk assessments, and having incident response plans in place to deal with cyber incidents.

In certain ways, NIS2 is not largely deviated from the first NIS directive, but it has resulted in a renewed focus on cybersecurity issues. Failure to comply with the NIS2 Directive could result in significant fines, and more importantly, loss of public trust and confidence in the city’s ability to deliver essential services securely. The NIS2 Directive also mandates city governments to report serious cyber incidents to the relevant authorities.

What are the major steps in becoming NIS2 compliant?

To become compliant with the NIS2 directive several key steps must be followed:

Assessment: Assess your current network and information systems comprehensively to identify any vulnerabilities and assess the current level of security.
Risk management: Implement a risk management program that includes risk assessment, risk mitigation, and risk monitoring.
Implementation of security measures: Implement appropriate technical and organizational measures to secure your network and information systems, such as access controls, encryption, incident response planning, and security awareness training. (Appropriate measures are explained further down in the following chapters)
Regular security testing: Regularly test the effectiveness of your security measures, such as penetration testing, vulnerability scanning, and security audits.
Incident response planning: Develop and implement an incident response plan to ensure that you are prepared to respond quickly and effectively to security incidents.
Monitoring and review: Continuously monitor your network and information systems to identify any new threats or vulnerabilities, and regularly review and update your security measures to ensure they remain effective.
Documentation: Keep accurate and up-to-date documentation of your security measures and security incidents.

It is worth noting that this is not a one-time activity but should rather be an ongoing process to maintain compliance with the NIS2 directive. Organizations must review and update their security measures continuously to ensure they remain effective in the face of evolving security threats.

What are the challenges when implementing NIS2?

Implementing the NIS2 Directive could present several challenges for organizations and governments:

Compliance costs: Organizations may face significant costs in complying with the NIS2 Directive’s requirements, including the implementation of appropriate technical and organizational measures to ensure the security of their network and information systems. eBuilderSecurity offers many of the necessary preventive security measures as a service, thereby reducing costs. Buying preventive measures as a service reduces the cost of expensive licenses.
Technical complexity: Implementing the NIS2 Directive’s requirements could be technically complex, especially for organizations with large and complex information systems and networks. eBuilderSecurity offers many of the necessary preventive security measures as a service, thereby moving the technical complexity from the customer to eBuilder Security.
Harmonization: The implementation of the Directive’s requirements may vary between countries. Therefore ensuring harmonization of the implementation of the NIS2 Directive across EU member states may be challenging. Different member states may interpret the directives differently as they are implemented into the local laws of the member states.
Incident reporting: Implementing the NIS2 Directive’s incident reporting requirements could be challenging, especially for organizations that have not previously had incident reporting procedures in place.
Cybersecurity certification: Implementing the NIS2 Directive’s voluntary cybersecurity certification scheme may also be challenging, as organizations need to demonstrate compliance with the Directive’s requirements and undergo a rigorous evaluation process.

In summary, implementing the NIS2 Directive could be challenging for organizations due to compliance costs, technical complexity, harmonization, incident reporting, and cybersecurity certification requirements. However, these challenges should be outweighed by the benefits of improved cybersecurity and protection. The complexity can also be reduced by procuring many of the “appropriate measures” as a service. Prevention is always a lot cheaper than recovery.

What is meant by “Appropriate Measures”?

The term “appropriate measures” in the NIS2 Directive signifies technical and organizational measures that are to be implemented by organizations to ensure the security of their network and information systems. These measures help reduce and prevent the impact of security incidents, such as cyber attacks, on their operations and the personal data of their users.

Examples of appropriate measures include:

Security Awareness Training – Human error often acts as a significant factor in security incidents, like data breaches. Organizations are able to reduce the risk of security incidents caused by human error, by offering employees trainings on how to identify and respond to potential security threats.
Application Vulnerability Scanning – Application vulnerability scanning is the process of identifying security vulnerabilities in software applications, such as web applications and mobile apps. By conducting application vulnerability scanning, organizations can identify security weaknesses and take steps to remediate them before they are exploited by malicious actors.
Network Penetration Testing – the process of simulating an attack on an organization’s network and information systems to identify security vulnerabilities. By conducting network penetration testing, organizations can identify security weaknesses and take steps to remediate them before they are exploited by malicious actors.
End Point Protection – Endpoint protection helps organizations prevent, detect, and respond to security incidents that occur on their endpoints. Its importance lies in the fact that endpoints are often the first point of entry for malicious actors who try to gain access to an organization’s network and information systems.
Access control – Implementing procedures and controls to manage who has access to network and information systems, and what actions they can perform.
Encryption – Encrypting sensitive data, such as personal data, to protect it from unauthorized access or theft.
Firewall – Implementing firewalls to control access to and from the organization’s network and information systems.
Software updates – Keeping software up-to-date with the latest security patches and updates to address known vulnerabilities.
Incident response planning – Developing and implementing a plan to respond to security incidents, such as cyberattacks, and minimize their impact.
Regular security assessments – Regularly assessing the security of the organization’s network and information systems, identifying vulnerabilities, and taking steps to remediate them.
Penetration Testing – Penetration testing involves simulating an attack on a network or system in order to identify any security weaknesses that an attacker could exploit. By performing regular penetration testing, organizations can identify and address security risks before they are exploited by attackers.

To summarize, ‘appropriate measures’ are technical and organizational measures that must be implemented by organizations to ensure the security of their network and information systems and prevent and minimize the impact of security incidents, such as cyber attacks. The specific appropriate measures will depend on the specific risks faced by the organization and the data it processes, but shortly, it is difficult to see a scenario where the above measures are not required.

Security Awareness Training

Security awareness training is a typical ‘appropriate measure’ and a low-hanging fruit in implementing the NIS2 Directive.

Security awareness training is important because human error is often a significant factor in security incidents, such as data breaches. By providing employees with training on how to identify and respond to potential security threats, organizations can reduce the risk of security incidents caused by human error.

For example, security awareness training can cover topics such as phishing, password management, and the proper handling of sensitive information, among others. By providing employees with the knowledge and skills to recognize and respond to potential security threats, organizations can strengthen their overall security posture and reduce the risk of security incidents caused by human error.

Online security awareness training for all staff is a cost-efficient way to improve the security posture of any organization. eBuilder Security is offering online security awareness training that is based on nano-trainings i.e., short videos that can be viewed on essentially any mobile phone, tablet, or computer. Coupled with regular friendly Phishing attacks to measure the effectiveness of the training the security posture of the organization can be improved drastically.

Endpoint Protection

Endpoint protection refers to the security measures and technologies that protect an organization’s endpoints, such as computers, laptops, smartphones, and other internet-connected devices. These measures can include antivirus and antimalware software, firewalls, and endpoint detection and response (EDR) solutions, among others.

Organizations can prevent, detect, and respond to security incidents that occur on their endpoints, can reduce the risk of security incidents caused by malicious code, and strengthen their overall security posture by implementing endpoint protection. This is particularly important as endpoints are often the entry point for malicious actors looking to access the network and information systems of an organization.

Preventing malware from being installed on an endpoint, detecting malicious activity on the endpoint, and responding to security incidents by isolating infected endpoints and removing malicious code are some examples of endpoint protection solutions.

Traditional endpoint protection solutions often rely on signature-based detection methods, which can be less effective against newer and more sophisticated security threats. CrowdStrike is considered a next-generation endpoint protection solution, due to its cloud-based architecture, use of artificial intelligence and machine learning, and its focus on real-time threat detection and response.

There can be several ways in which next-generation endpoint protection solutions differ from traditional endpoint protection solutions. Next-generation endpoint protection solutions are often cloud-based, which enables organizations to receive real-time protection updates and provides the ability to respond to security incidents quickly. They also use advanced technologies such as artificial intelligence and machine learning to detect and prevent security threats, which helps to improve their accuracy and speed of response.

CrowdStrike’s cloud-based approach, use of artificial intelligence and machine learning, and focus on real-time threat detection and response make it a good example of a next-generation endpoint protection solution.

eBuilder Security offers Crowdstrike’s endpoint protection as a service. You should consider replacing your traditional endpoint protection with a more modern next generation AI-based endpoint protection.

Application Penetration Testing

Application Penetration testing (pentesting) is the process of simulating an attack on an application in order to identify any security weaknesses that an attacker could exploit. Organizations can identify and address security risks before they are exploited by attackers, by performing regular penetration tests.

In addition, organizations should also implement other technical and organizational measures to protect their applications such as access controls, encryption, incident response planning, regular vulnerability scanning, and security awareness training, in order to comply with the NIS2 directive.

Organizations must ensure that their penetration testing is performed by qualified and experienced professionals and that their testing is carried out in accordance with industry best practices and ethical guidelines. eBuilder Security performs in depth penetration tests for numerous organizations in the Nordics.

Network Penetration Testing

Network penetration testing is the process of simulating an attack on an organization’s network and information systems to identify security vulnerabilities. By conducting network penetration testing, organizations can identify security weaknesses and take steps to remediate them before they are exploited by malicious actors.

Attempting to exploit known vulnerabilities, probing for vulnerabilities, and attempting to gain unauthorized access to systems and data are examples of some techniques that can be involved in network penetration testing.

Network penetration testing is an important component of a comprehensive cybersecurity program and can play a critical role in ensuring the security of an organization’s network and information systems. eBuilder Security offers Network Penetration Testing as a service. Scans can be run on a regular basis without a large investment in licenses.

Application Vulnerability Scanning

Application vulnerability scanning is the process of identifying security vulnerabilities in software applications, such as web applications and mobile apps. By conducting application vulnerability scanning, organizations can identify security weaknesses and take steps to remediate them before they are exploited by malicious actors.

Probing for vulnerabilities, attempting to exploit known vulnerabilities, and attempting to gain unauthorized access to systems and data are some examples of techniques that can be involved in application vulnerability scanning.

Application vulnerability scanning is an important component of a comprehensive cybersecurity program and can play a critical role in ensuring the security of an organization’s network and information systems. eBuilder Security offers Application Vulnerability Scanning as a service. There are no expensive licenses to be paid and no complex setup and maintenance of the scanning application. eBuilder Security handles all that for you as part of the service.

Security Review & Audit

A security review & audit functions as a maturity check for your organization. It gives you an action plan for the future and helps improve your posture. Companies that perform regular audits have shown to be more perceptive of their risks. Thus in case of a security incident, they are better placed to identify the most vulnerable places and immediately mitigate any issues as they are more competent in handling the situation.

Doing a review or an audit is not only a compliance check, but it also gives you a deeper understanding of your risks and indicates where you should focus your efforts most on.

Regularly testing the effectiveness of your security measures is an important step in becoming NIS2 compliant. eBuilder Security offers security review & audit which will be an important first step in evaluating the effectiveness of your existing processes and controls and identifying gaps in your current setup. Based on ISO 27001 standard and CIS controls, eBuilder Security’s audit process is complemented by our own unique methodology to achieve an end result that indicates your position with regards to ISO 27001 requirements as well as in overall cybersecurity hygiene.

Be NIS2 compliant with eBuilder Security

When implementing ‘appropriate measures’ to secure your cyber assets you ought to try for the best solution available. But affording the best can be challenging.

Partnered with the best in the industry, eBuilder Security prides itself on envisioning affordable top-notch Security as a Service (SECaaS) solutions, on tap, for all enterprises. Not just help you become compliant, but we also provide a number of tailored solutions carefully selected and gathered to cater to all your security needs.