Navigating the NIS 2 Directive: Strengthening EU Cybersecurity


The EU Network and Information Security (NIS) Directive is being replaced by a newer version, NIS2: Member States must transpose it into national law by 17 October 2024, the date on which the original directive is repealed. NIS1 was signed almost exactly 8 years earlier, in July 2016, with the aim of achieving “a high common level of security of network and information systems across the Union”. In the 8 years since then, the technological landscape, and with it the cyber threat landscape, has changed dramatically, which drove the EU legislature to update the original directive. The main factors behind the decision to overhaul the directive were the evolving threat landscape, accelerated digital transformation, the limited scope and inconsistent implementation of the original directive, insufficient reporting and enforcement mechanisms, the need to align with other EU regulations (such as GDPR), and lessons learned from 8 years of relentless cyber attacks against EU entities, including notable attacks exploiting the supply chain.

NIS2 addresses all of these issues to create a comprehensive, EU-wide cybersecurity framework.

Key Changes in NIS 2

The main changes from the previous version include:

  • Scope: NIS2 expands the sectors and industries covered to include additional types of critical infrastructure and digital services. It categorizes entities into two main groups: “essential entities” and “important entities”, according to the sector’s criticality to the economy and society. Within a covered sector, whether a given organization is essential or important depends mainly on its size (large enterprises in the high-criticality sectors are essential, medium-sized ones are important), with some exceptions, such as DNS service providers and top-level domain name registries, which are essential regardless of size.
    • Essential Entities include the water and energy sectors, transportation, banking and financial market infrastructure, healthcare, digital infrastructure (the backbone of the internet) and ICT service management, public administration (including central and regional governments) and space.
    • Important Entities include postal and courier services, chemicals, waste management, food production and distribution, manufacturing, research organizations and digital providers (such as online marketplaces, search engines and social media platforms). EU member countries can designate additional entities as essential or important based on national risk assessments and enforce the directive upon them as well.
  • Risk management: the Directive requires entities to identify and document potential vulnerabilities and threats and to implement appropriate and proportionate technical, operational and organizational measures to manage these risks. Article 21 spells out a minimum set of such measures, including incident handling, business continuity and backup management, supply chain security, secure development and vulnerability handling, basic cyber hygiene and training, cryptography, access control and asset management, and multi-factor authentication.
  • Incident reporting: the directive aims to standardize reporting procedures across the Union, with an emphasis on prompt and accurate reporting. Any incident with a significant impact on the provision of services, meaning one that has caused or is capable of causing severe operational disruption or financial loss, or considerable material or non-material damage to others, must be reported to the designated national Computer Security Incident Response Team (CSIRT) or competent authority, and, where end-users are affected, to them as well.
    • The first report (the “early warning”) is due within 24 hours of becoming aware of a significant incident, a more comprehensive “incident notification” within 72 hours, and the final report within one month of submitting the incident notification. Authorities can also request intermediate status updates in between. These reporting times are very challenging and will surely force organizations to invest in improving their reporting capabilities (and hopefully their cyber defences as well).
  • Supply chain security: given the recent wave of supply chain attacks, it is no wonder that NIS2 emphasizes the importance of securing supply chains and addressing risks from third-party providers, including the security practices of direct suppliers and service providers.
  • Penalties: all this comprehensive regulation would not be effective without stringent enforcement mechanisms, including potential fines for non-compliance. These are no mere “slap on the wrist” fines. In line with other EU regulations (such as GDPR), they can be extremely significant. For essential entities: up to €10 million or 2% of total worldwide annual turnover, whichever is higher. For important entities: up to €7 million or 1.4% of total worldwide annual turnover, whichever is higher. Fines can be imposed for various reasons, including failure to implement appropriate security measures or failure to report incidents, and their size depends on the severity and duration of the infringement and the degree of negligence.

Enforcement does not stop at fines. Non-compliance can be made public, management bodies can be held liable for their organization’s failure to comply, and, for essential entities, individuals with management responsibilities at the highest level can be temporarily banned from exercising managerial functions.

Implications for Cloud Security

The NIS2 Directive does not focus exclusively on cloud security (the word “cloud” appears a mere 7 times in the document) and takes a technology-neutral approach that focuses on outcomes and risk management rather than on specific technologies, infrastructure or architecture. Organizations are therefore expected to apply the general principles of the directive to their cloud environments as part of their overall cybersecurity and risk management strategy.

However, cloud computing services are explicitly listed under digital infrastructure, so cloud service providers themselves fall within the directive’s scope (large providers as “essential entities”, medium-sized ones as “important entities”) and are subject to its requirements.

The directive’s supply chain requirements align with the shared responsibility model in cloud computing, and it emphasizes the risk of supply chain attacks, many of which have been conducted via cloud services and applications. This means that organizations using cloud services (and in all likelihood, all essential and important entities use the cloud in one way or another) must consider the security of their cloud providers as part of their overall supply chain risk management. The same goes for NIS2’s emphasis on data protection, which applies equally to data stored and processed in cloud environments.

Potential pitfalls for cloud users:

Two areas in which regulated entities can fall short (and suffer subsequent fines) are risk assessment and incident reporting. We know that many organizations have difficulty scoping their cloud security risks: they use tools that scan and present numerous vulnerabilities but fail to identify the “crown jewels” and the actual risk to them. Incident reporting will also be a challenge, given that the actual scope (“blast radius”) of cloud-related security incidents is difficult to assess in the very first steps of identification, especially if the organization is trying to do so with traditional, non-AI-based means. Finally, technology providers who are themselves part of the supply chain will find it extremely difficult to gauge the potential damage to their users in case of a cyber incident. Combine all these challenges with extremely short reporting times and daunting fines, and we can only speculate that this will hasten the adoption of AI-based cloud security simulation, risk assessment and detection tools that allow organizations to adhere to these guidelines (or at least show they have done enough).
