Navigating the NIS 2 Directive: Strengthening EU Cybersecurity


The EU Network and Information Security (NIS) Directive is being replaced by a newer version, NIS2, which Member States must apply from 17 October 2024. NIS1 was adopted eight years earlier, in July 2016, with the aim of achieving “a high common level of security of network and information systems across the Union”. In the eight years since then, the technological landscape, and with it the cyber threat landscape, has changed dramatically, which drove the EU legislators to update the original directive. The main factors behind the decision to overhaul it were the evolving threat landscape, accelerating digital transformation, the limited scope and inconsistent implementation of the original directive, insufficient reporting and enforcement mechanisms, the need for alignment with other EU regulations (such as GDPR), and lessons learned from eight years of relentless cyber attacks against EU entities, including notable attacks exploiting the supply chain.

NIS2 has addressed all these issues to create a comprehensive, EU-wide cybersecurity framework.

Key Changes in NIS 2

The main changes from the previous version include:

  • Scope: NIS2 expands the sectors and industries covered to include additional types of critical infrastructure and digital services. It categorizes entities into two main groups: “essential entities” and “important entities.” This categorization is done according to the entity’s criticality to the economy and society.
    • Essential Entities include the Water and Energy sectors, Transportation, Banking and Financial Services and infrastructure, Healthcare, Digital infrastructure (the backbone of the internet) and ICT companies, public administration (including Central and Regional governments) and Space.
    • Important Entities include Postal services, Chemicals, Waste management, Food production and distribution, Manufacturing, Research organizations and Digital providers (such as Online marketplaces, search engines and social media platforms). EU member countries can add additional entities as essential or important based on national risk assessments and enforce the directive upon them as well.
  • Risk management: the Directive requires entities to identify and document potential vulnerabilities and threats and implement appropriate technical and organizational measures to manage these risks.
  • Incident reporting: the directive aims to standardize reporting procedures across the Union, with an emphasis on prompt and accurate reporting. Any incident having a significant impact on the provision of services, and any incident that could potentially cause substantial operational disruption or financial losses, must be reported to the designated national Computer Security Incident Response Team (CSIRT) or competent authority, and, where end-users are affected, the affected recipients of the service must be notified as well.
    • The first report (the directive calls it an “early warning”) is due within 24 hours of becoming aware of a significant incident, a more comprehensive “incident notification” within 72 hours, and the final report no later than one month after the incident notification. These reporting deadlines are very challenging and will surely force organizations to invest more in improving their reporting capabilities (and hopefully their cyber defences as well).
  • Supply chain security: given the recent wave of supply chain attacks, it is no wonder that NIS2 emphasizes the importance of securing supply chains and addressing risks from third-party providers.
  • Penalties: all this comprehensive regulation would not be effective without stringent enforcement mechanisms, including potential fines for non-compliance. These are no mere “slap on the wrist” fines. In line with other EU regulations (such as GDPR), they can be extremely significant. For essential entities: up to €10 million or 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher. For important entities: up to €7 million or 1.4% of that turnover, whichever is higher. These fines can be applied against entities for various reasons, including failure to implement appropriate security measures or failure to report incidents. The size of the fine will depend on the severity and duration of the infringement and on the level of negligence.

Enforcement is not limited to fines on the organization: competent authorities can publicly disclose infringements and, for essential entities, temporarily ban individuals at the highest management level (such as the CEO or legal representative) from exercising managerial functions until the infringement is remedied.

Implications for Cloud Security

The NIS2 Directive doesn’t focus exclusively on cloud security (the word “cloud” appears a mere 7 times in the document). It takes a technology-neutral approach that focuses on outcomes and risk management rather than on specific technologies, infrastructure or architecture. Organizations are required to apply the general principles of the directive to their cloud environments as part of their overall cybersecurity and risk management strategy.

However, cloud computing service providers are considered part of the digital infrastructure sector and are therefore listed among the directive’s “essential entities”, meaning they are directly subject to the directive’s requirements.

The directive acknowledges the shared responsibility model in cloud computing and emphasizes the risk of supply chain attacks, many of which have been conducted via cloud services and applications. This means that organizations using cloud services (and in all likelihood, every essential and important entity uses the cloud in one way or another) must consider the security of their cloud providers as part of their overall supply chain risk management. The same goes for NIS2’s emphasis on data protection, which applies equally to data stored and processed in cloud environments.

Potential pitfalls for cloud users:

Two areas in which regulated entities can fall short (and suffer subsequent fines) are risk assessment and incident reporting. We know that many organizations have difficulty scoping their cloud security risks. They use tools that scan and present numerous vulnerabilities but fail to identify the “crown jewels” and the actual risk to them. Incident reporting will also be a challenge, given that the actual scope (“blast radius”) of a cloud-related security incident is difficult to assess in the very first steps of identification, especially if the organization is trying to do so with traditional, non-AI-based means. Finally, technology providers who are themselves part of the supply chain will find it extremely difficult to gauge the potential damage to their users in the event of a cyber incident. Combine all these challenges with extremely short reporting deadlines and daunting fines, and we can only speculate that this will hasten the adoption of AI-based cloud security simulation, risk assessment and detection tools, allowing organizations to adhere to these requirements (or at least to show they have done enough).

 
