Navigating the NIS 2 Directive: Strengthening EU Cybersecurity

Blog Cloud Infrastructure Cloud Security

The EU Network and Information Security (NIS) Directive will be update to a newer version, NIS2 on 17 October 2024.  NIS1 was signed exactly 8 years ago, on July 2016 with the aim of achieving “a high common level of security of network and information systems across the Union”. However, during the 8 years that have passed with then, the technological landscape, and with it, the cyber threat landscape, has changed dramatically, which drove the EU legislative council to update the original directive. The main factors effecting the decision to overhaul the directive were the Evolving Threat Landscape, increased Digital Transformation, limited scope and Inconsistent Implementation of the original directive, Insufficient Reporting Mechanisms and Enforcement Mechanisms, alignment with other EU regulations (like GDPR) and lessons learned from 8 years of relentless cyber attack against EU entities, including notable attacks exploiting the supply chain.

NIS2 has addressed all these issues to create a comprehensive, EU-wide cybersecurity framework.

Key Changes in NIS 2

The main changes from the previous version include:

  • Scope: NIS2 expands the sectors and industries covered to include additional types of critical infrastructure and digital services. It categorizes entities into two main groups: “essential entities” and “important entities.” This categorization is done according to the entity’s criticality to the economy and society.
    • Essential Entities include the Water and Energy sectors, Transportation, Banking and Financial Services and infrastructure, Healthcare, Digital infrastructure (the backbone of the internet) and ICT companies, public administration (including Central and Regional governments) and Space.
    • Important Entities include Postal services, Chemicals, Waste management, Food production and distribution, Manufacturing, Research organizations and Digital providers (such as Online marketplaces, search engines and social media platforms). EU member countries can add additional entities as essential or important based on national risk assessments and enforce the directive upon them as well.
  • Risk management: the Directive requires entities to identify and document potential vulnerabilities and threats and implement appropriate technical and organizational measures to manage these risks.
  • Incident reporting: the directive aims to standardize reporting procedures across the Union, with an emphasis on prompt and accurate reporting. Any incident having a significant impact on the provision of services and incidents that could potentially cause substantial operational disruption or financial losses must be reported to the designated national Computer Security Incident Response Team (CSIRT), and in cases where end-users are effected, to them as well.
    • The first report should be Within 24 hours of becoming aware of a significant incident, a more comprehensive report (“Initial report”) with 72 hours and the Final Report should be release Within one month of the incident. These reporting times are very challenging and will surely force organizations to invest more in improving their reporting capabilities (and hopefully- their cyber defences as well..)
  • Supply chain security: Given the recent flux of supply chain attacks, it is no wonder that NIS2 emphasizes the importance of securing supply chains and addressing risks from third-party providers.
  • Penalties: All this comprehensive regulation wouldn’t have been effective without stringent enforcement mechanisms, including potential fines for non-compliance. These are no mere “slap on the wrist fines”. In accordance with other EU regulations (such as GDPR), these fines can be extremely significant. For essential entities: Up to €10 million or 2% of the total worldwide annual turnover (whichever is higher), For important entities: Up to €7 million or 1.4% of the total worldwide annual turnover. These fines can be applied against entities for various reasons, including failure to implement appropriate security measures or failure to report incidents. The size of the fine will depend on the severity and duration of the infringement, levels of negligence.

These fines are public and can be imposed personally (as temporary bans) on managerial functions or individuals at the highest management level.

Implications for Cloud Security

NIS2 Directive doesn’t exclusively focus on cloud security (the word “cloud” appears a mere 7 times in the document) and takes a technology-neutral approach that focuses on outcomes and risk management rather than discussing specific technologies, infrastructure or architecture. Organizations are required to apply the general principles detailed by the NIS2 directive to their cloud environments as part of their overall cybersecurity and risk management strategy.

However, Cloud services are considered an important part of digital infrastructure and are thus included in the directive as “essential entities”, meaning they are subject to the directive’s requirements.

The directive acknowledges the shared responsibility model in cloud computing, and emphasizes the risk of supply chain attacks, many of which have been conducted via cloud services and applications. This means that organizations using cloud services (and in most likelihood, all essential and important entities use cloud in one way or the other) must consider the security of their cloud providers as part of their overall supply chain risk management. The same goes for NIS2’s emphasis on data protection, which applies also to data stored and processed in cloud environments.

Potential pitfalls for cloud users:

2 areas in which regulated entities can fall short (and suffer subsequent fines) are Risk Assessment and Incident Reporting. We know that many organizations have difficulties scoping their cloud security risks. They are using tools that scan and present numerous vulnerabilities but fail to identify the “crown jewels” and the actual risk to them. Incident reporting will also be a challenge, given that actual scope (“blast radius”) of Cloud-related security incidents are difficult to assess at the very first steps of identification, especially if the organization is trying to do so with traditional, non-AI-based means. Finally, technology providers who are themselves part of the supply chain will find it extremely difficult to gauge the potential damage to users in case of a cyber incident. Combine all these challenges with extremely short reporting times and daunting fines, and we can only speculate that it will hasten the adoption of AI-based cloud security simulation, risk assessment and detection tools to allow organization to adhere to these guidelines (or- at least show they have done enough).

 

Unlock Your Cloud Security Insights – Free Purple Team Assessment. Learn more here.

Blog

The EU Network and Information Security (NIS) Directive will be update to a newer version, NIS2 on 17 October 2024.  NIS1 was signed exactly 8 years ago, on July 2016 with the aim of achieving “a high common level of security

Cloud SecurityCloud BreachData BreachDDoS
Blog

At the RSA conference there was a CISO panel, talking about the perils of becoming a CISO. Joe Sullivan, the CISO of Uber who just avoided jail time but did have to pay a $50,000 fine has noticed a real

ManagementAICloud BreachCloud SecurityData BreachThreat Detection
Blog

Euro 2024 viewership has been strong throughout the event and millions of visitors and viewers of the games themselves are also expected. Berlin alone is expected to host 2.5 million tourists during the month of the games. Such a large

Cloud SecurityAICloud BreachData BreachThreat Detection
Blog

According to Gartner, 75% of organizations have a Continuous Threat Exposure Management program in place or are evaluating it. Why are so many organizations embracing this approach? In our opinion, it is the embracing of continuous feedback. As Skyhawk focuses

Cloud SecurityAICloud BreachData BreachThreat Detection
Blog

One of the reasons security teams are not successful is they are always looking back, looking back at the breach or the exposure or the alert. They are not able to look forward to prevent the breach, exposure, or alert

Cloud SecurityAICloud BreachData BreachData ScienceThreat Detection
Blog

At Skyhawk, we have always known that CSPM, and even the next-gen of CSPM known as CNAPP, is not enough.  In fact, by 2026, 50% of the attack surface will not be patchable, meaning CSPM/CNAPP solutions will not be effective.

Cloud SecurityAICloud BreachData BreachData ScienceThreat Detection

Thanks For Reaching Out!

One of our expert will get back to you
promptly at asafshachar@gmail.com

See the Purple Team
See the breach before it happens
This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.