What Happened

The European Union has issued a new cybersecurity directive known as the Network and Information Security Directive 2 (NIS2). Adopted on November 28, 2022, this directive aims to bolster cybersecurity across the EU. It mandates that critical infrastructure operators improve their cyber resiliency to protect against increasing cyber threats. Target sectors include energy, transport, banking, financial market infrastructures, health, drinking water supply and distribution, digital infrastructure, public administration, and space.

The directive extends beyond the previous NIS Directive, now applicable to a broader range of sectors. This update comes after recognizing the growing sophistication and frequency of cyberattacks targeting critical infrastructure sectors across the EU.

Technical Details

NIS2 stipulates several technical requirements for compliance. Entities must adopt risk management practices that include the implementation of multi-factor authentication (MFA), incident response protocols, and vulnerability handling procedures. The directive highlights patch management, advocating for prompt application of security updates to mitigate known vulnerabilities with CVE IDs.

Industries affected must utilize intrusion detection and protection systems to identify Indicators of Compromise (IOCs) promptly. They must conduct regular security training for employees to recognize and prevent social engineering attacks. Encryption of data both at rest and in transit is required to safeguard sensitive information against potential breaches.

Additionally, organizations are to maintain logs and ensure their availability for potential investigation by relevant authorities. Effective coordination within and across sectors is emphasized to facilitate information sharing about emerging threats and vulnerabilities.

Impact

Approximately 160,000 entities across multiple sectors in the EU are affected by NIS2. The directive applies to medium and large enterprises that provide essential services and digital services. The ripple effect may also extend to suppliers and partners of these entities, necessitating broader compliance across supply chains.

Failure to comply with NIS2 could result in significant financial penalties and reputational damage. Organizations might face fines reaching 2% of their annual global turnover or up to 10 million Euros, whichever is higher.

What To Do

  • Conduct comprehensive security audits to align with NIS2 requirements.
  • Implement multi-factor authentication across all access points.
  • Deploy and regularly update intrusion detection and prevention systems.
  • Conduct regular training sessions for employees on cybersecurity best practices and threat awareness.
  • Develop and test incident response plans to quickly address potential breaches.
  • Establish strong vulnerability management practices, including timely patching of systems.
  • Implement data encryption for data at rest and in transit.
  • Collaborate with sector-specific organizations to share threat intelligence.

Organizations must act swiftly to bring their cybersecurity practices in line with NIS2 standards. Performing a gap analysis can help identify areas needing immediate attention. Enhancing monitoring and response capabilities is essential to comply with this directive and mitigate the risk of severe penalties and reputational harm.

Related: