The EU’s original Directive on Network and Information Security (NIS) was established in July 2016. Its aim was to improve cyber-resilience throughout the European Union by regulating baseline cybersecurity measures, strengthening national cybersecurity capabilities, and improving cybersecurity-related collaboration between EU Member States.
By 17 October 2024, however, the NIS will officially be replaced in EU Member States’ law by a newer, fresher version, creatively named NIS2.
What is NIS2 and why is it being introduced?
The Network and Information Security Directive 2 (NIS2) expands the original baseline of cybersecurity risk management measures and reporting obligations to include a wider range of sectors and critical organisations. It also imposes greater accountability through more serious sanctions/penalties for compliance shortfalls.
The tighter controls NIS2 brings are not without cause, however. They come at a time of rapid evolution in Europe’s cybersecurity threat landscape.
The latest edition of Microsoft’s Digital Defense Report shows a significant increase in attacks on Member States since the onset of the war in Ukraine. Attackers have become more sophisticated, using automation and remote access technologies to increase their target range. Vulnerabilities in IT supply chains have become favoured entry points, providing rapid access to critical infrastructure. The median time for an attacker to begin moving within a corporate network is now less than two hours, a terrifying statistic when set against average incident response times.
Key features of NIS2
We won’t dive too deeply into the specifics of the new NIS2 requirements in this article. Suffice to say it includes risk assessments, multifactor authentication, and security procedures for employees with access to sensitive data, and introduces new requirements around supply chain security, incident management and business recovery plans.
The framework is, undoubtedly, more comprehensive than its predecessor, bringing:
- Stricter requirements across a wider scope of sectors.
- A focus on securing business continuity (including supply chain security).
- Improved and streamlined reporting obligations.
- More severe repercussions for transgressions (including fines and legal liability for management).
- Localised enforcement in all EU Member States.
How to prepare for NIS2
Preparing for NIS2 may take considerable effort for organisations still working through their digital transformation. Any successful approach will need to consider:
- People: Improving cybersecurity training, employee security procedures, the use of cryptography and multi-factor authentication, and augmenting cybersecurity talent.
- Planning: Understanding vulnerabilities and implementing effective safeguards and incident response handling.
- Partners: Choosing trusted technology solutions and service providers that prioritise security by design.
Who needs to comply with NIS2?
NIS2 applies to a broader range of entities compared to the original NIS Directive, with size thresholds that differ between the two groups below. It covers:
- Essential Entities – entities in sectors that are considered critical for the economy and society, including energy, transport, finance, public administration, health, space, water supply and digital infrastructure.
- Important Entities – entities in sectors that, while not deemed essential, still play a significant role and whose disruption could have a substantial impact, including postal services, waste management, chemicals, research, foods, manufacturing, digital providers.
Why NIS2 matters to everyone (even those outside affected sectors)
Registration and strict adherence to NIS2 may not be necessary for your organisation. Nonetheless, the regulations and principles behind NIS2 form an important basis of best practice for cybersecurity.
As security specialists, trust us when we say this is something all modern organisations should be prioritising. Regardless of regulations, the risks and repercussions of cybersecurity breaches grow substantially every day.
As such, we strongly suggest all Microsoft-based organisations take the following steps to boost their cyber-resilience as soon as possible:
- Control access to sensitive data and monitor insider threats. This can be done by fast-tracking deployment of Microsoft Purview Data Loss Prevention, Information Protection and Insider Risk.
- Transform your workforce into cybersecurity champions. Social engineering accounts for 98% of all cyberattacks – your people are your first (and often weakest) line of defence.
- Make the most of AI-powered tools to augment the skills and experience of your cybersecurity teams. Security Copilot draws on Microsoft’s global threat intelligence and over 65 trillion daily signals to deliver insights that dramatically increase the quality of threat detection and decrease incident response times.
Does your organisation need to be NIS2 ready? Are you looking to improve your general cyber-resilience and reduce your risk profile? Our Cloud Essentials security and compliance specialists are ideally positioned to help you boost your cybersecurity defences and response capabilities using Microsoft Purview’s powerful features. Get in touch.