NIS2: Build compliance with the Network and Information Security Directive 2

NIS Directive 2 aims to increase cybersecurity in the EU by introducing incident reporting obligations. Organizations must implement risk management measures and have business continuity plans in place. Corporate management is responsible for approving and monitoring these measures.

The Network and Information Security Directive (NIS2) provides legal measures to increase the general level of cybersecurity within the European Union (EU) and to ensure the resilience of the networks and information systems of critical entities operating in the EU. Special emphasis is placed on cybersecurity incident response: an obligation to report incidents and to share this information between the cybersecurity incident response teams of the EU Member States is foreseen. The NIS2 Directive comes into force on 17 October 2024 and will replace the Network and Information Systems (NIS) Directive in force since May 2018.

NIS2: NEW ORGANISATIONAL REQUIREMENTS

To achieve an increased overall level of cyber security in the EU, the NIS2 Directive introduces new requirements and obligations for organizations in four main areas:

RISK MANAGEMENT

Organizations covered by NIS2 must take measures to minimize cyber risks, including incident management, supply chain security, enhanced network security, access control, and encryption.

CORPORATE ACCOUNTABILITY

Establish responsibilities for corporate management, including monitoring and approving cybersecurity measures, developing and implementing strategies to address cyber risks, and being trained on cybersecurity best practices.

PROCESSING AND REPORTING OF INCIDENTS

Essential and important entities must have processes for the prompt reporting of security incidents that significantly affect service delivery or the recipients of their services.

BUSINESS CONTINUITY

Organizations should develop and implement a business continuity plan in the case of a cyber incident. This plan includes backup, system recovery, emergency procedures, and establishing a crisis response team.

NIS2: TEN MINIMUM MEASURES

In addition, minimum security measures are mandatory for essential entities to address specific forms of likely cyber threats. These include:

01. Implementation of risk analysis and information system security policies
02. Implement a plan for handling and reporting security incidents
03. Implement a plan to manage business operations during and after a security incident (business continuity)
04. Implement policies and procedures to assess the effectiveness of cybersecurity risk management measures
05. Supply chain security, including the relationship between each entity and its direct suppliers or service providers
06. Security in the acquisition, development, and maintenance of networks and information systems
07. Conduct periodic training on cyber security and basic cyber hygiene practices
08. Implement policies and procedures regarding the use of cryptography and, where applicable, encryption
09. Implementation of solutions for multi-factor or continuous authentication, encryption of voice, video, and text, and encrypted internal communication
10. Implementation of HR security procedures, access control, and asset management policies


NIS2: APPROACH TO INCIDENT REPORTING

The new Directive provides for a multi-stage approach to incident reporting. Affected organizations have 24 hours from the moment they first become aware of an incident to submit an early warning to the national cybersecurity incident response team or the competent national authority. This also allows them to seek assistance (guidance or operational advice on possible mitigation measures). The early warning must be followed by an incident notification within 72 hours of becoming aware of the incident, and by a final report within one month.

NIS2: CONTROLS AND SANCTIONS

The European Commission has agreed on significant sanctions for organisations that do not comply with the requirements of NIS2. They can receive administrative fines of up to EUR 10 million or 2% of total worldwide annual turnover for essential entities, or up to EUR 7 million or 1.4% of total worldwide annual turnover for important entities, as well as the potential removal of the organisation's senior management.

NIS2: TO WHICH SECTORS APPLY?

Any medium or large enterprise with more than 50 employees or with an annual turnover of more than EUR 10 million in the listed high criticality and other critical sectors falls under the scope of NIS2. Based on the sector and the importance of the entities (organizations), they will be classified as essential or important entities. The main distinction between essential and important entities lies in the supervisory and enforcement measures and the sanctions that will apply to them:

  • An essential entity is one from a highly critical sector, which will be subject to comprehensive ex-ante and ex-post supervision by the competent authorities.
  • An entity falling within the scope of NIS2 but not classified as essential is an important entity and will only be subject to ex-post supervision.

Even if your organization is not physically located in the EU, it may be subject to NIS2 provided it provides services in any EU Member State.

According to Article 2, NIS2 applies to all medium-sized enterprises or larger entities in the sectors listed in Annexes I and II of the Directive.

NIS2: HIGH CRITICALITY SECTORS

ENERGY

supply, distribution, transmission and sale of electricity, oil, gas, district heating and cooling, hydrogen

HEALTHCARE SECTOR

public and private healthcare providers, medical equipment and drug manufacturers, medical insurance providers, and other important health-related services

DIGITAL INFRASTRUCTURE & IT SERVICES

telecommunications, data centers, registries, cloud service providers, managed and security services, ICT

DRINKING WATER AND WASTEWATER

drinking water suppliers and wastewater operators

PUBLIC ADMINISTRATION

central, regional, and local

FINANCE SECTOR

credit, trade, markets, and infrastructure

TRANSPORT

air, rail, road, and water (incl. sea freight and port shipping)

SPACE

ground infrastructure operators

NIS2: OTHER CRITICAL SECTORS

POSTAL & COURIER SERVICES

multiple organizations involved in mail and parcel delivery, from national postal services to small niche courier companies

SCIENTIFIC RESEARCH

research organisations

MANUFACTURING

medical devices and medical devices for in vitro diagnostics; computers, electronic and optical products; electrical equipment; motor vehicles, trailers and semi-trailers; machinery and equipment n.e.c.; other transport equipment

FOOD SECTOR

industrial production, processing, and wholesale distribution

CHEMICALS SECTOR

production, preparation, and distribution of chemicals

DIGITAL SERVICE PROVIDERS

search engines, online stores, social platforms

WASTE MANAGEMENT

Solutions to building and maintaining compliance with the NIS2 Directive

1. Risk analysis and information system security
One Identity and OneLogin Identity and Access Management (IAM)

The solution helps organizations assess the risks associated with identities and access to critical resources. It gives users access only to the data and applications they need to perform their duties, and conducts access control and identity audits as needed.

OpenText NetIQ Identity and Access Management (IAM)

An identity and access management solution that helps organizations control access to critical resources and reduce the risk of privilege abuse. The solution provides identity and role management, Single Sign-On, multi-factor authentication, and automated access management.

2. Incident handling and reporting
3. Business continuity
Quest NetVault Plus

A solution for centralized management of backups across many systems and applications. It supports both physical and virtual servers, databases and file systems.

Quest QoreStor

A software solution for optimizing data storage and increasing backup speed. It can be integrated with different backup solutions, including Veeam.

OpenText Data Protector

A solution for centralized management of backups across many systems and applications. It supports both physical and virtual servers, databases and file systems.

4. Supply chain security
Cyberint Supply Chain Intelligence

Cyberint's Supply Chain Intelligence continuously identifies an organization's suppliers and technologies, monitors and assesses third-party risks, and generates real-time alerts for serious risks and breaches. Organizations are given enhanced reporting capabilities to inform stakeholders of relevant supply chain risks.

OpenText Fortify

A solution that offers comprehensive static and dynamic application security testing technologies, providing monitoring and protection of applications at runtime. It detects security and license risks in third-party software components.

5. Security in the acquisition, development, and maintenance of networks and information systems
macmon Network Access Control (NAC)

A solution that provides complete visibility of all known and unknown devices on the local network, and restricts or blocks external or unconfigured devices from connecting to the network. It does not require changes to the existing infrastructure or to the configuration of the existing network.

OpenText Fortify

A solution that offers comprehensive static and dynamic application security testing technologies, providing monitoring and protection of applications at runtime. It detects security and license risks in third-party software components.

6. Evaluation of the effectiveness of cyber security risk management measures
OneLogin Access Management

A solution that offers access control, single sign-on, multi-factor and adaptive authentication, with various passwordless authentication options. It allows application changes and updates to be tested in advance in a controlled environment, minimizing the risks associated with deployment. It includes a threat detection system that generates risk information, automatically adapts user login flows, and monitors for anomalies in real time.

OpenText Access Management

A solution that offers single sign-on authentication and access control across the organization, API security, and remote access to web and API-based applications. The solution supports Zero Trust security models. It provides information on the value of data at risk and the level of protection of sensitive information, on request, during an audit, or when regulatory compliance must be demonstrated.

OpenText Voltage

The solution provides the ability to analyze structured and unstructured data based on artificial intelligence and identify sensitive data and associated risks. The ability to detect and appropriately mask personal data (e.g., credit card information, passport photo, or CCTV footage outside of the public domain) protects businesses from fines, loss of reputation, and potential leaks of personal data.

7. Basic practices for cyber hygiene and cyber security training
8. Policies and procedures regarding the use of cryptography and, where applicable, encryption
Quest ApexSQL

The solution provides security and compliance tools that enable database administrators, developers, and security experts to classify, detect, check for vulnerabilities, and protect personal and sensitive data in their SQL Server databases and throughout their DevOps CI/CD lifecycle. Database administrators can implement comprehensive audit policies with alerting and reporting to minimize a business’s exposure to regulatory non-compliance or data breaches. The solution also allows masking of sensitive data.

OpenText Voltage

A data protection solution where the access policy moves with the data itself, allowing encryption and tokenization without changes to the format or integrity of the data. Eliminates the cost and complexity of issuing and managing certificates and symmetric keys. The solution capabilities include format-preserving encryption; support for all data types; preservation of referential data integrity; and NIST-approved encryption standard – FF1 AES encryption. The solution is compatible with different systems and platforms, allowing integration into the existing infrastructure.

9. HR security, access control policies, and asset management
OpenText Identity and Access Management (IAM)

An identity management solution that helps organizations automate their identity and access management processes. It offers a single point of management for users, groups, and roles, as well as privilege and access management, streamlining processes and reducing the risk of unauthorized access.

Privileged Access Management (PAM)

A privileged access management solution that can help organizations control access to critical resources and reduce the risk of privilege abuse. The solution offers privileged access monitoring, password management, access management, behavioral analysis, and complete user action reporting.

OpenText Asset Management

A solution for inventorying hardware and software assets, managing licenses and patches, and detecting configuration changes.

10. Multi-factor authentication or continuous authentication solutions
OneSpan Hardware OTP tokens, Mobile OTP tokens, FIDO hardware authenticators

Multi-factor authentication (MFA) solutions that enhance the security of data and application access. These can be physical devices that generate one-time passwords (OTP), software applications installed on mobile devices, or FIDO hardware authenticators based on public/private key pairs.

OneLogin Access Management

An access management solution that provides single sign-on, multi-factor authentication, integration with Active Directory, LDAP and other external directories, user provisioning, endpoint management, and more.

OpenText Access Management

An access management solution that provides single sign-on, multi-factor authentication, integration with Active Directory, LDAP and other external directories, user provisioning, endpoint management, and more.

Escom Bulgaria has a team of experienced information and cyber security experts who can help you comply with the NIS2 Directive.
