The Network and Information Security Directive (NIS2) provides legal measures to increase the general level of cybersecurity within the European Union (EU) and to ensure the resilience of the networks and information systems of critical entities operating in the EU. Special emphasis is placed on cybersecurity incident response: entities are obliged to report incidents, and this information is shared between the EU Member States' cybersecurity incident response teams. Member States must apply the NIS2 rules from 17 October 2024, when NIS2 replaces the original Network and Information Systems (NIS) Directive, which has applied since May 2018.
NIS2: NEW ORGANISATIONAL REQUIREMENTS
To achieve an increased overall level of cyber security in the EU, the NIS2 Directive introduces new requirements and obligations for organizations in four main areas:
RISK MANAGEMENT
Organizations covered by NIS2 must take measures to minimize cyber risks, including incident management, supply chain security, enhanced network security, access control, and encryption.
CORPORATE ACCOUNTABILITY
Responsibilities are established for corporate management, including overseeing and approving cybersecurity measures, developing and implementing strategies to address cyber risks, and receiving training on cybersecurity best practices.
PROCESSING AND REPORTING OF INCIDENTS
Essential and important entities must have processes for promptly reporting security incidents that significantly affect service delivery or the recipients of their services.
BUSINESS CONTINUITY
Organizations should develop and implement a business continuity plan for the event of a cyber incident. This plan includes backups, system recovery, emergency procedures, and establishing a crisis response team.
NIS2: TEN MINIMUM MEASURES
In addition, NIS2 makes ten minimum security measures mandatory for essential and important entities (Article 21(2) of the Directive) to address specific forms of likely cyber threats. These are:
01 Policies on risk analysis and information system security
02 Incident handling
03 Business continuity, including backup management, disaster recovery and crisis management
04 Supply chain security, including security-related aspects of the relationships between each entity and its direct suppliers or service providers
05 Security in the acquisition, development and maintenance of network and information systems, including vulnerability handling and disclosure
06 Policies and procedures to assess the effectiveness of cybersecurity risk-management measures
07 Basic cyber hygiene practices and cybersecurity training
08 Policies and procedures on the use of cryptography and, where appropriate, encryption
09 Human resources security, access control policies and asset management
10 Use of multi-factor or continuous authentication, secured voice, video and text communications, and secured emergency communication systems within the entity, where appropriate
NIS2: APPROACH TO INCIDENT REPORTING
The new Directive provides for a multi-stage approach to incident reporting. Affected organizations have 24 hours from first becoming aware of a significant incident to submit an early warning to the national computer security incident response team (CSIRT) or the competent national authority. The early warning also lets them request assistance (guidance or operational advice on possible mitigation measures). It must be followed by an incident notification within 72 hours of becoming aware of the incident, and by a final report no later than one month after the incident notification.
NIS2: CONTROLS AND SANCTIONS
The Directive provides for significant sanctions for organisations that do not comply with the NIS2 requirements. They may receive administrative fines of up to EUR 10 million or 2% of total worldwide annual turnover (whichever is higher) for essential entities, or up to EUR 7 million or 1.4% of total worldwide annual turnover (whichever is higher) for important entities. Competent authorities may also temporarily prohibit members of the organisation's senior management from exercising managerial functions.
NIS2: TO WHICH SECTORS APPLY?
Any medium or large enterprise (50 or more employees, or annual turnover above EUR 10 million) in the listed high-criticality and other critical sectors falls within the scope of NIS2. Based on their sector and their importance, entities (organizations) are classified as essential or important. The main distinction between essential and important entities lies in the supervisory and enforcement measures and the sanctions that apply to them:
- An essential entity is one from a sector of high criticality; it is subject to comprehensive ex-ante and ex-post supervision by the competent authorities.
- An entity falling within the scope of NIS2 but not classified as essential is important, and is subject only to ex-post supervision.
Even if your organization is not physically located in the EU, it may be subject to NIS2 if it provides services in any EU Member State.
According to Article 2, NIS2 applies to all medium-sized enterprises or larger entities in the sectors listed in Annexes I and II of the Directive.
NIS2: HIGH CRITICALITY SECTORS
Energy: supply, distribution, transmission and sale of electricity, district heating and cooling, oil, gas and hydrogen
Health: public and private healthcare providers, medical equipment and drug manufacturers, medical insurance providers, and other important health-related services
Digital infrastructure and ICT services: telecommunications, data centers, registries, cloud service providers, managed and managed security services, ICT
Water: drinking water suppliers and wastewater operators
Public administration: central, regional, and local
Banking and financial market infrastructure: credit institutions, trading venues, markets, and market infrastructure
Transport: air, rail, road, and water (incl. sea freight and port shipping)
Space: ground infrastructure operators
NIS2: OTHER CRITICAL SECTORS
Postal and courier services: multiple organizations involved in mail and parcel delivery, from national postal services to small niche courier companies
Research: research organisations
Manufacturing: medical devices and in vitro diagnostic medical devices; computers, electronic and optical products; electrical equipment; motor vehicles, trailers and semi-trailers; machinery and equipment n.e.c.; other transport equipment
Food: industrial production, processing, and wholesale distribution
Chemicals: production, preparation, and distribution of chemicals
Digital providers: search engines, online marketplaces, social networking platforms
Solutions for building and maintaining compliance with the NIS2 Directive
One Identity and OneLogin Identity and Access Management (IAM)
The solution helps organizations assess the risks associated with identity and access to critical resources. It gives users access only to the data and applications they need, and performs access control and identity audits as required.
NetIQ Identity and Access Management (IAM)
An identity and access management solution that helps organizations control access to critical resources and reduce the risk of privilege abuse. The solution provides identity and role management, Single Sign-On, multi-factor authentication, and automated access management.
A SIEM solution that analyses network signals to detect malicious traffic, performs real-time event correlation, monitors for ongoing attacks, and detects hostile behaviour and early indicators of attacks.
NetVault Plus
Solution for centralized management of backups across many systems and applications. Supports physical and virtual servers, databases and file systems.
QoreStor
A software solution for optimizing data storage and increasing backup speed. It can be integrated with various backup solutions, including Veeam.
Data Protector
Solution for centralized management of backups across many systems and applications. Supports physical and virtual servers, databases and file systems.
Supply Chain Intelligence
Cyberint's Supply Chain Intelligence continuously identifies an organization's suppliers and technologies, monitors and assesses third-party risks, and generates real-time alerts for serious risks and breaches. Organizations also get enhanced reporting capabilities to inform stakeholders of relevant supply chain risks.
Fortify
A solution offering comprehensive static and dynamic application security testing technologies, together with runtime monitoring and protection of applications. It detects security and licence risks in third-party software components.
Network Access Control (NAC)
A solution that provides complete visibility of all known and unknown devices on the local network, and restricts or blocks external or non-compliant devices from connecting to the network. It requires no changes to the existing infrastructure or network configuration.
Access Management
A solution that offers access control, single sign-on, multi-factor and adaptive authentication, with various password-less authentication options. It allows application changes and updates to be tested in a controlled environment before rollout, minimizing deployment risk. Its threat detection system generates risk information and automatically adapts user login flows, monitoring for anomalies in real time.
Access Management
A solution that offers single sign-on and access control across the organization, API security, and remote access to web- and API-based applications. The solution supports Zero Trust security models and provides information on the data at risk and the level of protection of sensitive information on request, for audits, or when regulatory compliance must be demonstrated.
Voltage
The solution uses artificial intelligence to analyze structured and unstructured data, identifying sensitive data and the associated risks. The ability to detect and appropriately mask personal data (e.g., credit card information, passport photos, or CCTV footage not in the public domain) protects businesses from fines, reputational damage, and potential leaks of personal data.
Conduct periodic training to enhance information security and cyber hygiene in organizations.
ApexSQL
The solution provides security and compliance tools that enable database administrators, developers, and security experts to classify, detect, check for vulnerabilities, and protect personal and sensitive data in their SQL Server databases and throughout their DevOps CI/CD lifecycle. Database administrators can implement comprehensive audit policies with alerting and reporting to minimize a business’s exposure to regulatory non-compliance or data breaches. The solution also allows masking of sensitive data.
Voltage
A data protection solution in which the access policy travels with the data itself, allowing encryption and tokenization without changing the format or integrity of the data. It eliminates the cost and complexity of issuing and managing certificates and symmetric keys. Capabilities include format-preserving encryption; support for all data types; preservation of referential data integrity; and the NIST-approved FF1 mode of AES format-preserving encryption. The solution is compatible with different systems and platforms, allowing integration into the existing infrastructure.
Identity and Access Management (IAM)
An identity management solution that helps organizations automate their identity and access management processes. It offers a single point of management for users, groups, and roles, as well as privilege and access management, streamlining processes and reducing the risk of unauthorized access.
Privileged Access Management (PAM)
A privileged access management solution that can help organizations control access to critical resources and reduce the risk of privilege abuse. The solution offers privileged access monitoring, password management, access management, behavioral analysis, and complete user action reporting.
Asset Management
Solution for inventorying hardware and software assets, managing licenses and patches, and detecting configuration changes.
Hardware OTP tokens, Mobile OTP tokens, FIDO hardware authenticators
Multi-factor authentication (MFA) solutions that strengthen the security of access to data and applications. These can be physical devices that generate one-time passwords (OTP), software applications installed on mobile devices, or FIDO hardware authenticators based on public/private key pairs.
Access Management
An access management solution that provides single sign-on, multi-factor authentication, active directory integration, LDAP and other external directories, user provisioning, endpoint management, and more.
Escom Bulgaria has a team of experienced information and cyber security experts who can help you comply with Directive NIS 2.