NIS 2: From Obligation to Opportunity

By Jacques de La Rivière, CEO, Gatewatcher

The world of cybersecurity is constantly evolving; not only in talent, products, and technologies, but also in regulatory requirements. As cyber threats evolve and advance, the spotlight has fallen on the European Commission to focus on regulatory issues, to address this threat. Consequently, we have seen the Cyber Resilience Act (CRA); the AI Act; the Digital Operational Resilience Act (DORA), and most pressing, the second Network and Information Security framework – NIS 2.

NIS 2: a necessary evolution of the regulatory framework

Going well beyond the objectives of NIS 1, which provided a minimum of adequate security conditions for entities and sectors targeted by cyber attacks, the objective of NIS is to strengthen resilience by addressing new sectors and entities.

This is a necessary development in view of the growing threats, targeting local authorities, public health establishments, higher education establishments and all parties in the supply chain, not included in NIS 1.

For EU Member states, NIS2 will also address the lack of coherence and fragmentation in the treatment of cyber attacks for sensitive sectors on a European scale.

The new regulatory framework, will also deliver:

• Harmonisation of the implementation of the Directive across Europe, with more precise regulations.
• Stronger overall security, with strict and proportional criteria depending on the categorisation of the given organisation, between essential or important entities.
• Increased responsibility and powers of supervision, control, and sanction for the Member States to ensure proper implementation of these measures.
• A delegation of this responsibility to businesses, who must manage their own risks.

The question businesses therefore now face is how to meet these compliance challenges quickly and with minimal disruption.

This is frustrated by the fact that currently, no binding measures have yet been taken (other than notification of contact persons, incident reporting procedures and the potential sharing of information). The Member States are currently in the process of transposing the directive at national level.

However, there are elements that must be considered, based on NIS 1.

• A governance policy must be in place to ensure adequate risk management. This needs to include audit, risk analysis, security indicators, accreditation, and mapping.
• The consideration of key protection elements in relation to security policies linked to the architecture itself: this needs to account for administration, access, and maintenance.
• Appropriate and reinforced detection measures, as well as incident response and management measures, must be in place to maintain business continuity in a crisis should a cyber attack occur.

NIS 2 considers these areas, but there is a delay for details at European and national level, particularly in terms of integration with other legislation.

However, it is possible to translate these demands into a workable strategy to begin now. There are five pillars to consider:

• Identifying and protecting the risks
• Protecting data and sensitive information
• Investing in or strengthening cybersecurity technologies
• Implementing incident management and CSIRT notification measures
• Training and awareness-raising for employees

Primarily, it is essential to develop, enhance or maintain complete visibility of the information system. This means an inventory and mapping of all assets and user behaviours on the network.

Once the risks and challenges are identified, especially those around sensitive data, it is important to control access and comply with security policies, especially on restricted and confidential networks.

This has made NDR a core of successful strategies, integrated with a comprehensive cybersecurity ecosystem. The goal here is proactive research; easy, rapid qualification and remediation of incidents by experts.

Compliance, an ongoing journey

Today, compliance must be a strategic opportunity for companies, not an additional constraint or tick box exercise to merely meet new regulatory standards.

We need to take a long-term view. Achieving compliance is not only reactive, enabling a business to establish a comprehensive, up-to-date response to compliance needs, but also to anticipate future regulatory developments.

Beyond compliance, NDR enables organisations to raise overall levels of cybersecurity and optimise investments for the most effective detection of and response to threats. Building a cybersecurity strategy with NDR as a cornerstone means choosing a long-term cyber path, with anticipation as the keystone. For cyber-attackers and defenders alike, time is of the essence. The aim is to be able to respond effectively to potential future threats, thanks to an adapted and responsive defence system.

Think of NIS 2 as a guide to identifying and prioritizing the risks and areas of weakness, as well as cybersecurity strengths, to draw up a dynamic strategy to combat attacks. When approached strategically, compliance transforms from a necessity into a real opportunity and competitive advantage.

About the Author

Jacques de la Riviere is CEO of Gatewatcher. Gatewatcher is a leader in the detection of cyber threats, and has been protecting the critical networks of worldwide large companies and public institutions since 2015. Combining Network Detection and Response (NDR) and Cyber Threats Intelligence (CTI) solutions, with AI-powered, dynamic analysis techniques, Gatewatcher delivers a real-time 360-degree view of threats, covering both cloud and on-premise infrastructures.

Jacques can be reached online via LinkedIn and at the company website https://www.gatewatcher.com/en/