NIS 2, ISO 27001 and System Hardening: A triad that more and more companies need to think about

NIS 2 is here. The requirements of the EU-wide cybersecurity directive are very high. Here you can find out what you need to pay attention to when implementing the directive.

What is NIS 2?

The Network and Information Security Directive or NIS 2 Directive represents a significant further development of cyber security regulations in the European Union. The NIS 2 Directive was published at the end of 2022 and had to be transposed into national law by the EU member states by 17 October 2024.

Why does NIS 2 exist?

The main aim of NIS 2 is to make a far larger number of European companies resilient to the growing threat of cyber attacks. The new requirements therefore apply not only to organisations in the CRITIS sector (critical infrastructure), but also to a large number of companies above a certain size.

Does NIS 2 also apply to your organisation?

According to the German Federal Office for Information Security (BSI), there are around 30,000 ‘particularly important’ and ‘important’ organisations in Germany alone that are now subject to registration, verification and reporting obligations for the first time.

If you would like to know whether your company has to fulfil the NIS 2 requirements, you can, for example, consult the BSI’s online tool. The German BSI’s NIS 2 compliance check provides you with an automated initial assessment, but this is not legally binding.

What are the consequences of NIS 2?

Does your company or organisation have to comply with NIS 2? Then you need to implement comprehensive IT security measures. These include, for example:

Taking stock
If information security has played a subordinate role in your organisation to date, you should carry out a cyber risk check.

Risk management
Risk analyses must be carried out regularly to identify weaknesses in your IT systems and assess them professionally. Countermeasures must also be taken to eliminate the security gaps.

Technical measures
Protect your systems against cyber attacks and the (usually expensive) consequences of compromises – including System Hardening.

Organisational measures
Introduce an Information Security Management System (ISMS). And there must always be business continuity management (BCM) in place to ensure ongoing operations at all times.

Reporting obligations
Reporting obligations are a key aspect of the NIS 2 directive. If you have a cyber incident, this must be reported within 24 hours.

Diagram: NIS 2 reporting (image: VDMA)

Supply chain security
As part of NIS 2, your company must also ensure that your suppliers and service providers fulfil the high security standards. This is to ensure the protection of supply chains.

Sanctions
If your organisation or company does not comply with the NIS 2 requirements, you could face heavy fines. Depending on the severity of the offence, these can amount to up to 10 million Euros or 2% of global annual turnover.

How do you implement the NIS 2 requirements?

This question is not so easy to answer, as fulfilling NIS 2 is a complex challenge. However, to put it simply, you can follow the guidelines in ISO 27001:2022 to fulfil the majority of the requirements. This standard describes how you should design an ISMS so that you can optimally fulfil current cybersecurity regulations and laws such as NIS 2.

An essential aspect of the ‘new’ ISO 27001 is the reduction of attack surfaces by means of configuration management. This involves numerous measures that are also known as Secure Configuration or System Hardening.

System hardening according to NIS 2: examples of implementation

Secure passwords
Systems and devices are often delivered with default passwords that are easy to guess. A Secure Configuration requires that these passwords be changed and that two-factor or multi-factor authentication be enabled to better protect a system, such as a Windows server.

Configuration policies
Your organisation must ensure that there are binding guidelines for the Secure Configuration of IT systems and services. You must create these guidelines and monitor them on an ongoing basis. This is because every new piece of software or hardware creates new potential attack surfaces that hackers can exploit.

Unnecessary applications
Every unnecessary programme is a potential gateway for attackers. You should therefore uninstall unnecessary applications as quickly as possible. Also deactivate unnecessary or insecure services, and close open ports that are not strictly required.

Outdated systems
Systems that are unpatched or for which updates are no longer released are not state of the art. They must be updated, replaced or specially secured immediately.

In other, simpler words: Imagine your IT systems are a house. Close all the windows and doors so that burglars cannot get in.
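The four hardening examples above (default credentials and missing MFA, binding configuration policies that are monitored continuously, unnecessary applications, services and open ports, and unpatched or end-of-support systems) can be turned into an automated baseline check. The following script is an added example, not code from the article or from any product it mentions: it audits a constructed host inventory and a constructed block of `ss -Hltnp`-style listener output against an assumed allowlist policy, and returns findings with a severity per rule. The policy values, host data, account names and the `example.invalid` hostname are all assumptions made up for the example.

```python
"""Hardening baseline audit over a constructed host snapshot (example code)."""
import re
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Finding:
    severity: str   # "high" or "medium"
    rule: str       # which hardening rule fired
    detail: str     # human-readable explanation for the report


# Assumed baseline policy: what this host class may run and how fresh it must be.
POLICY = {
    "allowed_ports": {22, 443},                      # externally reachable TCP ports
    "allowed_services": {"sshd", "nginx", "chronyd"},
    "banned_packages": {"telnet", "rsh-server", "xinetd"},
    "max_patch_age_days": 30,
}

# Constructed `ss -Hltnp` output for the sample host (not real data).
SS_OUTPUT = """LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 511 0.0.0.0:443 0.0.0.0:* users:(("nginx",pid=901,fd=6))
LISTEN 0 128 0.0.0.0:23 0.0.0.0:* users:(("in.telnetd",pid=77,fd=3))
LISTEN 0 100 127.0.0.1:25 0.0.0.0:* users:(("master",pid=650,fd=13))"""

# Constructed inventory as a configuration-management agent might collect it.
HOST = {
    "hostname": "app01.example.invalid",
    "snapshot_date": date(2024, 11, 5),
    "accounts": [
        {"name": "admin", "default_password_changed": False, "mfa_enabled": False},
        {"name": "ops", "default_password_changed": True, "mfa_enabled": True},
    ],
    "enabled_services": ["sshd", "nginx", "chronyd", "telnet.socket", "cups"],
    "packages": ["openssh-server", "nginx", "telnet", "cups"],
    "last_patch_date": date(2024, 8, 1),
    "os_end_of_support": date(2024, 6, 30),
}

# Matches: state, recv-q, send-q, local addr:port, peer, users:(("proc",...
SS_RE = re.compile(r'^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+users:\(\("([^"]+)"')


def parse_listeners(ss_text):
    """Return (bind_address, port, process) for every listening TCP socket line."""
    listeners = []
    for line in ss_text.splitlines():
        m = SS_RE.match(line.strip())
        if m:
            listeners.append((m.group(1), int(m.group(2)), m.group(3)))
    return listeners


def audit(host, ss_text, policy):
    """Evaluate the snapshot against the policy and return a list of Findings."""
    findings = []
    # Secure passwords: vendor defaults must be gone and a second factor enforced.
    for acct in host["accounts"]:
        if not acct["default_password_changed"]:
            findings.append(Finding("high", "default-password",
                                    f"account {acct['name']} still uses the vendor default password"))
        if not acct["mfa_enabled"]:
            findings.append(Finding("medium", "mfa-missing",
                                    f"account {acct['name']} has no second factor"))
    # Unnecessary applications: banned packages and services outside the allowlist.
    for pkg in host["packages"]:
        if pkg in policy["banned_packages"]:
            findings.append(Finding("high", "banned-package", f"package {pkg} is installed"))
    for svc in host["enabled_services"]:
        if svc not in policy["allowed_services"]:
            findings.append(Finding("medium", "unapproved-service", f"service {svc} is enabled"))
    # Open ports: anything reachable from outside must be on the allowlist.
    for addr, port, proc in parse_listeners(ss_text):
        if port not in policy["allowed_ports"] and not addr.startswith("127."):
            findings.append(Finding("high", "unexpected-port",
                                    f"{proc} listens on {addr}:{port}, not in allowlist"))
    # Outdated systems: patch age and vendor support window.
    age_days = (host["snapshot_date"] - host["last_patch_date"]).days
    if age_days > policy["max_patch_age_days"]:
        findings.append(Finding("high", "patch-overdue",
                                f"last patched {age_days} days ago (limit {policy['max_patch_age_days']})"))
    if host["os_end_of_support"] < host["snapshot_date"]:
        findings.append(Finding("high", "end-of-support",
                                f"OS support ended {host['os_end_of_support'].isoformat()}"))
    return findings


def summarize(findings):
    """Count findings per severity, e.g. for a dashboard or ticket threshold."""
    counts = {"high": 0, "medium": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    results = audit(HOST, SS_OUTPUT, POLICY)
    for f in results:
        print(f"[{f.severity:6}] {f.rule:18} {f.detail}")
    print(summarize(results))
```

Running the check on a schedule against freshly collected snapshots is what turns the "monitor them on an ongoing basis" requirement into something measurable: drift from the allowlist shows up as a new finding rather than being discovered during an incident. Loopback-only listeners are deliberately left out of the port rule, since they are not reachable from the network; a stricter policy can drop that exception.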

Conclusion

If you have to fulfil the requirements of NIS 2, you have to deal with System Hardening and Secure Configuration. Without this preventive security measure, you will not be able to fulfil the very high requirements.

And that’s a good thing! Because in the end, it’s not about fulfilling compliance requirements, but about arming your IT systems for the ‘cyber war’ in the best possible way. Every successful attack threatens your ‘data treasures’ and the survival of your organisation. Always be aware of this.

Do you need support with Secure Configuration or System Hardening in accordance with NIS 2? We are here for you!

Image: Freepik
