NIS2 Directive : Preparing your company for October 2024

Industry Insight

As October 2024 approaches, so does the implementation of the NIS2 Directive, which is sure to make significant waves across various sectors. The NIS2 (Network and Information Systems) Directive, an extension of the original NIS Directive, aims to enhance the cybersecurity and resilience of critical infrastructure within the European Union. Its implications extend far beyond compliance, touching the core operations of numerous businesses. As a reminder, and because money talks, in 2023 cybercrime cost the world $8 trillion USD. That number is expected to reach $10.5 trillion USD in 2025. In this blog, we will take a look at the repercussions of NIS2 and provide actionable steps for companies to avoid becoming part of that huge number.

Understanding NIS2

NIS2 builds upon the foundation laid by its predecessor, the NIS Directive, enacted in 2016, which aimed to enhance the cybersecurity and resilience of critical infrastructure sectors across the European Union. NIS2 introduces several crucial updates to adapt to the dynamic cybersecurity challenges.

Key highlights of NIS2 include:

  1. Expanded Scope: NIS2 broadens the scope beyond traditional critical infrastructure sectors to include digital service providers, online marketplaces, and search engines. This expansion means that more companies fall under its regulatory purview.
  2. Stricter Security Requirements: NIS2 mandates higher cybersecurity standards and incident reporting obligations for covered entities. It emphasizes risk management, incident response, and cooperation among stakeholders.
  3. Enhanced Management Obligations: There is a new emphasis on the role of management, with specific training requirements introduced to ensure they can effectively identify and mitigate cybersecurity risks.
  4. Penalties and Consequences for Non-Compliance: Companies failing to comply with NIS2 may face hefty fines, reputational damage, and operational disruptions. The directive underscores the importance of robust cybersecurity measures as a business imperative, not just regulatory compliance.
    • Fines: Substantial fines up to €10 million or 2% of global annual turnover for essential companies, and up to €7 million or 1.4% for important companies.
    • Legal Ramifications: Management teams can be held accountable for failing to meet NIS2 requirements, highlighting the importance of compliance at all organizational levels.

Repercussions Across Sectors

NIS2 will have an impact across various sectors, including but not limited to:

  1. Healthcare: Hospitals, clinics, and healthcare providers must fortify their digital infrastructure to safeguard patient data and critical medical systems from cyber threats.
  2. Financial Services: Banks, insurance companies, and fintech firms face increased scrutiny to protect sensitive financial information and ensure the uninterrupted functioning of payment systems.
  3. Energy and Utilities: Power plants, water treatment facilities, and other utilities must strengthen defenses against cyber attacks that could disrupt essential services and infrastructure.
  4. Digital Service Providers: Cloud service providers, e-commerce platforms, and social media networks must adhere to stricter security standards and promptly report cyber incidents to regulatory authorities.

Other impacted sectors are Online Marketplaces, Search Engines and Core Internet Infrastructure Services.

Figure: Most business sectors are impacted by the NIS2 Directive.

Preparing Your Company for NIS2 Compliance

To navigate the complexities of NIS2 and mitigate potential risks, companies can take proactive measures. First things first, they can visit the NIS2 Directive website.

Here’s a step-by-step guide:

  1. Conduct a Comprehensive Cybersecurity Audit: Begin with a thorough assessment of your current cybersecurity measures. Identify any vulnerabilities that may need addressing under the new directive.
  2. Understand the Expanded Scope: Familiarize yourself with the extended sectors the NIS2 Directive covers. Ensure your organization falls within its jurisdiction and understand the specific obligations that now apply.
  3. Update Cybersecurity Policies and Procedures: Revise your existing policies to align with the NIS2 Directive’s requirements. This may include enhancing incident response plans, risk management strategies, and business continuity plans.
  4. Invest in Advanced Cybersecurity Technologies: Consider upgrading your cybersecurity infrastructure with robust and proven solutions that meet the directive’s standards. This investment not only aids in compliance but also strengthens your defenses.
  5. Train Management and Staff: Organize comprehensive training sessions for management and employees, focusing on the new regulations and their roles in maintaining cybersecurity. Special emphasis should be on risk assessment and mitigation strategies.
  6. Develop a Reporting and Compliance Framework: Establish clear processes for incident reporting as mandated by the directive. Make sure that these processes are well integrated into your overall cybersecurity strategy.
  7. Engage with Cybersecurity Experts: Seek advice from cybersecurity consultants or legal experts who specialize in EU regulations. Their expertise can provide valuable insights and help navigate the complexities of compliance.
  8. Stay Informed: Regularly consult the official NIS2 Directive resources and updates to stay up to date on any changes or additional guidance provided by the EU.

Figure: Cybersecurity management and employee training need to be ongoing in all companies to face everyday threats.

Aligning with NIS2 Using RCDevs’ Security Solutions

In the NIS2 Directive, it is stated that:

“The measures shall be based on an “all-hazards approach” that aims to protect network and information systems and the physical environment of those systems from incidents, and shall include “at least” the following:

(a) policies on risk analysis and information system security;
(b) incident handling;
(c) business continuity, such as backup management and disaster recovery, and crisis management;
(d) supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers;
(e) security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure;
(f) policies and procedures to assess the effectiveness of cybersecurity risk-management measures;
(g) basic cyber hygiene practices and cybersecurity training;
(h) policies and procedures regarding the use of cryptography and, where appropriate, encryption;
(i) human resources security, access control policies and asset management;
(j) the use of multi-factor authentication or continuous authentication solutions, secured voice, video and text communications and secured emergency communication systems within the entity, where appropriate.”

RCDevs’ security products can help companies comply with the directive, especially regarding points (g), (h) and (j).

  • Multi-factor authentication with OpenOTP Authentication Server: For over 15 years, this RCDevs solution has provided a flexible and robust multi-factor authentication (MFA) system. To respond to market trends, it is offered on-premises and as a SaaS solution.
    • By implementing MFA on VPN access, on Windows login, on cloud and legacy applications, etc., companies can ensure that access to sensitive information and critical systems is securely controlled.
    • To ease the impact on their employees, users can authenticate with today’s technologies and available methods (FIDO2, Passkeys, Voice Biometrics, Push notifications or regular OTP, PKI, etc.). This is a huge step towards meeting NIS2’s stringent access control requirements.
  • Comprehensive Security with OpenOTP Security Suite: This suite expands on the capabilities of the OpenOTP Authentication Server by offering additional layers of security, including risk-based authentication, conditional access (strengthened by Zero Trust policies) and mobile token support. Such comprehensive security measures are essential for protecting against the increasing sophistication of cyber threats, in line with NIS2’s call for advanced cybersecurity defenses.
  • Linux Server Access Management with SpanKey: SpanKey focuses on managing SSH keys, which are vital for secure system administration and access. Proper management and control of SSH keys help in preventing unauthorized access, a critical aspect of cybersecurity emphasized by NIS2.

As the deadline (October 17th 2024) for NIS2 compliance approaches slowly but surely, companies across diverse sectors must prioritize cybersecurity to mitigate the potential repercussions of non-compliance. Investing in strong security measures is crucial. Solutions like OpenOTP Security Suite provide a comprehensive approach, integrating Identity and Access Management (IAM), Multi-Factor Authentication (MFA), Single Sign-On (SSO), Network Access Control (NAC), and Public Key Infrastructure (PKI). By adopting these tools, organizations can enhance their resilience against cyber threats and ensure business continuity in an increasingly digital world.