A few months from its entry into force in October 2024, the NIS 2 (Network and Information Security) directive represents a significant change in IT security rules, aimed at better protection against increasingly advanced cyber-attacks. It is a necessary response to rapidly evolving cyber threats and to the need for improved network visibility.
Faced with ever more sophisticated attackers, who have innovative tools at their disposal and target a growing number of organizations, the directive broadens its objectives and its scope in order to prescribe a higher level of protection.
For many organizations, however, it remains difficult to understand. It raises many questions, from which companies are affected, to how incidents must be reported, to the risks incurred in the event of non-compliance.
To understand its scope of application and the steps to take to get ready, the first requirement is to know which reliable sources of information to turn to.
NIS 2 explained
The very essence of NIS 2 is to strengthen the security of networks and information systems at the heart of the European Union. This new legislative chapter focuses on so-called “core” sectors such as health, energy and transport, which are the backbone of the functioning of society and therefore require robust protection and broad cooperation on a European scale.
The directive precisely demarcates its scope of application by expressly excluding certain public administrative entities directly related to national security, public safety, defense or law enforcement. Indeed, it recognizes that the management of cyber security in these areas is the exclusive competence of Member States. However, it includes other entities of the public administration which, although far from these sensitive areas, play an important role in maintaining essential services and are therefore subject to the obligations of the directive.
The implications of NIS 2 for businesses and organizations are far-reaching, pushing them to adopt stronger security measures to defend against cyberattacks, including strengthening network visibility and preparing for different forms of attacks.
Understanding these requirements may seem complicated, but accurate and up-to-date information is available through official sources such as ANSSI, Légifrance or EUR-Lex. Collaboration with cybersecurity experts is also essential to ensure compliance approaches are well understood and properly implemented.
Need for action and transparency
Depending on their size and sector, organizations must respond differently to the new EU NIS 2 rules. Large organizations, especially those in key industries such as healthcare and transportation, or those that rely on the cloud and generate large revenues, must adapt quickly to avoid security issues and fines.
Small businesses with fewer than 50 employees and lower turnover, less dependent on the cloud and located outside Europe, are not affected. Nevertheless, all organizations should be proactive in ensuring their security and complying with this European directive.
The incident reporting process, often perceived as complex and restrictive, is critical under NIS 2. It is no longer just a matter of compliance but a central element of an organization’s security strategy. With this new version, incidents, whether small or large, must be reported quickly, within 24 hours of detection, so that potential impacts can be mitigated.
This first notification should be followed within 72 hours by a detailed assessment of the incident, providing an overall view of the extent of the damage and facilitating the coordination of response efforts.
A final report detailing the incident (within one month), with reasons, responses provided and lessons learned is also required. Overall, this is important reporting to improve organizational security and the sector’s resilience to cyber threats.
Security and management implications
The consequences of not complying with the requirements of NIS 2 are not limited to significant financial penalties. They can also damage a company’s reputation, lead to a loss of trust from customers and partners, and in the most serious cases, compromise the continuity of business operations.
Facing fines of up to €10m or 2% of global annual turnover for core businesses and €7m or 1.4% of turnover for important businesses, the stakes are high. These incentives are intended to foster a more robust and proactive cybersecurity culture within organizations.
Navigating the complex landscape of NIS 2 requires strong IT security management, characterized by a well-defined strategy and establishing processes that enable rapid threat detection and coordinated response. Adopting a Single Source of Truth (SSOT) and automating incident responses are cornerstones in building a sustainable security posture.
In this regard, the use of tools such as SIEM (to collect and analyze security-related events), SOAR (for incident response orchestration and automation) and EDR (for complete endpoint protection) turns out to be essential. However, for these tools to be fully effective, broad network visibility is indispensable.
Role of network visibility
In the context of NIS 2, strengthening network visibility takes on vital importance as it forms the foundation upon which organizations’ ability to effectively comply with regulations rests.
This deep visibility into network activity is critical to detecting threats effectively, responding to incidents with agility, and meeting the directive’s demanding security standards. Real-time monitoring facilitates the proactive detection of unusual behavior, such as potential intrusion attempts, as well as of packet loss, latency and bottlenecks.
Moreover, this visibility is important for documenting and demonstrating compliance with NIS 2, enabling effective cybersecurity risk management and continuous adaptation to new threats. Put simply, it is impossible to secure and manage what we cannot see.
Ultimately, integrating a robust network visibility strategy is a key step in strengthening organizations’ resilience to evolving cyber threats while meeting European regulatory expectations such as NIS 2.
Transatlantic challenge and global vision
Beyond the borders of the European Union, the NIS 2 directive also presents a significant challenge for companies operating internationally, especially those operating on both sides of the Atlantic. The coexistence of different regulations between the EU and the United States requires a strategic and adaptive approach to ensure transatlantic compliance.
Organizations need to be flexible, integrate best practices and regulatory frameworks from each region, while maintaining overall consistency in their cybersecurity policy.
How then can we use international cooperation and knowledge sharing to navigate this new directive?
By aligning with recognized standards such as NIST, CIS and MITRE ATT&CK, and by fostering ongoing dialogue with regulators, companies can navigate this complex regulatory landscape with greater ease. This holistic approach is not just about compliance; it also means strengthening digital security on a global scale.
In conclusion, the implementation of NIS 2 represents an opportunity for organizations to improve their cybersecurity infrastructure. The inclusion of increased network visibility plays a key role in this, enabling faster and more effective incident detection and response.
By taking a proactive approach, surrounding themselves with experts and implementing robust governance, businesses can not only meet regulatory requirements, but also strengthen their resilience in the face of an ever-changing cyber threat landscape.
Therefore, the emphasis on network visibility is not only a response to NIS 2 obligations, but also a key strategy for anticipating and defending against future cyberattacks. The future of cybersecurity is a collaborative journey that requires unwavering commitment from all stakeholders to navigate this digital age in a safe and secure manner.