Q: What is the purpose of the NIS2 Directive, why is it needed and what outcomes are regulators trying to achieve? 

As its name suggests, NIS2 follows from the original EU Directive on network security, adopted in 2016. The original Directive laid down the basis for the first common cybersecurity standards among EU Member States. NIS2 recognizes the growing importance of protecting essential digital data and services. 

NIS2 aims to ensure common, high levels of cybersecurity across the EU’s networks and information systems, particularly those that provide essential services to critical sectors, such as gas and electricity distribution networks, transport networks, or banking and financial infrastructures.

Q: What key obligations does the NIS2 Directive place on businesses in scope? 

NIS2 is a Directive, which is a type of EU legislation used to set minimum standards and/or mandate an outcome. A Directive gives the Member States the freedom to reach (or exceed, should they wish to) such standards or goals in whichever way they see fit. As such, it doesn’t impose direct obligations on private operators but does set out the broad lines of the national measures that the Member States must adopt by 17 October 2024. 

For businesses in scope, the key aspect will be the implementation of the cyber security risk management measures and reporting obligations, which will require entities in scope to:

Adopt, and train management on, cybersecurity management measures, which must include, at a minimum, under Article 21 of the Directive:

  • Risk analysis and information systems security policies.
  • Incident handling.
  • Business continuity, such as backup management and disaster recovery, and crisis management.
  •   Supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers’ or service providers’ security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure.
  • Policies and procedures to assess the effectiveness of cybersecurity risk-management measures.
  • Basic cyber hygiene practices and cybersecurity training.
  • Policies and procedures regarding the use of cryptography and, where appropriate, encryption.
  • Human resources security, access control policies and asset management.
  •   The use of multi-factor authentication or continuous authentication solutions, secured voice, video and text communications and secured emergency communication systems within the entity, where appropriate.

Businesses must also notify the competent authorities of any significant cybersecurity incident (on this point, the Commission has recently published its draft implementing regulation setting out the criteria for “significant incidents”, which you can consult here).

Q: What should businesses expect in terms of actual requirements imposed upon them? What should businesses consider when assessing backup and disaster recovery capabilities? 

The minimum security management measures listed above are about as much detail as we can expect at this stage – we’ll have to wait until individual Member States adopt their respective implementing legislation to know more – especially since the Directive specifically allows them to impose higher standards and requirements. The European Commission has also started publishing guidelines that will provide helpful directions – for example, the first of these documents indicates that DORA (the EU Digital Operational Resilience Act, which applies to financial entities and entered into force in 2023) is of “equivalent effect” to NIS2, therefore businesses can take inspiration from the measures recommended to comply with this sector-specific regulation in preparing for compliance with NIS2.  

From a technology perspective, to achieve the critical requirements outlined in Article 21 of the Directive, I’d advise picking a solution that provides:

1

Secure infrastructure

Is built on a decentralized and secure infrastructure, such as GCP or AWS - SaaS products also have the added benefits of sharing the responsibility for certain security measures with your vendor, provided you have appropriate contractual terms in place.
2

Ownership & control

Offers control over where your data and backups reside.
3

Immutability & encryption

Is built with immutability and encryption security measures at rest and in flight.
4

Industry-leading backup

Automates backups at a regular frequency appropriate to the needs of your business, with the ability to restore data quickly and securely, mitigating the impact of any incident.
5

Comprehensive reporting & auditing

Provides comprehensive logs and reports to assist with reporting requirements and auditing compliance with policies and procedures.
6

User & activity records

Controls and records user access to the backup infrastructure, as well as all activity.
7

Regular testing & updates

Enables regular testing and updates to ensure suitability and compliance with regulatory and business requirements.

Q: What advice would you give businesses as they plot a path to NIS2 compliance? 

You’ll notice that I didn’t spend much time talking about the criteria to establish whether a specific business is in scope for NIS2, even though the Directive will not apply to all businesses – the point is, that you should consider your cybersecurity strategy whether NIS2 will apply to your business or not. It just makes good business sense!

I would recommend considering the specific risks applicable to your business, the likelihood that these risks will materialize, and the potential costs in such an event, be they purely monetary, or in terms of reputation, market trust, etc. 

This can then inform the specific measures you take, and there isn’t a one-size-fits-all approach here. I’d expect any cyber security strategy to include a mix of appropriate tools to help you automate and monitor backup and security requirements, and policies and procedures to limit the human risk factor and ensure there is always a plan B.

Become NIS2 compliant today

Latest resources

Blog

Choosing a software solution: Eight things to consider for the NIS2 directive

November 15, 2024

Find out more
Customer Story

Seamless integration of Google Workspace tenants transforms Atlassian post-acquisition

November 13, 2024

Find out more
Product

Product update: more flexibility for your offboarding workflows and email signatures in CloudM Automate

November 12, 2024

Find out more
  • Choosing a software solution: Eight things to consider for the NIS2 directive

    November 15, 2024

  • Seamless integration of Google Workspace tenants transforms Atlassian post-acquisition

    November 13, 2024

  • Product update: more flexibility for your offboarding workflows and email signatures in CloudM Automate

    November 12, 2024

Back to Resources