On October 17, 2024, the new Network and Information Systems (NIS) directive will be enforced. Businesses were expected to begin transitioning to the new regulations in January 2023, but it becomes an official European Union (EU) law in October. If you haven’t already made plans to enforce the regulations on your systems, here is what you need to know to take the proper steps toward compliance. Non-compliance comes with hefty fines, so any EU business should ensure it has the appropriate infrastructure to follow the regulations.
Managed service providers (MSPs) or resellers working with clients in the EU will need to provide solutions that guarantee their clients’ compliance with the new directive.
What is NIS2?
NIS has been in place for several years, but the new regulations are meant to help businesses adapt to the changed cybersecurity landscape. Recent socioeconomic changes brought about by COVID-19 and global conflict have introduced new cyber-attacks. Government cyberattacks continue to increase, and governments and businesses in the EU are primary targets. Data from a compromise can be used for identity theft or account takeover of critical services.
The second iteration of the NIS directive is meant to help businesses improve their cybersecurity resilience and data protection. Most businesses focus on risk management, which has traditionally been poorly thought out. Focusing on proactive security optimizes resilience against the latest threats and stops many of the attacks commonly used for data theft. NIS2 works to address these concerns and better protect consumer data.
Who Should Be Concerned with NIS2?
All businesses in the EU must be concerned with NIS2, but not every business performs its own cybersecurity in-house. Managed service providers often oversee cybersecurity for small businesses, so they, too, should be concerned about NIS2. A managed service provider performing cybersecurity for businesses in the EU should take the time to review new NIS2 regulations to ensure that their clients are compliant.
An SMB with a small operations department doing business in the EU should also be concerned with changes to NIS2. The penalties are much more expensive than the time and infrastructure investment. Protecting user data should be a primary concern for any business, but staying compliant manages risks too.
Key New NIS2 Requirements You Need to Know
DNS (Domain Name System) is a critical backbone of the internet, and NIS2 focuses on establishing reliable DNS. DNS is the protocol that translates a human-friendly domain name into an IP address. When you type a URL into a browser, the first step in opening the page is resolving the domain name to an IP address. NIS2 requires businesses to protect the integrity of the DNS protocol. An interruption of DNS stops communication for any online system, and DNS poisoning leads to data theft and interception of communications.
Risk management is another large focus of NIS2. The Internet is a system of interconnected servers, and many of today’s businesses incorporate third-party libraries, data, and APIs into their own systems. A supply chain compromise can distribute malware and other nefarious content to critical systems. Businesses can oversee third-party systems using a risk management strategy. NIS2 requires enterprises to understand their risks better and to perform analysis and background checks on third-party vendors. If a business works with a third-party vendor, a risk analysis of that vendor limits the possibility of threats entering through the supply chain.
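As an added illustration of what "integrity of the DNS protocol" means at the resolver level (example code written for this article, not part of the original post or of any TitanHQ product): a stub resolver should accept a reply only if its transaction ID, QR flag and question section match the query it actually sent, and discard anything else instead of caching it. Those checks are what make a forged answer hard to inject blindly. The domain name and IP addresses below are constructed documentation values (example.com, RFC 5737 ranges), and the helper names (`build_query`, `build_response`, `validate_response`) are this example's own.

```python
import struct
import secrets

# Constructed sample values: documentation domain and RFC 5737 test addresses.
SAMPLE_NAME = "example.com"
GENUINE_IP = "192.0.2.1"
FORGED_IP = "203.0.113.7"

TYPE_A, CLASS_IN = 1, 1


def encode_name(name):
    """Encode a dotted domain name as DNS wire-format labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(data, offset):
    """Decode a wire-format name at offset, following compression pointers.
    Returns (name, offset just past the name)."""
    labels = []
    while True:
        length = data[offset]
        if length == 0:
            return ".".join(labels), offset + 1
        if (length & 0xC0) == 0xC0:  # compression pointer to an earlier name
            ptr = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            tail, _ = decode_name(data, ptr)
            labels.append(tail)
            return ".".join(labels), offset + 2
        labels.append(data[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length


def build_query(name, txid=None):
    """Build an A-record query. The random 16-bit transaction ID is one of the
    few values a blindly spoofed reply has to guess correctly."""
    if txid is None:
        txid = secrets.randbits(16)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD=1
    return header + encode_name(name) + struct.pack("!HH", TYPE_A, CLASS_IN)


def build_response(txid, name, ip, ttl=300):
    """Build a one-answer A-record response (constructed test data)."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR=1, RD=1, RA=1
    question = encode_name(name) + struct.pack("!HH", TYPE_A, CLASS_IN)
    rdata = bytes(int(octet) for octet in ip.split("."))
    # Answer owner name is a compression pointer (0xC00C) to the question name at offset 12.
    answer = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, CLASS_IN, ttl, len(rdata)) + rdata
    return header + question + answer


def validate_response(query, response):
    """Integrity checks a stub resolver applies before trusting a reply.
    Returns (accepted, reason, list_of_A_addresses)."""
    q_id = struct.unpack("!H", query[:2])[0]
    q_name, off = decode_name(query, 12)
    q_type, q_class = struct.unpack("!HH", query[off:off + 4])

    if len(response) < 12:
        return False, "response shorter than a DNS header", []
    r_id, r_flags, r_qd, r_an, _, _ = struct.unpack("!HHHHHH", response[:12])
    if r_id != q_id:
        return False, "transaction id mismatch", []
    if not r_flags & 0x8000:
        return False, "QR bit not set: this is a query, not a response", []
    if r_flags & 0x000F:
        return False, f"server returned rcode {r_flags & 0x000F}", []
    if r_qd != 1:
        return False, "unexpected question count", []

    r_name, off = decode_name(response, 12)
    r_type, r_class = struct.unpack("!HH", response[off:off + 4])
    off += 4
    if (r_name.lower(), r_type, r_class) != (q_name.lower(), q_type, q_class):
        return False, "question section does not match what was asked", []

    addresses = []
    for _ in range(r_an):
        _, off = decode_name(response, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", response[off:off + 10])
        off += 10
        rdata = response[off:off + rdlen]
        off += rdlen
        if (rtype, rclass, rdlen) == (TYPE_A, CLASS_IN, 4):
            addresses.append(".".join(str(b) for b in rdata))
    return True, "ok", addresses


if __name__ == "__main__":
    txid = 0x1234
    query = build_query(SAMPLE_NAME, txid)
    genuine = build_response(txid, SAMPLE_NAME, GENUINE_IP)
    forged = build_response(txid ^ 0xFFFF, SAMPLE_NAME, FORGED_IP)
    print(validate_response(query, genuine))  # accepted, returns the A record
    print(validate_response(query, forged))   # rejected: transaction id mismatch
```

These header and question checks (together with a random source port, which this example does not model) only raise the cost of blind spoofing; cryptographic integrity of the answer itself comes from DNSSEC validation or from running DNS over an authenticated transport, which is the level of protection the directive's emphasis on DNS integrity points toward.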
Incident response must be performed after a compromise, and one step is reporting a data breach to the public. Businesses must notify affected individuals so that they can take the necessary next steps to protect their identities. Within 24 hours of a data breach, businesses must issue a first warning to the public with preliminary information about the incident. Within 72 hours, companies must provide much more detail about the incident; the 72-hour notification must include an assessment of the incident and the severity of its impact.
An investigation is the final step in incident response, and businesses must communicate their findings within a month of a data breach. Investigations often involve analyzing the threat, the attack vector, any users involved in the compromise, and the aftermath. Internally, businesses must contain and eradicate the threat, but the way a threat is removed from the system can be kept confidential. The critical part of the public notification is the impact of the threat and what the business plans to do to prevent additional data breaches.
Training in risk management and cybersecurity is also a requirement. Management must take accountability for any data breaches or compromising mishaps. Cybersecurity systems may still stop many threats, but new policies will help avoid newer ones. For example, email filters might stop phishing messages from reaching employees. Email filters are great for cybersecurity and data protection, but they don’t stop a third-party vendor from being compromised. Risk management with background checks on vendors can help identify those that do not have the right cybersecurity policies to protect their own and their customers’ data.
Cybersecurity training helps employees stop common threats, including social engineering and phishing. Everyone in the organization should be trained to identify threats, especially since phishing and social engineering are two of the primary attack strategies in the wild. They can be devastating to organizations, and spear-phishing attacks specifically target executives. Executives, and especially anyone with access to sensitive data, should be trained to identify common threats.
What are the Penalties for Non-Compliance with NIS2?
As with any compliance regime, NIS2 carries hefty fines for businesses that do not have the right risk management and cybersecurity protections in place. Penalties are based on business revenue, so fines can run into seven figures.
- Larger businesses could be charged up to €10,000,000 or 2% of annual turnover, whichever is higher.
- Small businesses could be charged up to €7,000,000 or 1.4% of annual turnover, whichever is higher.
More details are available at the NIS2 Directive website.
How TitanHQ Can Help
TitanHQ can enhance your cybersecurity resilience by strengthening your incident prevention, detection, and response capabilities. We offer solutions to increase your visibility into both internal and external attacks and provide staff training to elevate their security awareness.
Email security is essential for NIS2 compliance, as it safeguards confidentiality, data protection, business continuity, and the reputation of both public and private entities operating within the EU. Additionally, security awareness plays a crucial role in NIS2 compliance by addressing the human element in cybersecurity, mitigating the risk of phishing and social engineering attacks, and enhancing overall cybersecurity resilience.
To learn more about how TitanHQ can help you meet NIS2 Directive requirements, get in touch today.

Susan Morrow
- DATA PROTECTION
- EMAIL PHISHING
- EMAIL SECURITY
