"You can't manage what you don't measure" - Peter Drucker

NIS2 (Network and Information Security Directive 2)

Adequate and proportionate technical, operational and organizational measures are necessary to manage the risks to the security of the networks and information systems used by these entities to conduct their business or provide their services, and to prevent or minimize the impact of incidents on the recipients of their services or on other services.


About NIS2

NIS2 is Directive (EU) 2022/2555 of the European Parliament and of the Council of December 14, 2022 on measures for a high common level of cyber-security within the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972 and repealing Directive (EU) 2016/1148 (the NIS 2 Directive; NIS stands for Network and Information Security). It was promulgated by the European Union and will be effective as of October 18, 2024. NIS2 updates the original 2016 NIS Directive and aims to strengthen cybersecurity across the European Union. It extends the scope of regulation to new sectors, such as cloud service providers, and introduces new requirements for cyber incident reporting, cooperation between member states and increased sanctions for IT security breaches. The goal of NIS2 is to improve the resilience of digital infrastructure against cyber threats and to increase the preparedness of member states to counter attacks in cyberspace.

Technical, Operational and Organizational measures

1. Risk analysis and information systems security policy;
2. Incident handling;
3. Business continuity (e.g., backup and disaster recovery management) and crisis management;
4. Supply chain security, including security-related aspects of the relationship between each entity and its direct suppliers or service providers;
5. Security in the acquisition, development and maintenance of networks and information systems, including handling and disclosure of vulnerabilities;
6. Policies and procedures for evaluating the effectiveness of cyber security risk management measures;
7. Basic cyber hygiene practices and cyber security training;
8. Policies and procedures for the use of cryptography and, where applicable, encryption;
9. Human resources security, access control policies and asset management;
10. Where applicable, the use of multi-factor or continuous authentication, secure voice, text and video communications, and secure communications systems within the entity during emergencies.

Information attributes in NIS2

The attributes of information in an Information Security Management System are known as the CIA Triad (Confidentiality, Integrity, Availability). For information used in cyber security processes involving business continuity or incident management, three additional attributes determine its usefulness; such information must be:
1. truthful/reliable
2. available quickly
3. immediately usable

OpenBIZ teams prefer Tenable® software because it ensures that the information has these characteristics.

Cooperation between OpenBIZ, Red Into Green and DWF Poland

As in the case of the DORA regulation, if NIS2 is to be implemented properly, technical teams should cooperate with legal teams. Bringing these two disparate worlds together is not easy, but it is possible with the right tools.

Tenable Security Center+ and Red Into Green

Conducting a proper security inventory is key to determining where an organization stands and where to focus first when implementing NIS2 requirements. By combining Security Center+ and GIS, we get both the technical data from Tenable's systems and the business information collected in the GIS system. This helps gather information about the most important technical risks and key business processes.

Are you interested in our product or service?

Please contact us