The latest version of the Network and Information Security Directive (NIS 2) has severe implications for companies that provide services or carry out activities in the European Union (EU).
NIS 2’s goal is to establish a higher level of security and cyber resilience for member EU states in 18 essential industry sectors. Violations can lead to substantial fines, legal liability and even criminal sanctions on an individual level.
There is plenty of “buzz” about NIS 2, and it’s growing. As we approach the October 2024 deadline (and beyond), companies must finalize their plans to align with this legislative act. But what does NIS 2 mean and is there a best way to approach it? Let’s take a look.
Unpacking NIS 2
The goal of NIS 2 is “…to build cybersecurity capabilities across the Union, mitigate threats to network and information systems used to provide essential services in key sectors and ensure the continuity of such services when facing incidents…” (from page 1, line 1 in the NIS 2 Directive).
NIS 2 can be broken into four broad categories:
Risk management (Chapter IV, article 21)
Business continuity (Chapter IV, article 21)
Reporting obligations (Chapter IV, article 23)
Corporate accountability (Chapter VII, supervision and enforcement)
Risk management has both reactive and proactive elements. An efficient response to a live security incident is reactive. Mitigating vulnerabilities and exposures before they become incidents is proactive.
Business continuity and reporting obligations are possible follow-up actions in the event a cyberattack is successful.
Corporate accountability covers the aftermath of a poor NIS 2 implementation. Companies that do not comply with NIS 2 are likely to receive a fine or other punishment. This includes legal liability for damage caused by a security incident that could have been prevented if the necessary measures had been taken.
Alignment with NIS 2 means your organization must be able to:
Proactively reduce exposures. This is the top priority because it reduces (or even eliminates) the number of follow-up incident response and recovery activities.
Respond efficiently to incidents. This requires accurate issue prioritization and issue context.
Deliver prompt, accurate reporting. With timelines as short as 24 hours, it is critical to quickly assess what happened and if it was important.
Recover quickly. Resilience is key to maintaining business continuity. EU entities must have incident response plans that detail their response to cyber threats.
NIS 2 covers a lot of ground, especially for organizations with reactive security workflows.
How are Organizations Preparing for NIS 2?
NIS 2 does not dictate how organizations meet risk management objectives. Instead, companies are given the flexibility to “…choose a governance framework to achieve objectives…” (chapter 2, Article 7). This is a common approach for congressional statutes in the United States, such as Sarbanes-Oxley, HIPAA and Dodd-Frank, or parliamentary acts in the EU, including GDPR.
Flexibility is both a blessing and a curse. To meet NIS 2 requirements, many organizations are turning to established standards such as ISO 27001, ISO 27002, CIS and NIST 800-53 for guidance. However, compliance frameworks are often challenging to interpret and operationalize. It can be unclear how they can be used tactically for early visibility into risk, and how their data enables confident and quick mitigation.
How CyCognito Accelerates NIS 2 Initiatives
Delivered as a service, CyCognito supports your organization’s efforts to meet their NIS 2 objectives around risk management, resilience and reporting.
Proactively reduce exposures
Early visibility into vulnerabilities and exposures enhances your security team’s ability to mitigate potential threats. This reduces the number of emergency incident response, reporting and recovery activities.
With CyCognito, your teams know:
All exposed assets are continuously identified, validated and actively tested
New business structures and related exposed assets will be added automatically, without manually entered seed information or prompts
If issues are in violation of six cybersecurity frameworks (including ISO, NIST and CIS)
All exposed web apps are safely tested for OWASP top 10 and more (using DAST)
If there is attacker interest in the vulnerability, through integrated threat intelligence
This includes CISA known exploited vulnerabilities (KEV).
Asset business function and business owner for lower mean time to remediation (MTTR)
Asset location details – for example, autonomous system number (ASN)
As an example, CyCognito users can filter issues by compliance violation, illustrated in Figure 1. This information is also available via API.
Figure 1: Critical Issues Filtered by Compliance Violations
Respond efficiently to incidents
The NIS 2 requirement to “…mitigate threats to network and information systems…” is best supported with risk-based threat prioritization. Only by knowing the issues that pose the greatest risk can you confidently defend your decision to assign staff to remediation.
CyCognito provides:
Issues that represent true risk to your organization
Detailed risk grading and scoring per asset, per subsidiary and per brand
Evidence that supports risk scores
The discoverability and attractiveness of the asset
The division/team that owns the asset
Remediation instructions and an estimate of remediation effort
The ability to confidently find assets by search criteria, whether business, technical or risk based
Validation that an issue was remediated
For example, you may have an initiative to ensure that e-commerce web apps are protected by a web application firewall (WAF) and have CAPTCHA enabled. Checking this is simple in CyCognito, as illustrated in Figure 2.
Figure 2: Filter Web Applications by Presence of WAF and CAPTCHA
Sharing threat, vulnerability and even incident data with authorities is critical to building collective resilience. NIS 2’s tight timelines require rapid access to high confidence data that spans business, technology and risk.
CyCognito enables you to meet the directive’s 24 hour, 72 hour and 30-day reporting requirements through:
On-demand and scheduled executive reports that communicate the state of your external attack surface
Issue and asset details that include business context, attacker interest and threat intelligence (see Figure 4)
Dashboards that quantify risk tolerance and goals (exportable to PDF)
Remediation planning workflows with steps to reach a security grade
Remediation progress, including time to completion, per business unit, geography and more
For example, Figure 3 shows a snapshot of the executive report with the security score of major components during a reporting period.
Figure 3: Executive Report Snapshot With Scoring Breakdown by Component
Recover quickly
Achieving incident resilience involves regular assessment of exposed network and information systems. “Resilience” refers to the ability of these systems to recover from, and adapt to, adverse conditions, attacks or compromises.
CyCognito is a reliable source of information about your exposed attack surface. For example, Figure 4 presents a view into some of the details on an asset susceptible to CVE-2019-19781 (Unauthenticated Remote Directory Traversal & Code Execution).
Figure 4: Issue Details for Risk Communication
This information can also be used for collaboration between national authorities, between member states, and between the public and private sectors.
Case Study: CyCognito Helps Asklepios Comply with NIS 2
As NIS 2 is translated into national law, CyCognito helps Asklepios, a German hospital company, fulfill its legal requirements by providing visibility and assessment of its IT infrastructure.
“The upcoming NIS 2 is currently just a directive, a European directive, currently translated into a national law. The national law should be published by February this year and should be effective by October this year,” says Daniel Maier-Johnson, Chief Information Security Officer (CISO) of Asklepios.
“CyCognito’s automatic detection of the external attack surface is state-of-the-art and provides transparency, which will help us keep compliant with BSI Act and NIS 2 regulations.”
Shorten your Journey to NIS 2 Compliance with CyCognito
NIS 2 compliance is difficult for organizations of any size. CyCognito, delivered as an automated service, enables a fast response to this upcoming directive. With CyCognito, your teams are able to:
Respond to issues before they become incidents
Understand which issues pose the greatest threat to your organization
Align issues with compliance standards such as ISO 27001, ISO 27002 and NIST 800-53
Work from a high-confidence inventory of your external attack surface
Communicate efficiently with full issue details, asset details and issue evidence
Validate remediation efforts automatically
The result: confident visibility into external risk, faster audit times and lower stress levels for your teams.
If you’re interested in learning more about navigating compliance or simplifying compliance initiatives, check out some of our related recent resources:
Get a free scan of your attack surface and gain valuable insight into your organization's risk posture by allowing CyCognito to discover, contextualize, and test externally exposed assets on a portion of your parent company or a single subsidiary.