What’s the buzz about NIS 2?

The latest version of the Network and Information Security Directive (NIS 2) has severe implications for companies that provide services or carry out activities in the European Union (EU).

NIS 2’s goal is to establish a higher level of security and cyber resilience for member EU states in 18 essential industry sectors. Violations can lead to substantial fines, legal liability and even criminal sanctions on an individual level.

There is plenty of “buzz” about NIS 2, and it’s growing. As we approach the October 2024 deadline (and beyond), companies must finalize their plans to align with this legislative act. But what does NIS 2 mean and is there a best way to approach it? Let’s take a look.

Unpacking NIS 2

The goal of NIS 2 is “…to build cybersecurity capabilities across the Union, mitigate threats to network and information systems used to provide essential services in key sectors and ensure the continuity of such services when facing incidents…” (from page 1, line 1 in the NIS 2 Directive).

NIS 2 can be broken into four broad categories:

• Risk management (Chapter IV, article 21)
• Business continuity (Chapter IV, article 21)
• Reporting obligations (Chapter IV, article 23)
• Corporate accountability (Chapter VII, supervision and enforcement)

Risk management has both reactive and proactive elements. An efficient response to a live security incident is reactive. Mitigating vulnerabilities and exposures before they become incidents is proactive. 

Business continuity and reporting obligations are possible follow-up actions in the event a cyberattack is successful.

Corporate accountability covers the aftermath of a poor NIS 2 implementation. Companies that do not comply with NIS 2 are likely to receive a fine or other punishment. This includes legal liability for damage caused by a security incident that could have been prevented if the necessary measures had been taken.

Read more about NIS 2 in CyCognito’s compliance learning center and the full directive on the European Union Law website.

Four NIS 2 “Must Haves”

Alignment with NIS 2 means your organization must be able to:

1. Proactively reduce exposures. This is top priority because it reduces (or even eliminates) the number of occurrences of followup incident response and recovery activities.
2. Respond efficiently to incidents. This requires accurate issue prioritization and issue context.
3. Deliver prompt, accurate reporting. With timelines as short as 24 hours, it is critical to quickly assess what happened and if it was important.
4. Recover quickly. Resilience is key to maintaining business continuity. EU entities must have incident response plans that detail their response to cyber threats.

NIS 2 covers a lot of ground, especially for organizations with reactive security workflows. 

How are Organizations Preparing for NIS 2?

NIS 2 does not dictate how organizations meet risk management objectives. Instead, companies are given the flexibility to “…choose a governance framework to achieve objectives…” (chapter 2, Article 7). This is a common approach for congressional statutes in the United States, such as Sarbanes-Oxley, HIPAA and Dodd-Frank, or parliamentary acts in the EU, including GDPR.

Flexibility is both a blessing and a curse. To meet NIS 2 requirements many organizations are turning to established standards such as ISO27001, ISO27002, CIS and NIST 800-53 for guidance. However, compliance frameworks are often challenging to interpret and operationalize. It can be unclear how they can be used tactically for early visibility into risk, and how the data enables confident and quick mitigation.

How CyCognito Accelerates NIS 2 Initiatives

Delivered as a service, CyCognito supports your organization’s efforts to meet their NIS 2 objectives around risk management, resilience and reporting.

Proactively reduce exposures

Early visibility into vulnerabilities and exposures enhances your security team’s ability to mitigate potential threats. This reduces the number of emergency incident response, reporting and recovery activities.

With CyCognito, your teams know:

• All exposed assets are continuously identified, validated and actively tested
• New business structures and related exposed assets will be added automatically, without manually entered seed information or prompts
• If issues are in violation six cybersecurity frameworks (including ISO, NIST and CIS)
• All exposed web apps are safely tested for OWASP top 10 and more (using DAST)
• If there is attacker interest in the vulnerability, through integrated threat intelligence
  • This includes CISA known exploited vulnerabilities (KEV). 
  • Read more about CISA KEV integration in our blog CyCognito operationalizes CISA known exploited vulnerabilities catalog
• Asset business function and business owner for lower mean time to remediation (MTTR)
• Asset location details – for example, autonomous system number (ASN)

As an example, CyCognito users can filter issues by compliance violation, illustrated in Figure 1. This information is also available via API.

Figure 1: Critical Issues Filtered by Compliance Violations 

Respond efficiently to incidents

The NIS 2 requirement to “…mitigate threats to network and information systems…” is best supported with risk-based threat prioritization. Only by knowing the issues that pose the greatest risk can you confidently defend your decision to assign staff to remediation. 

CyCognito provides:

• Issues that represent true risk to your organization
• Detailed risk grading and scoring per asset, per subsidiary and per brand
• Evidence that supports risk scores
• The discoverability and attractiveness of the asset
• The division/team that owns the asset
• Remediation instructions and an estimate of remediation effort
• The ability to confidently find assets based by search criteria – whether business, technical or risk based
• Validation that an issue was remediated

For example, you may have an initiative to ensure e-commerce web apps are protected by a web application firewall (WAF) and have CAPTCHA initiated, this is simple in CyCognito, illustrated in Figure 2.

Figure 2: Filter Web Applications by Presence of WAF and CAPTCHA

Read more about CyCognito’s issue prioritization in our blog “Stop remediating backwards – Reactive Approaches Aren’t a Long-Term Solution”.

Deliver prompt, accurate reporting

Sharing threat, vulnerability and even incident data with authorities is critical to building collective resilience. NIS 2’s tight timelines require rapid access to high confidence data that spans business, technology and risk.

CyCognito enables you to meet the directive’s 24 hour, 72 hour and 30-day reporting requirements through:

• On-demand and scheduled executive reports that communicate the state of your external attack surface
• Issue and asset details that includes business context, attacker interest, threat intelligence (see Figure 4)
• Dashboards that quantify risk tolerance and goals (exportable to pdf)
• Remediation planning workflows with steps to reach a security grade
• Remediation progress, including time to completion, per business unit, geography and more

For example, Figure 3 shows a snapshot of the executive report with the security score of major components during a reporting period.

Figure 3: Executive Report Snapshot With Scoring Breakdown by Component

Objective: Recover quickly

Achieving incident resilience involves regular assessment of exposed network and information systems. “Resilience” refers to the ability of these systems to recover from, and adapt to, adverse conditions, attacks or compromises.

CyCognito is a confident source of information about your exposed attack surface. For example, figure 4 presents a view into some of the details on an asset susceptible to CVE-2019-19781 Unauthenticated Remote Directory Traversal & Code Execution.

Figure 4: Issue Details for Risk Communication

This information also can be used for collaboration between national authorities, member states and between public and private sectors. 

Case Study: CyCognito Helps Asklepios Comply with NIS 2

As NIS 2 is translated into national law, CyCognito helps Asklepios, a German hospital company, fulfill its legal requirements by providing visibility and assessment of its IT infrastructure.

“The upcoming NIS 2 is currently just a directive, a European directive, currently translated into a national law. The national law should be published by February this year and should be effective by October this year,” says Daniel Maier-Johnson, Chief Information Security Officer (CISO) of Asklepios.

“CyCognito’s automatic detection of the external attack surface is state-of-the-art and provides transparency, which will help us keep compliant with BSI Act and NIS 2 regulations.”

Shorten your Journey to NIS 2 Compliance with CyCognito

NIS 2 compliance is difficult for any size organization. CyCognito, delivered as an automated service, enables a fast response to this upcoming directive. With CyCognito, your teams are able to:

• Respond to issues before they become incidents
• Understand which issues pose the greatest threat to your organization
• Align issues with compliance standards such as ISO 27001, ISO 27002 and NIST 800-53
• Work from a high-confidence inventory of your external attack surface
• Communicate efficiently with full issue details, asset details and issue evidence
• Validate remediation efforts automatically

The result: confident visibility into external risk, faster audit times and lower stress levels for your teams.

Get a demo of the CyCognito platform to see how it can help automate your NIS 2 project for your attack surface.

If you’re interested in learning more about navigating compliance or simplifying compliance initiatives check out some of our related recent resources: 

• Blog Post: Navigating Compliance Challenges Across Your External Attack Surface
• Use Case: Simplify Compliance Initiatives
• Learning Center: Security Frameworks and Compliance Standards Defined

Disclaimer: This is meant as guidance only. For more details, refer to the NIS 2 directive and GRC specialist.