The world of cybersecurity is constantly evolving: talent, products, technologies and regulatory requirements all change. As cyber threats grow in scale and sophistication, the spotlight has fallen on the European Commission to address them through regulation and compliance obligations.
Consequently, we have seen the Cyber Resilience Act (CRA), the AI Act, the Digital Operational Resilience Act (DORA) and, most pressing, the second Network and Information Security Directive, NIS2.
NIS2: a necessary evolution of the regulatory framework
NIS2 goes well beyond the objectives of NIS1. NIS1 set a minimum baseline of security requirements for the entities and sectors most exposed to cyber attacks. The objective of NIS2 is to strengthen resilience by extending those requirements to new sectors and entities.
This is a necessary development in view of the growing threats, which now target local authorities, public health establishments, higher education establishments and every party in the supply chain, none of which were covered by NIS1.
For EU Member States, NIS2 will also address the lack of coherence and the fragmentation in how cyber attacks on sensitive sectors are handled across Europe.
What will the new regulatory framework deliver?
- Harmonisation of the implementation of the Directive across Europe, with more precise regulations.
- Stronger overall security, with strict and proportionate requirements that depend on whether the organisation is categorised as an essential or an important entity.
- Increased responsibility and powers of supervision, control, and sanction for the Member States to ensure proper implementation of these measures.
- A transfer of day-to-day responsibility to the businesses themselves, who must manage their own risks.
The question businesses therefore now face is how to meet these compliance challenges quickly and with minimal disruption.
This is complicated by the fact that, at present, few binding measures have been specified beyond notification of contact persons, incident reporting procedures and the possible sharing of information. The Member States are still transposing the directive into national law (the transposition deadline set by the directive is 17 October 2024).
However, building on NIS1, some elements must already be considered:
- Put a governance policy in place that ensures adequate risk management, including audit, risk analysis, security indicators, accreditation and mapping of the information system.
- Address the key protection measures in the security policies that apply to the architecture itself, covering administration, access and maintenance.
- Put appropriate and reinforced detection measures in place, together with incident response and management measures that maintain business continuity should a cyber attack occur.
Delays at a European level
NIS2 covers these areas. However, the detailed requirements are delayed at both the European and national levels, particularly where NIS2 must be integrated with other legislation.
Even so, these demands can be translated into a workable strategy that begins now. There are five pillars to consider:
- Identifying and mitigating risks
- Protecting data and sensitive information
- Investing in or strengthening cybersecurity technologies
- Implementing incident management and CSIRT notification measures
- Training and awareness-raising for employees
First of all, it is essential to develop, enhance or maintain complete visibility of the information system. This can be achieved through Network Detection and Response (NDR) solutions, which provide an inventory and mapping of all assets and of user behaviour on the network.
Once the risks and challenges are identified, especially those around sensitive data, it is important to control access and enforce security policies, above all on restricted and confidential networks.
This has made NDR technology a core component of successful strategies, integrated into a comprehensive cybersecurity ecosystem. The goal is proactive threat hunting, with rapid qualification and remediation of incidents by experts.
Compliance, an ongoing journey
Today, compliance should be treated as a strategic opportunity for companies, not as an additional constraint or a tick-box exercise to meet new regulatory standards.
We need to take a long-term view. Achieving compliance should not be merely reactive: a long-term approach lets a business respond promptly to current compliance needs and anticipate future regulatory developments.
Beyond compliance, NDR enables organisations to raise overall levels of cybersecurity and optimise investments for the most effective detection of and response to threats. Building a cybersecurity strategy with NDR as a cornerstone means choosing a long-term cyber path, with anticipation as the keystone. For cyber-attackers and defenders alike, time is of the essence. The aim is to be able to respond effectively to potential future threats, thanks to an adapted and responsive defence system.
Think of NIS2 as a guide to identifying and prioritising risks, areas of weakness and cybersecurity strengths, in order to draw up a dynamic strategy to combat attacks. When approached strategically, compliance turns from a necessity into a real opportunity and a competitive advantage.
A leader in the detection of cyber threats, Gatewatcher has been protecting the critical networks of large companies and public institutions worldwide since 2015. Its Network Detection and Response (NDR) and Cyber Threat Intelligence (CTI) solutions detect and respond quickly to cyber attacks. By combining AI with dynamic analysis techniques, Gatewatcher delivers a real-time 360-degree view of threats, covering both cloud and on-premise infrastructures.