
The NIS2 Directive tightens cybersecurity management – is your organization ready?


The updated NIS Directive of the European Union strengthens security practices within the EU. The Directive defines obligations for cybersecurity and the reporting of related incidents. The new NIS2 Directive enters into force in October 2024.

The NIS2 requirements apply to a large number of companies. These include providers and operators of infrastructure that is critical to society, for example in the energy, health, public administration, and manufacturing sectors. While the practical guidelines based on the Directive will be refined as the work progresses, organizations should already be promoting effective data security practices.

The NIS2 Directive puts a big responsibility on management to ensure cybersecurity

The obligations apply to cybersecurity throughout the company’s value chain, including subcontractors and suppliers outside the EU. Organizations that are not directly within the scope of the directive can therefore still be affected by it.

It is noteworthy that the new directive places the responsibility for the necessary cybersecurity infrastructure on top management personally, with potential penalties for non-compliance of up to 2% of the turnover. Although the directive does not set binding requirements at a practical level, companies have to implement data security in accordance with certain policies and in their own environment.

What is the NIS2 Cybersecurity Directive?

  • Update to the NIS Directive from 2022
  • Enters into force 18 October 2024
  • Defines and harmonizes cybersecurity practices across the EU
  • The number of companies and public bodies covered is growing. The actors involved 
    - operate in a socially critical sector; and
    - are medium to large in size (50+ employees, turnover or balance sheet total of $10+ million)
  • The directive sets out general requirements for cybersecurity practices that companies must put into practice. It defines, among other things, the following:
    - comprehensive risk management and cybersecurity across the value chain, including subcontractors and suppliers
    - ensuring business continuity
    - reporting cybersecurity breaches to the appropriate authorities in accordance with specific procedures
    - proactive controls for key operators (large operators) and after-the-fact controls for medium-sized operators
  • The directive places personal responsibility on the management to ensure compliance. The financial penalties for failure to comply can be substantial.

A systematic approach to cybersecurity is recommended

To meet the new requirements, you should start by taking a critical look at your organization’s existing practices: what is required to achieve a sustainable and compliant level of data security? In line with DevSecOps, the security aspect should be integrated from the very beginning of software development and the application of technical solutions. 

Ecosystem thinking is an effective approach to selecting technology solutions: for example, an organization operating in a Microsoft environment can create a multi-level control system for all devices and IT systems with the Microsoft Defender XDR product family. Defender XDR is a valid solution if your company has Windows workstations or M365, for example, even if your organization is not committed to using Microsoft Azure cloud services.

Microsoft Defender XDR offers capabilities such as:

  • Control of identities and access rights
    Defender XDR enables real-time monitoring of identities, endpoints, and cloud services. Identity access controls can be automated, access to systems can be quickly blocked in the event of an attack, and the events leading up to the attack can be assessed afterwards.  

  • Increasing cybersecurity maturity
    The platform suggests where to direct improvement efforts, from devices to users. It can also identify vulnerabilities on an organization’s servers and the people who are most susceptible to, for example, phishing. Email traffic and attachments can be protected and data leaks prevented through automated monitoring.

  • Minimizing malware threats
    Malware can be prevented, identified quickly, and investigated further. Running the detected programs safely through Defender XDR’s sandboxing feature provides information such as what the program was trying to do. 

With Defender XDR, cybersecurity policies and data can be easily centralized in the cloud. Automating processes with the Defender XDR product family also minimizes the risks associated with manual work, and enables a rapid response during the critical first minutes of a potential attack.

It is important to consider the modern environment

Where in the past the focus has been on the role of the internal network, firewalls, and VPNs in managing cybersecurity risks, the focus is now on the architecture of the operating environment, where risks are minimized at multiple levels. The NIS2 Directive specifies that organizations must establish and document a cybersecurity policy that takes into account all risk factors.

For example, the Zero Trust protection model builds the organization’s cybersecurity on multiple layers of protection and proactive structures. The Zero Trust security model – the name of which gives you the gist of the thinking – operates on the assumption that data breaches are always possible and must be prepared for on every system. For employees, the security model brings changes that make everyday life easier: you can access your company’s systems in the same way from your office, home office, or even a café. Zero Trust follows three guiding principles:

  • Verify explicitly
    A VPN connection alone is not enough to establish the identity of the user; other mechanisms, such as multi-factor authentication, must be used to authenticate, including on internal systems.

  • Use the principle of least privilege
    Access rights should be granted sparingly and only where there is a genuine need.

  • Manage data breaches
    Efforts should be made to minimize the impact of data breaches, for example by encrypting data, ensuring recoverability, and having recovery plans in place. 
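To make the first two principles concrete, here is a small access-decision function written for this article as an added illustration; it is not Pinja’s or Microsoft’s code, and the roles, resources and requests in it are constructed sample data. The point it demonstrates is that the network a request comes from (office, VPN or café) is recorded only for the audit trail and never influences the decision: identity must be verified explicitly with MFA and a compliant device, and the role must carry exactly the permission requested. Every decision, including the reasons for a denial, is appended to an audit log so that events can be reconstructed after a suspected breach.

```python
"""Illustrative Zero Trust access decision (constructed example, not product code)."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

@dataclass(frozen=True)
class AccessRequest:
    user: str
    role: str
    resource: str
    action: str            # "read" or "write"
    mfa_verified: bool     # explicit verification signal
    device_compliant: bool # explicit verification signal
    network: str           # "corporate", "vpn" or "internet"; audit only, never a trust signal

# Least privilege: each (hypothetical) role maps to the minimum set of
# (resource, action) pairs it needs and nothing more.
ROLE_PERMISSIONS: Dict[str, Set[Tuple[str, str]]] = {
    "analyst": {("hr-db", "read")},
    "hr-admin": {("hr-db", "read"), ("hr-db", "write")},
}

# Append-only record of every decision; used when investigating an incident.
AUDIT_LOG: List[dict] = []


def evaluate(req: AccessRequest) -> Tuple[str, List[str]]:
    """Return ("allow" | "deny", reasons). Location is deliberately not consulted."""
    reasons: List[str] = []

    # Verify explicitly: a corporate or VPN address proves nothing about the user.
    if not req.mfa_verified:
        reasons.append("mfa_required")
    if not req.device_compliant:
        reasons.append("device_not_compliant")

    # Least privilege: the role must explicitly include this resource/action pair.
    if (req.resource, req.action) not in ROLE_PERMISSIONS.get(req.role, set()):
        reasons.append("not_permitted_for_role")

    decision = "allow" if not reasons else "deny"
    AUDIT_LOG.append({
        "user": req.user, "resource": req.resource, "action": req.action,
        "network": req.network, "decision": decision, "reasons": list(reasons),
    })
    return decision, reasons


# Constructed sample requests: same user, different signals and locations.
SAMPLE_REQUESTS = [
    AccessRequest("anna", "analyst", "hr-db", "read", False, True, "corporate"),  # on-site, no MFA
    AccessRequest("anna", "analyst", "hr-db", "read", True, True, "internet"),    # café, fully verified
    AccessRequest("anna", "analyst", "hr-db", "write", True, True, "vpn"),        # verified, wrong role
    AccessRequest("anna", "analyst", "hr-db", "read", True, False, "corporate"),  # on-site, bad device
]


def run_samples() -> List[str]:
    """Evaluate the sample requests and return the list of decisions."""
    return [evaluate(r)[0] for r in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for req, decision in zip(SAMPLE_REQUESTS, run_samples()):
        print(f"{req.network:<9} mfa={req.mfa_verified!s:<5} {req.action:<5} -> {decision}")
```

Note that the on-site request without MFA is denied just like an unknown device from the café, while the verified request from the café is allowed; that is the practical meaning of "you can access your company’s systems in the same way from your office, home office, or even a café".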

It all starts with identifying your needs

A reliable partner is often a good solution for initial mapping and implementation if the required expertise is not available in-house. Pinja provides a wide range of data security services from penetration testing to the deployment of solutions such as Microsoft Defender XDR products in companies – including organizations not using Microsoft’s environment. We report our findings and make recommendations to improve cybersecurity within the organization. 

Are you wondering about the importance of the NIS2 Directive and your organization’s level of cybersecurity? Contact us to discuss the situation together and find the best solution.

Microsoft Defender XDR 

A family of Microsoft products that can be used to create a complete environment for data security operations.
It can be used, for example, to:

  • prevent cybersecurity threats,
  • identify vulnerabilities in organizations,
  • manage attacks, and 
  • control identities. 

Zero Trust protection model

A mindset that guides data security to meet the challenges of the modern environment. It addresses the protection of devices, the reduction of cybersecurity threats, and proactive action to prevent attacks.


Jesse Ikola

I work at Pinja as a data security expert and technical project manager. What I enjoy most about my job is that I get to act as an interpreter at the interface between technical experts and clients. I spend my free time with my family, and I also have a passion for martial arts such as Han Moo Do and Brazilian Jiu-Jitsu.
