The NIS2 Directive tightens cybersecurity management – is your organization ready?

The updated NIS Directive of the European Union strengthens security practices within the EU. The Directive defines obligations for cybersecurity and the reporting of related incidents. The new NIS2 Directive enters into force in October 2024.

The NIS2 requirements apply to a large number of companies. It includes providers and operators of critical infrastructure for society, for example in the energy, health, public administration, and manufacturing sectors. While the practical guidelines provided by the Directive will be refined as the work progresses, organizations should already promote effective data security practices. 

The NIS 2 Directive puts a big responsibility on management to ensure cybersecurity

The obligations apply to cybersecurity throughout the company’s value chain, including subcontractors and suppliers outside the EU. Organizations not directly affected by the requirements of the directive can, therefore, also be affected by it. 

It is noteworthy that the new directive places the responsibility for the necessary cybersecurity infrastructure on top management personally, with potential penalties for non-compliance of up to 2% of the turnover. Although the directive does not set binding requirements at a practical level, companies have to implement data security in accordance with certain policies and in their own environment.

A systematic approach to cybersecurity is recommended

To meet the new requirements, you should start by taking a critical look at your organization’s existing practices: what is required to achieve a sustainable and compliant level of data security? In line with DevSecOps, the security aspect should be integrated from the very beginning of software development and the application of technical solutions. 

Ecosystem thinking is an effective approach to selecting technology solutions: for example, an organization operating in a Microsoft environment can create a multi-level control system for all devices and IT systems with the Microsoft Defender XDR product family. Defender XDR is a valid solution if your company has Windows workstations or M365, for example, even if your organization is not committed to using Microsoft Azure cloud services.

Microsoft Defender XDR offers things like:

• Control of identities and access rights
  Defender XDR enables real-time monitoring of identities, endpoints, and cloud services. Identity access controls can be automated, access to systems can be quickly blocked in the event of an attack, and the events leading up to the attack can be assessed afterwards.  
  
  
• Increasing cybersecurity maturity
  The platform suggests where to direct development from devices to users. It can also identify vulnerabilities on an organization’s servers and the people who are most vulnerable to, for example, phishing. Email traffic and attachments can be protected and data leaks prevented through automated monitoring.
  
  
• Minimizing malware threats
  Malware can be prevented, identified quickly, and investigated further. Running the detected programs safely through Defender XDR’s sandboxing feature provides information such as what the program was trying to do. 

With Defender XDR, cybersecurity policies and data can be easily centralized in the cloud. Automating processes with the Defender XDR product family also minimizes the risks associated with manual work, and enables a rapid response during the critical first minutes of a potential attack.

It is important to consider the modern environment

Where in the past the focus has been on the role of the internal network, firewalls, and VPNs in managing cybersecurity risks, the focus is now on the architecture of the operating environment, where risks are minimized at multiple levels. The NIS2 Directive specifies that organizations must establish and document a cybersecurity policy that takes into account all risk factors.

For example, the Zero Trust protection model focuses on multi-level protection of the organization’s cybersecurity and proactive structures. The Zero Trust security model – the name of which gives you the gist of the thinking – operates on the assumption that data breaches are always possible and must be prepared for on every system. For employees, the security model brings changes that make everyday life easier: you can access your company’s systems in the same way from your office, home office, or even a café. Zero Trust follows three guiding principles:

• Check explicitly
  So a VPN alone is not enough to ensure the identity of the user – other mechanisms must be used to authenticate, such as multi-factor authentication, also on internal systems.
  
  
• Use the principle of least privilege
  Access rights should be allocated judiciously and reasonably – only for the right need.
  
  
• Manage data breaches
  Efforts should be made to minimize the impact of data breaches, for example by encrypting data, ensuring recoverability, and having recovery plans in place. 

It all starts with identifying your needs

A reliable partner is often a good solution for initial mapping and implementation if the required expertise is not available in-house. Pinja provides a wide range of data security services from penetration testing to the deployment of solutions such as Microsoft Defender XDR products in companies – including organizations not using Microsoft’s environment. We report our findings and make recommendations to improve cybersecurity within the organization. 

Are you wondering about the importance of the NIS2 Directive and your organization’s level of cybersecurity? Contact us to discuss the situation together and find the best solution.

Read more:

What you need to know in the manufacturing industry about the DevSecOps operating model
Software development and partnership service site