The updated NIS Directive of the European Union strengthens security practices within the EU. The Directive defines obligations for cybersecurity and the reporting of related incidents. The new NIS2 Directive enters into force in October 2024.
The NIS2 requirements apply to a large number of companies. These include providers and operators of infrastructure that is critical for society, for example in the energy, health, public administration, and manufacturing sectors. While the practical guidelines provided by the Directive will be refined as the work progresses, organizations should already be promoting effective data security practices.
The obligations apply to cybersecurity throughout the company’s value chain, including subcontractors and suppliers outside the EU. Organizations not directly affected by the requirements of the directive can, therefore, also be affected by it.
It is noteworthy that the new directive places the responsibility for the necessary cybersecurity infrastructure on top management personally, with potential penalties for non-compliance of up to 2% of the turnover. Although the directive does not set binding requirements at a practical level, companies have to implement data security in accordance with certain policies and in their own environment.
To meet the new requirements, you should start by taking a critical look at your organization’s existing practices: what is required to achieve a sustainable and compliant level of data security? In line with DevSecOps, the security aspect should be integrated from the very beginning of software development and the application of technical solutions.
Ecosystem thinking is an effective approach to selecting technology solutions: for example, an organization operating in a Microsoft environment can create a multi-level control system for all devices and IT systems with the Microsoft Defender XDR product family. Defender XDR is a viable solution if your company has Windows workstations or M365, for example, even if your organization is not committed to using Microsoft Azure cloud services.
Microsoft Defender XDR offers things like:
With Defender XDR, cybersecurity policies and data can be easily centralized in the cloud. Automating processes with the Defender XDR product family also minimizes the risks associated with manual work, and enables a rapid response during the critical first minutes of a potential attack.
Where in the past the focus has been on the role of the internal network, firewalls, and VPNs in managing cybersecurity risks, the focus is now on the architecture of the operating environment, where risks are minimized at multiple levels. The NIS2 Directive specifies that organizations must establish and document a cybersecurity policy that takes into account all risk factors.
For example, the Zero Trust protection model focuses on multi-level protection of the organization’s cybersecurity and proactive structures. The Zero Trust security model – the name of which gives you the gist of the thinking – operates on the assumption that data breaches are always possible and must be prepared for on every system. For employees, the security model brings changes that make everyday life easier: you can access your company’s systems in the same way from your office, home office, or even a café. Zero Trust follows three guiding principles:
A reliable partner is often a good solution for initial mapping and implementation if the required expertise is not available in-house. Pinja provides a wide range of data security services from penetration testing to the deployment of solutions such as Microsoft Defender XDR products in companies – including organizations not using Microsoft’s environment. We report our findings and make recommendations to improve cybersecurity within the organization.
Are you wondering about the importance of the NIS2 Directive and your organization’s level of cybersecurity? Contact us to discuss the situation together and find the best solution.
A family of Microsoft products that can be used to create a complete environment for data security operations.
It can be used to, for example
A mindset that guides data security to meet the challenges of the modern environment. It addresses the protection of devices, the reduction of cybersecurity threats, and proactive action to prevent attacks.