Last Updated on April 11, 2024

The ever-evolving cybersecurity threat landscape makes the competent authorities adapt to reality by establishing new security regulations and laws. According to Forbes Advisor, in 2023 there were more than 2,000 cyberattacks with more than 340 million victims worldwide, and the number of data breaches has grown by 72% since 2021.

In December 2020 the European Commission proposed a new cybersecurity law, NIS 2 (Directive (EU) 2022/2555, the revised Network and Information Security Directive), which entered into force on January 16th, 2023. By October 17th, 2024 all EU Member States must transpose the Directive into national law and make it part of their national cybersecurity strategies. What does that mean in practice? Every organization within the Directive’s scope should comply with the NIS 2 requirements by the 4th quarter of 2024, so there isn’t a lot of time left. Let’s break down the main goals of NIS 2, which organizations it concerns, and how to meet the Directive’s cybersecurity obligations.

NIS 2: Key points

After reviewing the original NIS Directive, the European Commission concluded that the law needed to adapt to emerging threats across both the public and private sectors. As a proactive measure it presented NIS 2, which aims to strengthen the security posture of essential and important entities and to minimize the impact of incidents on businesses. The cybersecurity measures NIS 2 is built on follow an all-hazards approach, which obliges companies to plan for any disaster scenario, not only cyberattacks. In practice, organizations must establish clear strategies for risk management, control, and oversight to raise the level of cybersecurity within the organization.

Who does the Directive affect?

Unlike its predecessor, NIS, which left it to each Member State to identify the operators of essential services, the NIS 2 Directive contains a precise list of the sectors it covers. The Directive divides in-scope organizations into two main categories, depending on their sector and size: essential entities and important entities.

Essential entities are, as a rule, large companies operating in the sectors of high criticality (the sectors most targeted by cybercriminals). These sectors are:

  • ICT service management (business-to-business)
  • digital infrastructure
  • financial market infrastructures
  • transport
  • energy (electricity, oil, gas, hydrogen, and district heating and cooling)
  • drinking water and wastewater
  • public administration
  • space
  • banking
  • healthcare.

Important entities are medium-sized companies operating in the sectors of high criticality listed above, together with medium and large companies in the following “other critical sectors”:

  • waste management
  • food production, processing and distribution
  • postal and courier services
  • manufacturing (including medical devices, electronics, machinery and motor vehicles)
  • production and distribution of chemicals
  • research organizations
  • digital providers (online marketplaces, search engines, social networking platforms).

What happens if an organization fails to comply with NIS 2? Large fines. As with GDPR, NIS 2 provides for fines for companies that do not meet the Directive’s requirements.

For companies in the “essential entities” category, the maximum fine is at least €10M or 2% of the company’s total worldwide annual turnover, whichever is higher. Companies in the “important entities” category face a somewhat lower maximum: €7M or 1.4% of their total worldwide annual turnover, whichever is higher.

NIS 2 requirements: What the organizations need to comply with

As already mentioned, all the security measures that organizations must adopt under the NIS 2 Directive should be based on the all-hazards approach: organizations must protect their network and information systems, and the physical environment of those systems, from incidents of any origin. Those measures should at least include:

  1. policies on risk analysis and information system security,
  2. incident handling,
  3. business continuity measures, including backup management, disaster recovery, and crisis management,
  4. supply chain security policies that address security-related aspects of the relationships between the organization and its direct suppliers and service providers,
  5. security in network and information systems acquisition, development, and maintenance, including vulnerability handling and disclosure,
  6. policies and procedures for assessing the effectiveness of cybersecurity risk management measures,
  7. basic cyber hygiene practices and cybersecurity training,
  8. policies and procedures on the use of cryptography and, where appropriate, encryption,
  9. human resources security, access control policies, and asset management,
  10. the use of multi-factor authentication or continuous authentication solutions, secured voice, video, and text communications, and secured emergency communication systems within the organization, where appropriate.

How to prepare your organization for NIS 2 Directive

One of the foundations of a successful compliance journey is effective and timely preparation. Let’s look at the best practices that can help your organization meet the new security requirements and give it confidence that its data is protected.

Identify what critical infrastructure, processes and data your organization has

The first step on the NIS 2 compliance path is to identify your organization’s essential services, assets, procedures, and cybersecurity capabilities. The best way to do that is a Business Impact Analysis (BIA). A BIA predicts the consequences of a business disruption caused by a disaster and gathers the information your organization needs to develop effective recovery strategies. It thus identifies the company’s critical processes and how much they depend on network and information systems, which lets you define potential data loss scenarios and the ways to mitigate them.

Develop a method for managing risks and information security

Under the NIS 2 Directive, companies must have a method for managing their information security risks. This risk and information security management system should help the organization identify, address, and continuously monitor the information security threats it faces. It also helps the organization make sure that everyone clearly understands their responsibilities and acts on them, so that all critical processes keep running.

Have a double-check of your IT supply chain

It’s hard to imagine work without third-party tools and cloud computing service providers; they help organizations organize and manage their workflows faster and more effectively. But are all the third-party tools and services your organization uses safe? That is what you need to check, starting with the applications and providers that are critical to your company’s business continuity.

Once you know where your IT supply chain is weak, you can take appropriate security measures to remediate the operational, contractual, and technical vulnerabilities, for example by writing security requirements into supplier contracts and by reviewing the access each supplier has to your systems and data.


Back up your company’s data 

Backup is one of the NIS 2 requirements (it falls under business continuity). Why? Because it is what makes the company’s business continuity possible after an incident. To make sure it does, organizations should write their backup policy around backup best practices, which include:

  • full data coverage, so that no part of the organization’s data is left unprotected,
  • automated, scheduled backups, so that the organization can meet its Recovery Time Objective and Recovery Point Objective (RTO and RPO),
  • support for full, incremental, and differential backups,
  • multi-storage compatibility, so that the organization can follow the 3-2-1 backup rule or a stricter variant such as 3-2-1-1 or 4-3-2,
  • replication between storages,
  • long-term or unlimited retention, as organizations sometimes need to keep critical data for years,
  • encryption in flight and at rest with a customer-managed encryption key, so that data is protected both during transmission and while stored,
  • ransomware protection (for example immutable backup copies that a compromised account cannot delete) and cyber resilience,
  • restore and Disaster Recovery technology,
  • a monitoring console to stay up to date on all backup jobs.
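As an added example (this is not code from the original article or from GitProtect), the Python script below checks a constructed backup inventory against several of the policy elements listed above: the 3-2-1 rule, the RPO, encryption at rest, and the presence of an immutable copy as ransomware protection. The DataCopy and BackupPolicy classes, the inventory records, and the reference time are assumptions made for illustration. It goes slightly beyond the text by applying the RPO twice, once to the newest backup overall and once to the newest off-site backup, since only the off-site copy helps after a site-level disaster.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class DataCopy:
    """One copy of a dataset; role is "primary" (production) or "backup". (Assumed model.)"""
    name: str
    role: str
    medium: str             # storage type, e.g. "local-disk", "nas", "s3"
    offsite: bool           # stored outside the primary site
    encrypted_at_rest: bool
    immutable: bool         # WORM / object lock: ransomware or a hijacked admin cannot delete it
    completed_at: datetime  # when this copy was last brought up to date


@dataclass(frozen=True)
class BackupPolicy:
    min_copies: int = 3                   # the "3" of 3-2-1, counting the primary
    min_media: int = 2                    # the "2": distinct storage types
    min_offsite: int = 1                  # the "1": off-site backups
    rpo: timedelta = timedelta(hours=24)  # maximum tolerable data loss
    require_encryption: bool = True
    require_immutable: bool = True


def newest_backup_age(copies, now, offsite_only=False):
    """Worst-case data loss right now: the age of the most recent backup.

    With offsite_only=True only off-site copies count, i.e. the loss you face
    if the whole primary site is gone. Returns None if no such copy exists.
    """
    backups = [c for c in copies
               if c.role == "backup" and (c.offsite or not offsite_only)]
    if not backups:
        return None
    return now - max(c.completed_at for c in backups)


def evaluate(copies, policy, now):
    """Return a list of policy violations; an empty list means compliant."""
    backups = [c for c in copies if c.role == "backup"]
    problems = []

    if len(copies) < policy.min_copies:
        problems.append(f"{len(copies)} copies, policy requires {policy.min_copies}")

    media = sorted({c.medium for c in copies})
    if len(media) < policy.min_media:
        problems.append(f"{len(media)} storage type(s) ({', '.join(media)}), "
                        f"policy requires {policy.min_media}")

    offsite = [c for c in backups if c.offsite]
    if len(offsite) < policy.min_offsite:
        problems.append(f"{len(offsite)} off-site backup(s), policy requires {policy.min_offsite}")

    # The RPO is checked against the newest backup overall and against the newest
    # off-site backup, because a site-level disaster can only be recovered from off-site.
    for label, age in (("backup", newest_backup_age(copies, now)),
                       ("off-site backup", newest_backup_age(copies, now, offsite_only=True))):
        if age is not None and age > policy.rpo:
            problems.append(f"newest {label} is {age} old, exceeding the RPO of {policy.rpo}")
    if not backups:
        problems.append("no backup copy exists at all")

    if policy.require_encryption:
        problems += [f"backup '{c.name}' is not encrypted at rest"
                     for c in backups if not c.encrypted_at_rest]
    if policy.require_immutable and not any(c.immutable for c in backups):
        problems.append("no immutable backup copy: ransomware can destroy every backup")
    return problems


# Constructed sample inventories (not real systems), evaluated at a fixed reference time.
NOW = datetime(2024, 4, 11, 9, 0, tzinfo=timezone.utc)

COMPLIANT = [
    DataCopy("git-server", "primary", "local-disk", False, True, False, NOW),
    DataCopy("nightly-nas", "backup", "nas", False, True, False, NOW - timedelta(hours=9)),
    DataCopy("s3-objectlock", "backup", "s3", True, True, True, NOW - timedelta(hours=10)),
]

# Same layout, but the NAS copy lost its encryption and the off-site job has been failing.
DRIFTED = [
    DataCopy("git-server", "primary", "local-disk", False, True, False, NOW),
    DataCopy("nightly-nas", "backup", "nas", False, False, False, NOW - timedelta(hours=9)),
    DataCopy("s3-objectlock", "backup", "s3", True, True, True, NOW - timedelta(days=3)),
]

if __name__ == "__main__":
    for name, inventory in (("compliant", COMPLIANT), ("drifted", DRIFTED)):
        print(f"{name}: worst-case loss {newest_backup_age(inventory, NOW)}, "
              f"after site loss {newest_backup_age(inventory, NOW, offsite_only=True)}")
        for p in evaluate(inventory, BackupPolicy(), NOW) or ["no violations"]:
            print("  -", p)
```

Running the script reports no violations for the first inventory and two for the second: the off-site copy is three days old, so a site loss would exceed the 24-hour RPO even though the local NAS copy is fresh, and the NAS copy is no longer encrypted at rest. The point of the second RPO check is that a backup dashboard showing a green nightly job does not by itself prove the 3-2-1 layout is still delivering the promised recovery point.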

Ensure that you have a restore and Disaster Recovery

Restore and Disaster Recovery procedures are impossible without a backup. So, to develop an effective restore strategy, your organization first needs a professional and comprehensive backup.

Your backup solution’s restore options should let you recover data from any point in time, restore only selected items (granular restore), restore to the local device you choose, recover to the same or a new repository or organization account, and perform a cross-over recovery to another Git hosting platform (any combination of GitHub, Bitbucket, and GitLab).

Disaster Recovery – Use Cases

Your organization should be able to handle any possible disaster scenario. For example, if the organization’s Git hosting provider experiences an outage, it should be able to retrieve its DevOps and project management data from the most recent backup copy, or from a chosen point in time, to its local infrastructure or, through a cross-over restore, to another Git hosting service.

In the situation where the organization’s own infrastructure is down, it should be able to restore its data from another storage destination. Remember the 3-2-1 backup rule mentioned above? By following it, the organization ensures that it keeps at least three copies of its data (the production copy plus two backups) on at least two different storage types (local or cloud), with at least one copy off-site. In that case, if the company’s infrastructure suffers a disaster and the first backup storage is inaccessible, the organization can retrieve the backup from any point in time from the second storage location.

And finally the third situation: the backup provider’s own infrastructure is down. In this case, the backup solution supplier should provide the organization with an installer for its on-premise application, so that the organization can still restore its data from its own storage.

Promote cyber-oriented culture within your organization

Remember: it is highly important to establish a cyber-oriented culture and to raise your team’s security awareness. Every team member should clearly understand their responsibilities for information security and contribute to the coordination of security measures, incident reporting, and incident handling. To achieve that, organizations should provide regular security training for their employees and have a clear security policy.

GitProtect.io backup and Disaster Recovery solution to meet NIS 2 requirements

Backup and Disaster Recovery are among the requirements that help an organization guarantee cyber resilience and the business continuity of its operations.

GitProtect.io is the most professional DevOps Backup & Disaster Recovery software for security compliance and instant remediation. With its best-in-class backup, restore, security, and access control measures proven by both ISO 27001 and SOC 2 audits, it’s tailored to enterprise-class domains. Full data coverage, automated scheduled backups, unlimited retention, ransomware protection package, restore and Disaster Recovery technology, custom encryption key, web-based central management console with visual statistics, data-driven dashboards, SLA and Compliance reports can help organizations keep up with strict security standards, including NIS 2.

“GitProtect is a product specifically developed to back up repositories and metadata. It is interoperable with the most important players in the marketplace. It is a commercial product, continuously developed, and provides good customer technical support. It is compliant with GDPR requirements and it is a valuable choice for ISO 27001 compliance.”

Silvio Umberto Zanzi, IT Manager at Ammagamma

Conclusion

By keeping up with the NIS 2 Directive, organizations not only comply with a new mandatory security standard but also strengthen the security posture of their digital infrastructure and improve their cybersecurity risk management measures. Organizations should develop effective security procedures to address any possible disaster scenario, since the main goal of NIS 2 is a high common level of cybersecurity across the European Union.

Last but not least, on September 18th, 2023, the Commission published Guidelines on the relationship between NIS 2 and another piece of EU legislation, the Digital Operational Resilience Act (DORA), which targets financial entities. DORA is to be “considered as a sector-specific Union legal act for the purposes of Article 4 of the NIS 2 Directive,” as DORA itself states. Thus, a financial entity covered by DORA applies DORA’s provisions on ICT risk management and incident reporting instead of the corresponding NIS 2 provisions on cybersecurity risk management and reporting.

Before you go:

🔎 Learn more about security standards and security compliance best practices

✍️ Subscribe to GitProtect DevSecOps X-Ray Newsletter and always stay up-to-date with the latest DevOps and security insights to eliminate cybersecurity risks

📅 Schedule a live custom demo and learn more about GitProtect backup and Disaster Recovery software to meet your NIS 2 requirements and ensure data protection

📌 Or try GitProtect backups for your DevOps tools to eliminate data loss, ensure business continuity, and cyber resilience
