Part 1: NIS2's Duty of Care Requirements - Why this? Why Now?
For many EU Member States, Oct 17th, 2024, is a date met with big expectations regarding NIS2 requirements. Although some nations face delays in transposing the directive, that does not diminish the importance that having the NIS2 regulations in place will have for cybersecurity EU-wide.
Thinking about cybersecurity at a legislative level isn’t new: since 2016, when the first EU-wide laws on cybersecurity came into effect, there has been a major shift in how the security of our computer systems and networks is approached. As the digitalization of additional key sectors continues to rise, this latest legislation is vital to inspiring a changed mindset about what it means to be cybersecurity resilient and self-reliant. Following the EU Cybersecurity Act (2019) and the presentation of the Cyber Resilience Act (2022), NIS2 expands coverage to additional sectors and adds requirements for sectors already covered, building the EU’s resiliency to combat cybercrime and face it confidently head on.
But it’s complicated too, and many players are still figuring out how to integrate these new requirements into existing infrastructures. Yet the speed of cyberattacks and the sophistication of threat actors aren’t slowing down, so, ready or not, we need to be thinking proactively. “As organizations adopt NIS2-mandated policies, they contribute to a safer digital environment, protecting citizens’ data.” (ISACA)
Why This Directive Now?
"Threat actors are no longer localized, and cross-border attacks are increasing at an alarming rate. NIS2's more harmonized regulatory framework ensures that all member states meet the same cybersecurity standards." (PECB Insights)
Despite delays in legislation, it is important that we, as defenders, help keep the momentum up regarding NIS2.
Cyber threats and risks aren’t going anywhere, so with the changes in the cybersecurity directive we need to get in stride with the requirements. Why? So we can check a box and avoid fines? Not exactly. It’s more that the stronger our computer system infrastructures are now, for businesses and governments alike, the thicker our resiliency armour becomes. Being compliant isn’t about checking a box - it’s about building a solid foundation that can be built on. NIS2 will thus not only make governments and companies more secure but also help to better secure the changing supply chain.
Granted, the fines are nothing to scoff at: up to €10 million or 2% of global annual turnover, whichever is greater. This 2-part post isn’t about that though - it’s about getting ahead of the situation and thinking defensively. Not getting fined is then an added benefit.
Getting the EU to think proactively will make us faster, and we will be better prepared with the intelligence needed for decision advantage when situations present themselves.
Contributing to the Optimization of CSIRTs
Comprehensive information on NIS2 can be found online (NIS2 Release Date Directives), but for the purposes of this post we want to address where the needs are most significant for CSIRTs, so that they can make the fastest, most informed and best decisions possible and, together, make their constituency and the internet safer overall.
CSIRTs are at the forefront of the proactive tasks: faster response times, meeting changing regulations, and better intelligence (contextual data), all leading to optimal decision advantage in tough situations. The more we know ahead of time, the better our chance of staying ahead. Knowing where we stand today matters. It’s vital for a CSIRT to have a clear view of all the assets within its constituency. By scanning within selected IP ranges (national, regional, sector or organisation based), we can give a clear picture of everything that exists within that frame. You then know your own situation better: you can discover all the servers you have and become aware of any vulnerabilities you might be facing.
Stay tuned for Part 2, where we will look more closely at Duty of Care and highlight four key areas within the NIS2 Directive: Monitoring of External Encryption Settings, Coordinated Vulnerability Disclosure, Proactive Scanning, and External Surface Auditing.