October 19, 2023 (updated October 20, 2023)

NIS2.0 – The new EU-wide cybersecurity directive and how Microsoft solutions can help

Summary for the C-LEVEL

NIS2.0 is the new EU directive on network and information security. It aims to improve the resilience and preparedness of critical sectors and essential services against cyber threats. The directive entered into force on 16 January 2023, and Member States must transpose it into national law by 17 October 2024; from then on, organizations in scope will have to comply with a set of standards and obligations, such as reporting incidents, conducting risk assessments, implementing security measures, and cooperating with national authorities.

As a C-LEVEL, you need to be aware of the implications of NIS2.0 for your organization and your customers. You need to ensure that your IT systems, processes, and staff are aligned with the new requirements and that you have a clear strategy and action plan to achieve compliance. You also need to communicate with your customers about the benefits of NIS2.0 and how it will enhance their security and trust in your services.

NIS2 will have a significant impact on business operations, reputation, and competitiveness. It will require companies to invest more in cybersecurity, comply with new rules and standards, and cooperate with national authorities and other stakeholders. NIS2 is not only a challenge but also an opportunity for C-LEVELs to demonstrate their leadership and commitment to cybersecurity: management bodies must approve and oversee the cybersecurity risk-management measures and can be held liable for breaches. Failure to comply can result in administrative fines of up to EUR 10 million or 2% of total worldwide annual turnover, whichever is higher, for essential entities (EUR 7 million or 1.4% for important entities), as well as reputational damage and loss of customer trust. On the other hand, complying with NIS2 can also bring benefits, such as improved resilience, innovation, and market opportunities.

Source: Microsoft Security

What is NIS2 - Network and Information Systems 2?

The NIS2 Directive is the EU-wide legislation on cybersecurity.
It provides legal measures to boost the overall level of cybersecurity in the EU. The Network and Information Systems 2 Directive – commonly referred to as NIS2 – is the most comprehensive EU cybersecurity legislation the region has ever seen. With national transposition due by October 17, 2024, NIS2 covers 15 sectors and over 160,000 companies. In general, an entity is in scope when it is medium-sized or larger (at least 50 employees, or an annual turnover and balance sheet above EUR 10 million); smaller entities can still be in scope when they are identified as critical.

The purpose of NIS2 is to establish a baseline of cybersecurity measures for organizations that provide essential services. This includes organizations in the public and private sectors, across industries ranging from finance to transportation to healthcare. Preparing for NIS2 will require companies to rethink the tools, processes and skills that reinforce their cybersecurity.

What does NIS2 mean for me? Two things above all: cybersecurity risk management measures and incident reporting obligations.

Source: Microsoft Security

Why has NIS2 been introduced?

A significant update to the original NIS directive, NIS2 comes at a time when Europe's cybersecurity threat landscape continues to evolve quickly. Since the war in Ukraine began, nation-state attacks have increased, according to Microsoft's Digital Defense Report. These actors have become more sophisticated, using automation and remote-access technologies to attack a wider set of targets, often looking for a vulnerable point of entry within IT supply chains, and often targeting critical infrastructure. In fact, according to the same report, the median time for an attacker to begin moving laterally within a corporate network is less than 2 hours.

Why should it be a priority?

NIS2 represents an opportunity for organizations to ensure they have the people, processes and partners in place to protect operations, ensure business continuity and enable digital transformation. What's more, working to ensure NIS2 compliance will help build confidence among customers, partners and shareholders.
Differences between NIS and NIS2

Source: Microsoft Security

Key changes from the NIS1 Directive to NIS2

NIS2 expands the scope of the previous NIS Directive. It sets out a benchmark of minimum measures that companies need to take to improve their cybersecurity posture. These include conducting risk assessments, implementing multi-factor authentication, and having plans for incident response and supply chain security.

NIS2 introduces stricter enforcement through enhanced measures and sanctions for non-compliance with the directive, as well as more stringent supervisory measures for national authorities.

NIS2 establishes a framework for coordinated vulnerability disclosure and creates an EU vulnerability database, maintained by ENISA, the European Union Agency for Cybersecurity.

NIS2 also enhances cooperation and information sharing between Member States and their authorities, including on cyber crisis management.

It is the most comprehensive EU cybersecurity legislation to date, covering 15 sectors including new sectors such as manufacturing and research, and it brings medium-sized companies into scope alongside entities identified as critical infrastructure.

Source: Microsoft Security

Its purpose is to establish a baseline of minimum security measures for digital service providers and operators of essential services (under NIS2, "essential" and "important" entities), to mitigate the risk of cyber attacks and to improve the overall level of cybersecurity in the EU. The four key objectives of NIS2, broken out into NIS principles, are shown in the figure below.

Source: Microsoft Security

To comply with NIS2, you will need to take the following steps:

Identify your role and obligations under the NIS2 Directive. Depending on whether you are classified as an essential or an important entity, you will have different responsibilities and supervisory requirements to meet.

Assess your current level of cybersecurity and identify any gaps or weaknesses.
You will need to follow common standards and guidelines for security and resilience developed by ENISA and the European Commission.

Implement appropriate security measures and policies to protect your systems and data from cyber threats. You will need to adopt a risk-based approach and ensure that your security measures are proportionate to the level of risk you face.

Report any significant incidents to your national CSIRT or competent authority. NIS2 specifies a staged notification process: an early warning within 24 hours of becoming aware of the incident, an incident notification within 72 hours, and a final report no later than one month after the notification. National authorities in turn share information with ENISA. The detailed thresholds, formats and procedures for reporting follow from the harmonized notification framework and the national implementing rules.

Cooperate with your national authorities and other stakeholders. You will need to participate in audits and inspections by your national authorities and share information and best practices with other actors in your sector or across sectors.

More information about Cybersecurity Risk Management measures and Incident reporting

Source: Microsoft Security

Microsoft's solutions for NIS2 compliance

Here are the Microsoft solutions that correspond to the NIS2 compliance principles.

Source: Microsoft Security

Risk assessments
Use Microsoft 365 Compliance Manager and Microsoft Defender for Cloud to assess risks and comply with regulations. Microsoft 365 Compliance Manager already provides assessment templates with detailed recommendations for NIS1; NIS2 assessment templates will be provided soon.

Use of cryptography
Leverage Microsoft Azure Key Vault and Microsoft Defender for Cloud for secure key management and encryption.

Security around the procurement of systems
Utilize Microsoft Intune and Microsoft Defender for Endpoint to manage devices and ensure security controls are in place.
Security procedures for employees with access to sensitive or important data
Implement identity and access management solutions such as Microsoft Entra ID (previously Azure Active Directory) and Privileged Identity Management to control access to sensitive data. Microsoft Information Protection, including Data Loss Prevention, can help to protect data and restrict how it can be used. In addition, Microsoft Insider Risk Management can help to detect and follow up on risky behavior by insiders.

Multi-factor authentication
Use Microsoft Entra multifactor authentication, enforced through Conditional Access policies, to add an extra layer of security to user sign-ins. Prioritize privileged and administrative accounts, and prefer phishing-resistant methods (FIDO2 security keys, Windows Hello for Business or certificate-based authentication) for them.

Policies and procedures for evaluating the effectiveness of security measures
The Microsoft Defender suite and Microsoft Sentinel can help you monitor and detect security threats in real time.

Plan for handling security incidents
Microsoft Information Protection, including Data Loss Prevention, and Microsoft Insider Risk Management provide their own alert and incident management views; the Microsoft Defender suite and Microsoft Sentinel mentioned above provide the central incident queue for your security operations.

Cybersecurity training and a practice for basic computer hygiene
Utilize Microsoft 365 Learning Pathways and Microsoft Defender for Office 365 to educate your employees on cybersecurity best practices.

Plan for managing business operations during and after a security incident
Use Microsoft Azure Site Recovery and Azure Backup to ensure business continuity in the event of a security incident.

Security around supply chains and the relationship between the company and direct suppliers
Use Microsoft Defender for Endpoint to secure your devices and network against supply chain attacks.

Timeframe / deadline

NIS2 entered into force on 16 January 2023. Member States must transpose it into national law and apply the measures by 17 October 2024.
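As an added example (not code from the original post or from Microsoft), here is how the MFA requirement above can be enforced with an Entra Conditional Access policy created through Microsoft Graph PowerShell. It assumes the Microsoft.Graph PowerShell module is installed, that the signed-in administrator can consent to the Policy.ReadWrite.ConditionalAccess and Policy.Read.All scopes, and that the policy name and the break-glass account object ID are placeholders you replace with your own values.

```powershell
# Added example, not code from the original post. Assumes the Microsoft.Graph
# PowerShell module (Install-Module Microsoft.Graph) and an admin who can consent
# to the scopes below. Replace the placeholder object ID with your own break-glass account.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

$breakGlassId = "00000000-0000-0000-0000-000000000000"   # placeholder: emergency access account object ID

$policy = @{
    displayName = "NIS2 - Require MFA for all users"      # assumed name
    # Start in report-only mode so you can measure impact in the sign-in logs before enforcing.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{
            includeUsers = @("All")
            excludeUsers = @($breakGlassId)   # never lock yourself out of the tenant
        }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
Write-Host "Created policy $($created.Id) in state $($created.State)"

# Check: list every policy that requires MFA together with its enforcement state, so you can
# see which ones are still report-only. Once the sign-in log review is clean, switch the policy
# to enforcement:
#   Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id -State "enabled"
Get-MgIdentityConditionalAccessPolicy |
    Where-Object { $_.GrantControls.BuiltInControls -contains "mfa" } |
    Select-Object DisplayName, State, Id |
    Format-Table -AutoSize
```

Creating the policy in report-only mode first and excluding an emergency access account are the two things most often skipped; the first avoids surprising your users and legacy clients, the second avoids an outage where no administrator can satisfy the new control.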
Resources

NIS Regulations: Cyber Assessment Framework (itgovernance.co.uk)
The NIS2 Directive: A high common level of cybersecurity in the EU | Think Tank | European Parliament (europa.eu)
Kyberturvallisuusdirektiivin (NIS2-direktiivi) kansallista toimeenpanoa tukeva työryhmä (valtioneuvosto.fi) – the working group supporting the national implementation of the Cybersecurity Directive (NIS2 Directive) (in Finnish)

Jussi Metso
The author is a lifelong IT enthusiast and Microsoft Security MVP, interested in Cloud Security, XDR, SIEM and AI. Motto: Learning is the key for your future.