Key questions to consider
Before engaging with any security solution provider, take the time to reflect on these essential questions:
- What are the major risks you need to mitigate?
- What constitutes your critical infrastructure?
- What compliance requirements do you need to meet?
- What are your specific objectives?
- What are your budget constraints and priorities?
Understanding risks
It is important to recognize that no amount of security tools or compliance with frameworks like ISO 27001, GDPR (General Data Protection Regulation) or NIS2 can guarantee full protection. The best an organization can do is minimize risk. Breaches can still happen, but having the right security measures in place offers key advantages:
- Potentially avoiding penalties, or at least reducing their severity
- Preserving your reputation, especially if a breach needs to be publicly disclosed
- Facilitating a smoother recovery
- Limiting financial and operational losses
When evaluating risks, consider what would happen if your internet connection fails, critical services go down or sensitive data is lost. In each case, ask yourself: would you still be able to deliver services? How likely is it that malware, misconfigurations, or even natural disasters could cause downtime? To effectively address these risks, consider hiring an expert who can both formalize risk assessments and offer meaningful context for evaluating your responses.
Identifying critical infrastructure
The core components of your IT services are considered your critical infrastructure. Discuss this with your IT department to ensure you understand which systems are essential for your operations.
Meeting compliance requirements
Different countries may have additional regulations governing how data is processed and shared. It is vital to familiarize yourself with your own country's requirements. This information will help security solution vendors tailor their offerings and guide IT managers and security officers in asking the right questions.
Defining your objectives
Your objectives should align with the risks you have identified. For example:
- If access and change control are priorities, a SIEM (Security Information and Event Management) solution that monitors security logs from Domain Controllers is essential.
- If network security is a focus, implement strong baseline configurations, and monitor policy changes and network traffic.
- If endpoint security is crucial, consider an EDR (Endpoint Detection and Response) or XDR (Extended Detection and Response) solution.
- If you require 24/7 monitoring, you will need at least seven staff members to ensure around-the-clock coverage.
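To make the first objective above concrete, here is an added example (not code from the article) of the kind of access- and change-control detection a SIEM would run over Domain Controller security logs. The log lines are constructed samples in a simplified key=value format; the event IDs are the standard Windows Security event IDs, while the list of privileged groups and the failed-logon threshold are assumptions that would be tuned to your own domain.

```python
"""
Added example: a minimal SIEM-style detection pass over Domain Controller
security events. The SAMPLE_LOG below is constructed for this example; a real
collector (Windows Event Forwarding, an agent, a log shipper) delivers richer
records, but the rule logic is the same.
"""
import shlex
from collections import defaultdict
from dataclasses import dataclass

# Windows Security event IDs relevant to access and change control.
WATCHED_EVENTS = {
    4720: "User account created",
    4728: "Member added to security-enabled global group",
    4732: "Member added to security-enabled local group",
    4719: "System audit policy changed",
}

# Assumption: the privileged groups in this example domain.
PRIVILEGED_GROUPS = {"Domain Admins", "Administrators", "Enterprise Admins"}

FAILED_LOGON = 4625
FAILED_LOGON_THRESHOLD = 5  # assumed tuning: alert on the 5th failure per account

# Constructed sample log (not real data).
SAMPLE_LOG = """\
ts=2024-10-17T08:01:10Z host=DC01 event_id=4624 subject=alice target=alice
ts=2024-10-17T08:02:00Z host=DC01 event_id=4720 subject=bob target=svc_backup
ts=2024-10-17T08:02:30Z host=DC01 event_id=4728 subject=bob target=svc_backup group="Domain Admins"
ts=2024-10-17T08:03:00Z host=DC01 event_id=4732 subject=alice target=carol group="Remote Desktop Users"
ts=2024-10-17T08:04:00Z host=DC01 event_id=4719 subject=SYSTEM target=-
ts=2024-10-17T08:05:00Z host=DC01 event_id=4625 subject=- target=dave
ts=2024-10-17T08:05:01Z host=DC01 event_id=4625 subject=- target=dave
ts=2024-10-17T08:05:02Z host=DC01 event_id=4625 subject=- target=dave
ts=2024-10-17T08:05:03Z host=DC01 event_id=4625 subject=- target=dave
ts=2024-10-17T08:05:04Z host=DC01 event_id=4625 subject=- target=dave
ts=2024-10-17T08:06:00Z host=DC01 event_id=4625 subject=- target=erin
"""


@dataclass
class Alert:
    severity: str   # "medium", "high" or "critical"
    event_id: int
    host: str
    ts: str
    subject: str    # account that performed the action
    target: str     # account acted upon
    detail: str


def parse_line(line: str) -> dict:
    """Parse one key=value line; quoted values may contain spaces."""
    fields = {}
    for token in shlex.split(line):
        key, _, value = token.partition("=")
        fields[key] = value
    fields["event_id"] = int(fields["event_id"])
    return fields


def detect(log_text: str) -> list[Alert]:
    """Apply the change-control rules to every line and return the alerts raised."""
    alerts: list[Alert] = []
    failed_logons: dict[str, int] = defaultdict(int)
    newly_created: set[str] = set()  # accounts created earlier in this log
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        eid = ev["event_id"]
        common = dict(event_id=eid, host=ev["host"], ts=ev["ts"],
                      subject=ev["subject"], target=ev["target"])
        if eid == 4720:
            newly_created.add(ev["target"])
            alerts.append(Alert("medium", detail=WATCHED_EVENTS[eid], **common))
        elif eid in (4728, 4732):
            group = ev.get("group", "")
            if group in PRIVILEGED_GROUPS:
                # A brand-new account landing in a privileged group is the
                # classic escalation pattern, so correlate and raise severity.
                severity = "critical" if ev["target"] in newly_created else "high"
            else:
                severity = "medium"
            alerts.append(Alert(severity, detail=f"{WATCHED_EVENTS[eid]}: {group}", **common))
        elif eid in WATCHED_EVENTS:
            alerts.append(Alert("medium", detail=WATCHED_EVENTS[eid], **common))
        elif eid == FAILED_LOGON:
            failed_logons[ev["target"]] += 1
            if failed_logons[ev["target"]] == FAILED_LOGON_THRESHOLD:
                alerts.append(Alert("medium", detail=f"{FAILED_LOGON_THRESHOLD} failed logons", **common))
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"[{a.severity:8}] {a.ts} {a.host} {a.event_id} by={a.subject} on={a.target}: {a.detail}")
```

Run as-is it prints five alerts from the constructed log: the account creation, the same account's addition to Domain Admins (escalated to critical because the creation was seen moments earlier), a non-privileged group change, the audit policy change, and one alert for the burst of failed logons. The point for a buyer is that this is the minimum a SIEM must do with DC logs: parse, match on event IDs, and correlate across events, not just store them.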
Budget Considerations
Consider how much implementing your objectives will cost. Starting from scratch could take up to two years. Keep these points in mind:
- A cybersecurity expert is not the same as a compliance expert. Both are necessary but have different skill sets. Ensure you have separate professionals for each.
- An engineer will not monitor your SIEM or XDR environments. You'll need to hire a SOC Analyst or work with an MSSP (Managed Security Service Provider).
- Include your IT Administrator, Service Desk, and Engineering teams in your budget, as patching and incident management will take up 10%-20% of their time. For larger infrastructures, you may need dedicated personnel.
- Be thorough in your research when it comes to tools, licenses, and infrastructure costs. Vendors offer a variety of solutions; choose the one that fits your needs best. Simple decisions can save your organization thousands of dollars. Whether you opt for on-premises or cloud solutions, both can be effective in different scenarios.
Setting Priorities
It is nearly impossible to accomplish everything at once, especially if resources are limited. If you are constrained by time or budget, focus on compliance first. Ensure your users are well-educated, and your processes are secure. Even the most advanced cybersecurity tools are ineffective if employees are unaware of best practices. If time is a critical factor, consider outsourcing to an MSSP.
This article aims to provide some guidance on how to get started. Remember, there is always more to learn, and the devil is in the details. Good luck making the right preparations!
Box 1: What is the NIS2 Directive?
The NIS2 Directive (Network and Information Systems 2) is a pivotal European law designed to strengthen cybersecurity across the European Union (EU). In the Netherlands, this law will affect more than 10,000 organizations and companies, as well as approximately 50,000 suppliers to these entities. Both groups will need to implement various cybersecurity measures.
This directive succeeds the original NIS1, introduced in 2016. The updated NIS2 Directive, which will take effect in Europe on October 17, 2024, expands its scope and imposes stricter requirements for securing network and information systems.
European and Dutch NIS2 Legislation
The NIS2 Directive is a European law, meaning each EU member state must incorporate it into its national legislation. In the Netherlands, this will be done through amendments to the existing Network and Information Systems Security Act (Wbni), with the transition occurring later this year.
For more information on NIS2, visit the Samendigitaalveilig website.