Jan 9, 2023

Alignment to the NIS2 Directive

NIS2 Directive

The NIS (Network and Information Systems) Directive was the first piece of EU-wide legislation that aimed to improve the security of network and information systems across the European Union. Since its publication in 2016, impacted organizations have been required to take appropriate measures to secure their network and information systems and to report any incidents that have a significant impact on the continuity of their services. This includes measures such as regularly updating software and security protocols and implementing access controls to prevent unauthorized access to systems.

NIS2

The updated directive has been designed to expand and harmonize the original scope, while introducing more stringent supervisory measures and stricter enforcement requirements. The final text of NIS2 has been passed by the European Union and was published on the EU Journal website on December 27th, 2022. It will pass into law on the 16th of January 2023, and organizations will then have 21 months to demonstrate compliance with NIS2 or face supervisory action.

Increasing the Level of Cybersecurity in Europe in the Longer Term

NIS2 has the ambition to reduce the losses to cybercrime by 11.3 billion euros per year. For this aspiration to become reality, an estimated cybersecurity budget increase of 22% will be required for newly selected organizations, and of 12% for organizations that were previously affected by the current NIS directive.

Expansion and Harmonization

The renewed directive now applies to broader vertical industries; it expands the current definition of ‘critical service providers’ by adding a second category of ‘important service providers.’ In an attempt to avoid fragmentation across the member states, NIS2 also streamlines reporting obligations and introduces harmonized sanctions across the EU. This includes fines and penalties for non-compliance with cybersecurity best practices.

NIS2 entities

The NIS2 Directive strengthens cybersecurity requirements imposed on supply chains and supplier relationships. Fines for essential entities can reach 2% of global revenue or €10 million, while important entities face 1.4% of global revenue or €7 million.

Appropriate and Proportional Measures

Article 21 sets out the best-practice obligations that essential and important entities will be supervised against. The legislation introduces tighter cybersecurity obligations for risk management, reporting and information sharing:

  1. policies on risk analysis and information system security
  2. incident handling
  3. business continuity
  4. supply chain security
  5. security in network and information systems, including vulnerability handling and disclosure
  6. policies and procedures to assess the effectiveness of cybersecurity risk-management measures
  7. basic cyber hygiene practices and cybersecurity training
  8. policies and procedures regarding the use of cryptography and encryption
  9. human resources security, access control policies and asset management
  10. the use of multi-factor authentication or continuous authentication solutions, secured voice, video and text communications and secured emergency communication systems within the entity, where appropriate.

How Armis can help

While the spirit of NIS2 is to encourage a culture of risk management, rather than reacting to breaches and incidents, we believe the Armis platform is uniquely positioned to address some of the core obligations stipulated by this directive:

  • Incident Handling: Armis extends the traditional SIEM scope by providing risk and threat insights of unmanaged assets like OT, IoT & IoMT. We help reduce incident investigation time by having asset & security information in a single location.
  • Business Continuity: Our platform continuously monitors every asset 24/7 to detect anomalies and status changes. When there’s any change to an asset’s communications, software, physical location, risk profile, or activity, we can alert your team and reduce SOC investigation time. Armis also maintains data logs for compliance and incident forensics.
  • Vulnerability Handling: Armis Asset Vulnerability Management (AVM) provides information about vulnerabilities associated with each asset, no matter what the asset type is. For assets that are not covered by vulnerability scanners, Armis fills the gap by assessing devices against Armis’s Collective Asset Intelligence Engine. This unique crowd-sourced knowledge base tracks over 3 billion assets around the world and is continuously updated by Armis’s research group with the latest information about vulnerabilities and exploits.
  • Asset Management: Discover & store an inventory of all organizational assets, providing a complete view of the asset data and its key security attributes, including contextual insights about each asset.

The expansion of the original NIS scope – by adding more entities and sectors to take cybersecurity risk management measures – should help increase the level of cybersecurity in Europe in the medium and longer term. As technologies converge, Armis remains available to help organizations in essential and important sectors.

To find out more about the Armis Platform, join one of our test drives or book a custom demo.
