At this point it is old news, but this year NIS2 will finally move from theory to the everyday life of organizations, as Member States must transpose the Directive into applicable national law by 17 October 2024. The European Directive requires Member States to adopt laws that improve the cyberresilience of organizations within the EU and impacts organizations defined as “operators of essential services”. Under NIS1, EU Member States could still choose what this meant; to ensure more consistent application, NIS2 sets out its own definition. Rather than distinguishing between operators of essential services and digital service providers, NIS2 defines a new list of the following sectors:
It is quite difficult to find an organization that does not fall under one of these sectors, and with this new legal set-up it becomes harder still to find industry segments that won’t be affected. As NIS2 represents legally binding cybersecurity requirements for a significant region and economy, it focuses on essential and structural processes, including mandatory incident reports with tight timelines. Under NIS2, affected organizations must submit an initial report or “early warning” to the respective national authorities within 24 hours of becoming aware of a cyberincident. This major change in the law is meant to create more transparency and to help governments learn faster from cyberattacks.
Another important addition to NIS1 is the accountability the new Directive assigns to the management of organizations in scope. The NIS2 Directive's revised penalties, reaching up to €10 million or 2% of an entity's annual global turnover, alongside individual managerial responsibility, set a standard. Penalties aren’t just fairytales any longer, especially after cases like the sentencing of former Uber CSO Joe Sullivan, who failed to report a data breach, and the charges against SolarWinds' ex-CISO Timothy G. Brown, who defrauded investors by overstating SolarWinds’ cybersecurity practices and understating or failing to disclose known cybersecurity risks and vulnerabilities.
The law is clear on this issue: CISOs bear direct responsibility in cyberincidents. They have final oversight of cybersecurity frameworks, team structures, and general IT security within their organizations. For their own sake as well as for the good of the organization, they’ll also look to join leadership teams that share similar values, hold themselves to a strong code of conduct, and support them rather than scapegoat them in times of crisis. Downplaying or under-reporting cyberrisk will lead to an economic disaster, and companies might end up in the headlines for the wrong reasons.
Many organizations, especially those newly in scope for NIS2, will have to manage their information security risks more actively and expand their security programs. For organizations in this situation there are various tools beyond the standard firewall and anti-virus software, as well as best practices and frameworks that can be implemented. NIS2 defines the following responsibilities and key processes:
Network Detection and Response in particular provides capabilities in the areas of network visibility, incident handling, and reporting that can help close the gaps in a cybersecurity stack. Learn more about what NDR is and the most common use cases for NDR.
Artificial Intelligence isn’t specifically mentioned in the NIS2 framework. A reason for this might simply be the timing of the provisional agreement on NIS2 in May 2022 preceding the public awareness regarding broader AI technology, such as ChatGPT and other open-source Generative AI tools, by about six months. Had the law been drafted today, we might see more emphasis on AI, possibly even making it a requirement within the framework.
However, NIS2 does explicitly recommend the encouragement of innovative technologies, which signals a positive stance toward the use of AI. The Directive also emphasizes the importance of proactive cybersecurity, defined as the prevention, detection, monitoring, analysis, and mitigation of network security breaches.
Network Detection and Response that leverages AI can proactively detect and respond to threats in real time, ultimately helping to keep your network free of disruptions and your data secure.
Moreover, an NDR gives full visibility to ensure policy effectiveness and compliance within the NIS2 framework. The Directive covers incident handling and business continuity as well as the reporting of cyberincidents, which plays a crucial role in handling future cyberattacks, since we can only learn from the ones we have already seen. Reporting seems like a simple task, but with the amount of network data produced today, proper reporting tools are innovations that receive too little attention. With them, detailed and comprehensive incident reports can be generated quickly and contain all relevant information without wasting much time.
See how NDR can help you comply with NIS2.
How exactly the different EU member states will implement NIS2 into their national laws remains unclear, with the deadline for this process set at October 17, 2024. In addition, the European Union pledges to assess the effectiveness of the Directive every three years.
Considering the technical milestones we have made over the last twelve months, and the recognition of both the risks and the potential indispensability of AI, particularly within cybersecurity, we might reach a point where numerous Member States make AI mandatory to counteract growing cyberthreats and the shortage of available IT staff.
We are a dynamic team of creative strategists and digital experts committed to spreading the word about anything cybersecurity. We do more than just sell a network detection and response system; we keep our fingers on the pulse of cybertrends and share the knowledge we have within Muninn.