Ensuring the cloud is secure, compliant, and resilient is one of the responsibilities of cloud customers. One piece of legislation that will be enforced from 2024 is the European Union’s Network and Information Systems 2 (NIS2) Directive, Europe's most comprehensive cybersecurity legislation. This blog post provides an overview of the NIS2 Directive, how it could affect you and your cloud, and how to prepare for it.
The Network and Information Systems (NIS) Directive was first established in July 2016 to raise cybersecurity and cyber resilience capabilities across the European Union. NIS is designed to establish baseline security measures for digital service providers and operators to mitigate the risk of cyberattacks. However, with cyberattacks becoming more sophisticated and frequent in recent years, and with the massive adoption of cloud computing, the NIS Directive is no longer effective in covering the complex landscape of enterprise systems.
The new version of the NIS Directive, the NIS2 Directive, was published in the EU Official Journal in December 2022 and came into force in January 2023. Compared to NIS, NIS2 imposes stronger requirements and covers more sectors, with a focus on the business continuity of the affected entities. By 17 October 2024, European Union member states must adopt and publish the NIS2 Directive into their national laws. The ultimate goal of the NIS2 Directive is to ensure that more entities have a sound cybersecurity strategy ready against possible cybersecurity incidents.
In general, there are four main objectives of the NIS2 Directive:
- Managing Security Risk
Entities must be aware of the potential risks to themselves, their services and businesses, their people, and their assets, i.e., systems and infrastructure. By managing the security risks that could threaten them, entities can plan the cybersecurity measures needed to prevent or minimize those risks.
- Protecting Against Cyberattacks
Entities must be prepared against potential cyberattacks, including scenarios not anticipated under the first objective. Ensuring that people receive security awareness training and that assets are correctly and securely configured helps entities stay ahead of cyberattacks.
- Detecting Cybersecurity Incidents
Entities must be able to detect cybersecurity incidents when they happen. They need to continuously monitor their people and assets and proactively discover security events that could lead to incidents.
- Minimizing The Impact of Cybersecurity Incidents
When cybersecurity incidents happen, entities have to respond to and remediate them as soon as possible to minimize the impact. Entities must also analyze how the incidents happened and how they affected the entity, and devise how to avoid similar incidents in the future.
The NIS2 Directive affects entities located or operating in European Union member states as follows:
- Medium entities with 50 to 250 employees, 10-50 million Euro turnover, and a balance sheet total below 43 million Euro.
- Large entities with over 250 employees, 50 million Euro turnover, and a balance sheet total above 43 million Euro.
- Entities operating in the following essential categories:
Transport, Banking, Financial market infrastructures, Health, Digital infrastructure, Energy, Drinking water, Waste water, ICT service management for B2B, Public administration, and Space.
- Entities operating in the following important categories:
Digital providers; Chemical manufacture, production, and distribution; Manufacturing; Waste management; Research; Food production, processing, and distribution; and Postal and courier services.
Entities will be able to register themselves and determine whether their businesses or services fall within the scope of NIS2. Failure to comply with NIS2 could result in fines of up to 10% of the entity’s annual turnover or a temporary ban on members of the entity’s management team from exercising managerial responsibilities.
How You Could Prepare Your Cloud for NIS2
NIS2 affects both cloud providers and the companies that use cloud infrastructure as cloud customers, with responsibilities divided according to cloud computing’s shared responsibility model. Cloud providers are responsible for the security measures that protect the infrastructure running all offered cloud services, while cloud customers are responsible for the security measures that protect their own cloud resources.
There are several ways for entities to prepare their cloud infrastructure to be compliant with the NIS2 Directive:
Take Inventory of Available Cloud Resources
Taking inventory of the available cloud resources across the various cloud services and regions in use gives a clear view of the state of the cloud infrastructure. The inventory can also be used to analyze the risks that could affect those resources, which helps prioritize which resources should be securely configured first.
Securely Configure Cloud Infrastructure
Cloud infrastructure has to be securely and correctly configured so that unauthorized parties cannot exploit it to cause cybersecurity incidents. Compliance with cloud security standards and best practices, e.g., ISO 27001, PCI-DSS, or the CIS Benchmarks, helps measure and manage the security posture of the cloud infrastructure.
Monitor Cloud Infrastructure
Monitoring the cloud infrastructure ensures that cloud resources keep working as intended. Suspicious activities can be detected and raised as alerts, reducing the time needed to react to potential cybersecurity incidents.
Proactively Verify Cloud’s Security and Cyber Resilience
Cloud infrastructure has to be prepared against potential threats that could affect any cloud resource at any time, in order to avoid or minimize the impact of potential cybersecurity incidents. Regular cloud security tests and assessments help detect vulnerabilities and blind spots that attackers could exploit.
Develop a Contingency Plan
In the case of a cybersecurity incident, a contingency plan helps minimize the impact on the entity and its cloud, analyze the root causes, and remediate the incident. Based on that analysis, new cybersecurity measures can be devised and implemented to avoid similar incidents in the future.
How Mitigant Can Help to Make Your Cloud NIS2 Ready
Mitigant provides a secure and reliable platform to make your cloud NIS2 ready, with only 15 minutes of onboarding time. Improve the state of your cloud infrastructure to be more secure, compliant, and resilient with Mitigant.
- Take inventory of cloud resources across various cloud services and regions and monitor for unwanted changes and suspicious activities in the cloud.
- Run automated and on-demand cloud security assessments to detect and remediate security risks in the cloud resources.
- Achieve compliance with cloud security standards and best practices, such as ISO 27001, CIS Benchmarks, PCI-DSS, and BSI C5.
- Prepare the cloud against potential cyberattacks with automated cloud attack simulations that detect blind spots in its cloud security controls.
Sign up now at https://mitigant.io/sign-up to start your 30-day free trial.
Muhammad Ihsan Haikal Sukmana
Chief Product Officer & Co-Founder @Mitigant.