Search
Mitigant Blog

Is Your Cloud NIS2 Ready?

Ensuring the cloud is secure, compliant, and resilient is one of the responsibilities of cloud customers. One of the upcoming...
16.8.2023
Muhammad Ihsan Haikal Sukmana
4 min read
Is Your Cloud NIS2 Ready?
Table of Contents
Example H2
Example H3
Example H4
Example H5
Example H6
Contributors
Muhammad Ihsan Haikal Sukmana
Muhammad Ihsan Haikal Sukmana
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

Ensuring the cloud is secure, compliant, and resilient is one of the responsibilities of cloud customers. One of the upcoming legislations enforced in 2024 is the European Union’s Network and Information Systems 2 (NIS2) Directive, Europe's most comprehensive cybersecurity legislation. This blog post provides an overview of the NIS2 Directive, how it could affect you and your cloud, and how to prepare for it.

NIS2 Overview

The Network and Information Systems (NIS) Directive was first established in July 2016 to increase cybersecurity and cyber resilience capabilities across the European Union to a higher level. NIS is designed to establish security measure baselines for digital service providers and operators to mitigate cyberattack risks. However, with cyberattacks becoming more sophisticated and frequent in the past years and the massive adoption of cloud computing, the NIS Directive is no longer effective in covering the complex landscape of enterprise systems.

The new version of the NIS Directive, namely the NIS2 directive, was published in the EU Official Journal On December 2022 and came into force on January 2023. Compared to NIS, NIS2 provides stronger requirements and affects more sectors to focus on the business continuity of the entities. By 17th October 2024, European Union member states must adopt and publish the NIS2 Directive into their national laws. The ultimate goal of the NIS2 Directive is to ensure more entities have a better cybersecurity strategy ready against possible cybersecurity incidents.

Objectives

In general, there are four main objectives of the NIS2 Directive:

  1. Managing Security Risk
    Entities must be aware of the potential risks to the entities, their services/businesses, people, and assets, i.e., systems and infrastructures. By managing potential security risks that could threaten the entities, entities could plan necessary cybersecurity measures to prevent or minimize the risks.
  2. Protecting Against Cyberattacks
    Entities must be prepared against potential cyberattacks that could threaten them, even for the unplanned scenarios from the first objectives. Ensuring that the people have security awareness and training and that the assets are correctly and securely configured would help entities stay ahead of cyberattacks.
  3. Detecting Cybersecurity Incidents
    Entities must be able to detect cybersecurity incidents when they happen. They need to enable continuous monitoring of the people and the assets and proactively discover security events happening that could lead to incidents.
  4. Minimizing The Impact of Cybersecurity Incidents
    In case of cybersecurity incidents happen, entities have to respond and remediate the incidents as soon as possible to minimize the impacts on the entities. Entities must also analyze how the incidents happened and affected the entities and devise how to avoid the incidents in the future.

Affected Entities

NIS2 Directive affects entities located or operating in the European Union member states as follows:

  • Medium entities with 50 to 250 employees, 10-50 million Euro turnover, and less than 43 million Euro balance sheet.
  • Large entities with over 250 employees, 50 million Euros turnover, and more than 43 million Euro balance sheet.
  • Entities operating in the following essential categories:
    Transport, Banking, Financial market infrastructures, Health, Digital infrastructure, Energy, Drinking water, Waste water, ICT service management for B2B, Public administration, and Space.
  • Entities operating in the following important categories:
    Digital providers, Chemical manufacture, production, and distribution, Manufacturing, Waste management, Research, Food production, processing, and distribution, and Postal and courier

The entities will be able to register themselves and determine if their businesses or services fall within the scope of NIS2. Failure to comply with NIS2 could result in fines of up to 10% of the entity’s annual turnover or a temporary ban from exercising managerial responsibilities for the entity’s management team.

How You Could Prepare Your Cloud for NIS2

NIS2 affects cloud providers and companies using cloud infrastructures as the cloud customers, governed by cloud computing’s shared responsibility model. Cloud providers are responsible for the security measures to protect the infrastructure that runs all offered cloud services. Meanwhile, cloud customers are responsible for security measures to protect their cloud resources.

There are several ways for entities to prepare their cloud infrastructure to be compliant with NIS2 Directive:

Take Inventory of Available Cloud Resources

Taking inventory of available cloud resources across various cloud services and regions would help to know the state of cloud infrastructure. It also could be used to analyze potential risks that could affect the cloud resources, which would help to prioritize which resources should be securely configured first.

Securely Configure Cloud Infrastructure

Cloud infrastructure has to be securely and correctly configured to ensure that unauthorized cannot exploit it for cybersecurity incidents. Compliance with cloud security standards and best practices, e.g., ISO 27001, PCI-DSS, or CIS Benchmarks, helps measure and manage the security posture of cloud infrastructure.

Monitor Cloud Infrastructure

Enabling cloud infrastructure monitoring would ensure the cloud resources are working correctly. Suspicious activities could be detected by raising necessary alerts and helping to reduce the time to react to potential cybersecurity incidents.

Proactively Verify Cloud’s Security and Cyber Resilience

Cloud infrastructure has to be prepared against potential threats that could affect any cloud resources and happen at anytime to avoid and minimize the impact of potential cybersecurity incidents. Regular cloud security tests and assessments would help detect potential vulnerabilities and blind spots that attackers could exploit.

Develop Contingency Plan

In the case of cybersecurity incidents, a contingency plan would help minimize the impacts on the entities and the clouds, analyze the root causes, and fix the incidents. Based on that, new cybersecurity measures could be devised and implemented to avoid incidents in the future.

How Mitigant Can Help to Make Your Cloud NIS2 Ready

Mitigant provides a secure and reliable platform to achieve NIS2 for your cloud with only 15 minutes of onboarding time. Improve the state of cloud infrastructure to be more secure, compliant, and resilient with Mitigant.

  • Take inventory of cloud resources across various cloud services and regions and monitor for unwanted changes and suspicious activities in the cloud.
  • Run automated and on-demand cloud security assessments to detect and remediate security risks in the cloud resources.
  • Achieve compliance with cloud security standards and best practices, such as ISO 27001, CIS Benchmarks, PCI-DSS, and BSI C5.
  • Prepare the cloud to be ready against potential cyberattacks by automated cloud attack simulations to detect security blindspots in its cloud security controls.

Ready to Secure Your Cloud Infrastructures?
Connect with the Mitigant Team and proactively protect your clouds today.
Book DemoStart Free Trial

Read Other Interesting Blog Posts

View Blogs
Cloud Security
Emulating and Detecting Scattered Spider-like Attacks
July 23, 2024
This article shows how to leverage Threat-Informed Defense to effectively tackle cloud threat actors, e.g., Scattered Spider. Practical attacks & appropriate defense are demonstrated using Mitigant Cloud Attack Emulation & the Sekoia SOC Platform.
Read More
Cloud Security
Bedrock or Bedsand: Attacking Amazon Bedrock’s Achilles Heel
July 10, 2024
Amazon Bedrock's Achilles heel is the adoption of S3 as a RAG data source, leading to several GenAI attack vectors, including data poisoning, denial of service & S3 ransomware. This article delves into these attack vectors, detection, and mitigation.
Read More
Cloud Security
Cloud Attack Emulation: Democratizing Security Operations in the Cloud
July 2, 2024
Security operations are the nerve of organizational cybersecurity efforts. An organization’s security policy typically aims to keep it safe by implementing preventive, detective, and recovery measures. Security operations ensure this ambition by s...
Read More

Join The Cloud Security Revolution Today!

Take control of your cloud security in minutes. No credit card required.
Start 30-day Free Trial