How to Prepare Your Cloud Infrastructure for the NIS2 Directive

The Network and Information Systems (NIS) Directive and its successor, the NIS2 Directive, were introduced by the European Union (EU) to raise the level of cybersecurity across EU member states in response to rapidly evolving and increasingly frequent cyberattacks. This article gives an overview of what the NIS2 Directive expects of organizations and their cloud infrastructures.

NIS2 - A New Frontier in Cybersecurity

The Network and Information Systems (NIS) Directive, adopted in 2016, marked the EU's first major foray into legislating cybersecurity. Its aim was for EU member states to achieve a high common level of cybersecurity in response to the growing digitalization of infrastructures and the increasing and evolving cyberattacks in the digital landscape.

Member states transposed the NIS Directive into national law by 2018. However, because cyber resilience remained insufficient and inconsistent across the EU, and because the directive could not keep pace with the rapidly changing threat landscape, its implementation resulted in a fragmented patchwork of national regimes.

The EU therefore proposed the NIS2 Directive to replace the NIS Directive, strengthen the security requirements placed on member states, and achieve a higher and more uniform level of European cybersecurity. Among its improvements over the previous directive are an expanded scope of essential and important sectors, explicit supply chain security requirements, and more stringent security and incident reporting obligations. The NIS2 Directive entered into force on 16 January 2023, and EU member states have to transpose its measures into national law by 17 October 2024.

Deciphering NIS2 Objectives

The NIS2 Directive aims to address the deficiencies of the NIS Directive, adapt it to the current needs of European cybersecurity, and make it resilient to the future cyber threat landscape. It pursues several main objectives.

Enhanced European Cybersecurity Standards

The NIS2 Directive's main objective is to raise European cybersecurity standards. New essential and important sectors and size thresholds are added so that critical businesses build better cyber resilience against potential threats. The directive also lists ten key risk management measures that in-scope organizations must implement, including supply chain security and the use of cryptography and encryption. Organizations must adopt cybersecurity and risk management practices such as security awareness training for employees and asset management, so that critical assets are identified and secured.

Collaboration between EU Member States

To ensure a high common level of cybersecurity between EU member states, the NIS2 Directive establishes the European cyber crisis liaison organisation network (EU-CyCLONe) to support the coordinated management of large-scale cybersecurity incidents and information sharing between countries. It also strengthens cooperation within the network of national Computer Security Incident Response Teams (the CSIRTs network) and the role of the Cooperation Group in shaping strategic policy decisions. In addition, the EU Agency for Cybersecurity (ENISA) will operate and maintain a European vulnerability database for ICT products and services to support coordinated vulnerability disclosure.

Enhanced Security Incident Reporting

The NIS2 Directive introduces stricter security incident reporting requirements for companies. It imposes a risk management approach with a minimum list of basic security measures that must be applied and more precise rules on incident reporting. Affected organizations must submit an early warning to the CSIRT or competent national authority within 24 hours of becoming aware of a significant incident, an incident notification within 72 hours, and a final incident report within one month.

Which Entities Are Impacted by the NIS2 Directive

Compared with the previous NIS Directive, the NIS2 Directive covers more essential and important sectors and applies new size thresholds to determine which entities fall within scope. Entities located or operating within EU member states and providing essential or important services are now subject to the NIS2 Directive.

Affected Sectors

The NIS2 Directive is expected to bring many thousands of EU entities into scope. In addition, EU member states may identify smaller entities with high security risk profiles that should also be covered by the new directive.

Timeline for NIS2 Directive Compliance

EU member states must transpose the NIS2 Directive into national law by 17 October 2024, and must identify and establish a list of the essential and important entities within its scope by 17 April 2025. Entities, however, must comply with the national laws from 17 October 2024; the directive provides no grace period.

To verify that essential and important entities comply with the NIS2 Directive, the designated authorities may carry out regular or targeted audits, on-site or off-site inspections, or requests for information, documents, or evidence. Failure to comply with the NIS2 Directive and its national implementations can result in the penalties described below.

NIS2 Directive Non-Compliance Consequences

Organizations that do not comply with the NIS2 Directive can be penalized by the competent national authorities in the following ways:

  • Administrative fines of up to 10 million euros or 2% of total worldwide annual turnover for essential entities, and up to 7 million euros or 1.4% of total worldwide annual turnover for important entities, whichever amount is higher.
  • Non-monetary remedies, such as compliance orders, binding instructions, orders to implement a security audit, or orders to notify the entity's customers of a threat.
  • Sanctions for senior management, such as publicly disclosing the violation, naming the managers responsible for it, or holding them personally liable, up to a temporary ban from holding managerial positions.

What to Prepare for the NIS2 Directive

Depending on its cybersecurity maturity level, an entity may need around 12 months to reach compliance with the NIS2 Directive. The following areas help structure the compliance process.

  • Assessment and Gap Analysis: Begin with a thorough evaluation of the entity's current cybersecurity posture. Identify how it aligns with the NIS2 Directive's requirements and pinpoint the areas that need improvement.
  • Prioritizing Actions: Based on the assessment's results, address the most critical gaps and issues first, so that no critical security vulnerability remains unaddressed.
  • Resource Allocation: Determine which financial, technological, and human resources are needed and available for the compliance effort.
  • Implementation Phase: Implement the changes needed to improve the cybersecurity posture and comply with the NIS2 Directive. This may involve upgrading technology, revising policies, and enhancing security procedures.
  • Training and Awareness Programs: Develop comprehensive training and awareness programs for the entire staff, so that everyone understands their role in achieving and maintaining compliance.
  • Continuous Monitoring and Improvement: Compliance is an ongoing process, not a one-time event. Regularly review and update cybersecurity strategies to stay aligned with the NIS2 Directive's requirements and the ever-changing cyber threat landscape.
  • Documentation and Reporting: Keep detailed records of compliance efforts and report security incidents that affect the entity. This documentation is crucial not only for internal tracking but also for demonstrating compliance to the regulatory authorities.

How Mitigant Can Help Cloud-Native Infrastructures to Achieve NIS2 Directive Compliance

The NIS2 Directive requires entities to secure every part of their environment against potential cyber threats, including the cloud-native infrastructures used to store confidential information or host applications and services for business purposes. Entities can take several measures to align their cloud infrastructures with the NIS2 Directive's requirements:

  • Take Inventory of Available Cloud Resources: An inventory of cloud resources across all cloud services and regions gives a clear picture of the state of the cloud infrastructure. It can also be used to analyze the risks that could affect each resource and to prioritize which resources should be securely configured first.
  • Securely Configure Cloud Infrastructure: Cloud infrastructure must be configured securely and correctly so that unauthorized parties cannot exploit misconfigurations to cause cybersecurity incidents. Compliance with security standards and best practices such as ISO 27001, PCI DSS, or the CIS Benchmarks helps measure and manage the security posture of the cloud infrastructure.
  • Monitor Cloud Infrastructure: Monitoring confirms that cloud resources are working correctly. Suspicious activities can be detected and raised as alerts, reducing the time needed to react to potential cybersecurity incidents.
  • Proactively Verify the Cloud's Security and Cyber Resilience: Cloud infrastructure must be prepared for threats that can affect any cloud resource at any time, in order to avoid or minimize the impact of cybersecurity incidents. Regular cloud security tests and assessments help detect vulnerabilities and blind spots that attackers could exploit.
  • Develop Contingency Plans: When a cybersecurity incident occurs, a contingency plan helps minimize its impact on the entity and its cloud environment, analyze the root causes, and remediate the incident. New cybersecurity measures can then be devised and implemented to prevent similar incidents in the future.
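As a concrete illustration of the inventory and secure-configuration points above, here is an added example (not part of the original article and not Mitigant's product code) that implements one CIS-Benchmark-style check: it walks the EC2 security groups of a region and reports every administrative or database port that is reachable from the whole internet. The core check works on the data structure returned by boto3's ec2.describe_security_groups(), so it is fed constructed sample data here and runs offline; the scan_all_regions helper shows how the same check is wired to a live boto3 session across every region. The port list and the sample group names are assumptions chosen for the example.

```python
"""Added example: CIS-Benchmark-style check for internet-exposed admin ports
across EC2 security groups. Not from the original article; the boto3 wiring
is optional and the sample data below is constructed."""
from __future__ import annotations

from typing import Iterable

# Assumption: ports that must never be open to 0.0.0.0/0 or ::/0. SSH and RDP
# follow the CIS AWS Foundations Benchmark; the database ports are added for
# illustration.
SENSITIVE_PORTS = {22, 3389, 3306, 5432, 27017, 6379}
ANY_IPV4 = "0.0.0.0/0"
ANY_IPV6 = "::/0"


def _rule_ports(rule: dict) -> set[int]:
    """Sensitive ports exposed by one IpPermission entry. IpProtocol "-1" means
    all protocols and ports; tcp/udp without FromPort/ToPort means full range."""
    if rule.get("IpProtocol") == "-1":
        return set(SENSITIVE_PORTS)
    if rule.get("IpProtocol") not in ("tcp", "udp"):
        return set()
    low = rule.get("FromPort", 0)
    high = rule.get("ToPort", 65535)
    return {p for p in SENSITIVE_PORTS if low <= p <= high}


def _open_to_world(rule: dict) -> bool:
    """True if any source range of the rule is the whole IPv4 or IPv6 internet."""
    v4 = any(r.get("CidrIp") == ANY_IPV4 for r in rule.get("IpRanges", []))
    v6 = any(r.get("CidrIpv6") == ANY_IPV6 for r in rule.get("Ipv6Ranges", []))
    return v4 or v6


def find_world_open_admin_ports(region: str, security_groups: Iterable[dict]) -> list[dict]:
    """Scan groups shaped like describe_security_groups()["SecurityGroups"] and
    return one finding per (group, sensitive port) exposed to the internet."""
    findings = []
    for sg in security_groups:
        for rule in sg.get("IpPermissions", []):
            if not _open_to_world(rule):
                continue
            for port in sorted(_rule_ports(rule)):
                findings.append({
                    "region": region,
                    "group_id": sg["GroupId"],
                    "group_name": sg.get("GroupName", ""),
                    "port": port,
                })
    return findings


def scan_all_regions(session) -> list[dict]:
    """Live variant: run the check in every enabled region of a boto3 session.
    Needs network access plus ec2:DescribeRegions and ec2:DescribeSecurityGroups."""
    ec2 = session.client("ec2", region_name="us-east-1")
    regions = [r["RegionName"] for r in ec2.describe_regions()["Regions"]]
    findings = []
    for region in regions:
        client = session.client("ec2", region_name=region)
        paginator = client.get_paginator("describe_security_groups")
        for page in paginator.paginate():
            findings.extend(find_world_open_admin_ports(region, page["SecurityGroups"]))
    return findings


# Constructed sample data (not output from a real account): a bastion group
# that exposes SSH to the world and a database group whose second rule allows
# all traffic from any IPv6 address.
SAMPLE_GROUPS = [
    {
        "GroupId": "sg-0badc0ffee000001",
        "GroupName": "bastion",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        ],
    },
    {
        "GroupId": "sg-0badc0ffee000002",
        "GroupName": "db",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
             "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
            {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        ],
    },
]

if __name__ == "__main__":
    for f in find_world_open_admin_ports("eu-central-1", SAMPLE_GROUPS):
        print(f"{f['region']} {f['group_id']} ({f['group_name']}): "
              f"port {f['port']} open to the internet")
```

Running the block as a script prints seven findings: port 22 on the bastion group, and all six sensitive ports on the database group, because an all-protocols rule from ::/0 exposes everything even though its IPv4 rule is correctly restricted to a private range. Checking both IpRanges and Ipv6Ranges, and treating IpProtocol "-1" as every port, are the two details such scanners most often miss.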

Mitigant provides a secure and reliable platform for bringing your cloud into line with the NIS2 Directive, with only about 15 minutes of onboarding time. It is a proactive cloud security SaaS solution that protects cloud-native infrastructures in Amazon Web Services, Microsoft Azure, Google Cloud Platform, and Kubernetes from security vulnerabilities and cyberattacks. With Mitigant, you can make your cloud infrastructure more secure, compliant, and resilient:

  • Take inventory of cloud resources across cloud services and regions, and monitor for unwanted changes and suspicious activities in the cloud. Read more here: https://www.mitigant.io/advanced-posture-security.
  • Run automated and on-demand cloud security assessments to detect and remediate security risks in cloud resources and Kubernetes infrastructure.
  • Achieve continuous compliance with cloud security standards and best practices such as ISO 27001, the CIS Benchmarks, PCI DSS, and BSI C5.
  • Prepare the cloud for cyberattacks by running automated cloud attack emulations that uncover security blind spots. Mitigant Cloud Immunity lets organizations run cloud attack emulations quickly and safely. Read more here: https://www.mitigant.io/cloud-immunity.