Society increasingly relies on IT systems for basic needs, such as buying food and accessing healthcare services. These IT systems need to be networked, so as to allow both their usage and administration to be remote. Regarding usage, we all appreciate the ability to declare parental leave and book doctor’s appointments without having to leave the comfort of our sofas. When it comes to administration, the on-call team’s life simply gets better if they can do troubleshooting and maintenance from home, as opposed to having to sleep in the facility housing IT equipment.
Unfortunately, putting these systems on a public network, such as the Internet, also increases their exposure to cyber attacks. This, unfortunately, happens too often lately, whether to exfiltrate data and illegally profit from it, or as part of a hybrid war strategy.
In this blog post, we present what the recently passed EU NIS2 Directive is and how it will increase the security of networked IT systems in the EU.
Why is security hard?
There are tons of reasons why security is hard from an engineering perspective. Nevertheless, each of these challenges have a solution. Unfortunately, implementing these solutions costs money, both in terms of cash and in terms of productivity. In a competitive market, all actors tend to optimize their costs, which leads to security being chronically deprioritized and underfunded. For example, the Swedish Civil Contingencies Agency (MSB) decided back in 2020 that all government entities should use Multifactor Authentication (MFA). However, this decision seems to have not been fully implemented as of beginning 2022.
Even a security-obsessed company will have a finite security budget. And security is expensive! Cyberattackers only need to find one sufficiently large security gap, whereas your organization needs to mitigate “all” security risks. Unfortunately, without a coordinated, industry-wide effort, no single organization will have the security intelligence required to take those security measures that bring the best “bang for the buck”. For example, the organization might need to decide whether it wants to invest in an anti-phishing solution or a full-day org-wide security awareness training. Perhaps it should invest in a cheaper anti-phishing solution combined with a half-day security awareness training. Without having a fuller picture of the current threat landscape, the organization can at best roll a die.
So, how can we ensure that all organizations:
- Invest enough in security; and
- Have access to sufficient security intelligence
Both for their own benefit and for the benefit of society?
What is NIS2?
To bridge the gap between what society needs and the too often neglected information security, the EU has recently passed the NIS2 Directive. It improves upon the previous NIS Directive – retroactively called “NIS1” – which had a similar goal.
Viewed from a 30,000-foot perspective, it aims to achieve two primary goals:
- to close the budget gap, i.e., underinvestment in security;
- to close the intelligence gap, i.e., no single organization being aware of the current security risk landscape and the most effective mitigations.
NIS2 closes the budget gap by setting fines for neglecting information security: up to 2% of total annual turnover. It essentially gives CISOs leverage when negotiating their budgets: “Should we risk paying 2% of our annual turnover, or should we invest a fraction of that on security?”
NIS2 closes the intelligence gap by essentially creating a hierarchical DevSecOps loop. Without going into too much detail, the European Union Agency for Cybersecurity (ENISA) sits on top. On the next level, each EU Member State has a national authority which coordinates security, called in NIS2 the “single contact point”. For example, the German NIS2 single contact point is the Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik – BSI), whereas the Swedish counterpart is the Swedish Civil Contingencies Agency (Myndighet för samhällsskydd och beredskap – MSB). Said single contact points receive reports on incidents and near-misses from organizations. These reports are aggregated on national and EU level, to produce new security measures as well as raise awareness. Such awareness is raised, amongst others, through the yearly ENISA Threat Landscape report.
The NIS2 Directive applies to what it defines as essential and important entities. Essential entities include energy, transport, banking, healthcare, and the public sector, while important entities include postal services and manufacturing.
Also noteworthy is that the NIS2 Directive does not apply to microenterprises and small enterprises – without going into details, this means organizations with under 50 employees. However, these organizations can and probably should participate in NIS2 on a voluntary basis.
Note that NIS2 is an EU Directive that needs to be transposed into national legislation. As of January 2024, this work is still in progress, but we can foresee the impact of the NIS2 Directive by looking at its predecessor, NIS1. The national implementations will likely have sector-specific provisions. This means that NIS2 is not to be seen as a single “book of rules”, but as a myriad of rules that differ from one EU Member State to another and from one sector to another. For example, German industries will be more familiar with “KRITIS”, the German implementation of NIS. In Sweden, the industry will talk about various MSBFS-es.
Related regulations
NIS2 is related to several other EU directives and regulations. Each deserves its own blog post series. In this section, let us just quickly illustrate their relationship to NIS2.
Most organizations are already familiar with GDPR, which regulates personal data. The first question one might ask is: “Does an organization suffering a breach need to pay both NIS2 and GDPR fines?” Fortunately, not! Your organization “only” needs to pay the higher GDPR of up to €20 million or 4% annual global turnover – whichever is higher.
NIS2 is also related to the EU Critical Entities Resilience Directive (CER). CER complements information security with physical security. For example, in Sweden, this will lead to the question, “Is your datacenter physically protected according to the SSF 200 standard?” Entities which are critical under CER are essential under NIS2.
NIS2 also relates to the EU Digital Operational Resilience for the Financial Sector (DORA). As DORA itself puts it, “[DORA] shall be considered a sector-specific Union legal act for the purposes of Article 4 of [the NIS2] Directive.”
Takeaways
- Security is hard, not just engineering-wise, but also because budgets and security intelligence are limited.
- The NIS2 Directive is both a stick and a carrot.
- A stick, because it incentivizes organizations to increase their information security spendings to avoid heavy fines.
- A carrot, because it empowers organizations to better understand the threat landscape and the effectiveness of various security measures, so as to make better decisions when it comes to security.
How does the NIS2 Directive relate to Elastisys Welkin platform?
Welkin is Elastisys’s Kubernetes platform designed around security and compliance by default. Already today, Welkin helps our customers fulfill security requirements coming from regulations as diverse as EU GDPR, EU Medical Device Regulations (MDR) and MSBFS 2020:7. BTW, clicking on the links will guide you to a mapping between each regulation’s requirements and Welkin features fulfilling them.
We can’t wait to see the security measures that NIS2 will bring and evolve Welkin to help NIS2-regulated entities.
Blog post by Cristian Klein
I’m Cristian, the Compliant Kubernetes product owner at Elastisys. I review data protection regulations and security best practices, to translate those into Kubernetes and Cloud Native solutions. I gathered over 19 years of experience acting variously as an on-call network engineer, consultant, teacher and researcher. You can follow me on LinkedIn, where I post about topics at the intersection of information security and Kubernetes.