NIS2 Directive: a strong request for better incident handling | NXLog Blog (original) (raw)

Did you know the European Union created a rule called the NIS Directive? This rule was established in 2016 to ensure that all member countries are equally protected against cyber attacks. It’s a step towards making it easier for governments to work together to stop cyber threats. However, the Directive was expected to provide more specific instructions for protecting against attacks and ensuring all countries follow the rule. The rule also requires companies and governments to be better prepared to handle cyber attacks and have a plan in case something goes wrong. It was a crucial step towards ensuring everyone’s safety in the modern digital age.

Introducing NIS2

From January 2023, there’s a new set of guidelines available called the Directive (EU) 2022/2555. These guidelines are enhancing the old ones, and they’re serious business. Member states must create laws that apply to specific organizations and follow particular rules. And they need to do it fast because the deadline for incorporating these guidelines into their laws is October 17th, 2024. It’s crucial to figure out which organizations these guidelines apply to and how to make sure everyone follows the same rules. So if you’re an organization affected by these guidelines, you better get cracking and start following them before it’s too late!

Old and new

The new NIS2 Directive will protect even more sectors and entities and create new ways for Member States to collaborate and stay safe. The NIS2 Directive is also bringing some fresh ideas to the table, like peer reviews and a crisis management structure called EU-CyCLONe. Plus, The European Union Agency for Cybersecurity (ENISA) is getting new responsibilities, such as creating a registry of vulnerabilities and publishing an annual report on cybersecurity in the EU. It’s exciting to see the EU taking proactive steps to secure everyone’s digital lives!

The key requirements of the NIS2 Directive for Operators of Essential Services (OES) and Operators of Important Services (OIS) include:

1. Implementing appropriate technical and organizational measures to manage cybersecurity risks
2. Designating a cybersecurity officer
3. Conducting regular risk assessments
4. Reporting serious cybersecurity incidents to their competent national authorities
5. Cooperating with their federal competent authorities in the event of a cybersecurity incident

Entities identified as critical

Both directives define a list of sectors deemed Critical National Infrastructure (CNI), including:

• Energy, including electricity, district heating and cooling, oil, gas
• Transport, including air, rail, water, and road
• Banking
• Financial market infrastructures
• Health
• Drinking water
• Wastewater
• Digital infrastructure
• ICT service management (business-to-business)
• Public administration
• Space
• Postal and courier services
• Waste management
• Manufacture, production, and distribution of chemicals
• Production, processing, and distribution of food
• Manufacturing, including medical devices, computers, electronics, optical products, electrical equipment, machinery and equipment, motor vehicles, trailers, semi-trailers, and other transport equipment
• Critical entities as defined under Directive (EU) 2022/2557
• and more!

Suppose your organization is part of a Critical National Infrastructure of a EU member state. In that case, it’s crucial to have a plan to identify and manage risks to your network and information systems. These plans help prevent or minimize adverse impacts from security incidents. Countries require these organizations to implement measures for a secure network infrastructure. Being prepared for security challenges is crucial.

Complying with NIS2

When complying with NIS2 regulations, companies have room for maneuvering in how they choose to tackle the requirements. However, it’s essential to remember that member states are to direct CNI organizations to bear the responsibility of meeting these standards.

In total, there are seven technical and organizational measures that companies must address or implement to ensure compliance. These measures include:

• Conducting risk analysis and establishing information system security policies
• Implementing an incident management framework for prevention, detection, and response to incidents
• Ensuring business continuity and crisis management
• Maintaining supply chain security
• Establishing security measures in network and information systems
• Developing policies and procedures for cybersecurity risk management measures
• Using cryptography and encryption

Companies must make sure they’re secure from online threats. There are a few things that can help with this. One is having clear rules about security, another is having a plan for when something goes wrong, and the third is using a system to keep data safe. It’s not something that can be done once and then forgotten. Companies should keep working on these aspects over time to ensure they stay safe.

Breach notifications

Even if a company is taking care of its cybersecurity, it can still be at risk of getting hacked. If an attack does happen, there is a strict guideline they need to follow:

1. Within 24 hours report an early warning to a computer security incident response team (CSIRT)
2. Within 72 hours report an incident notification that includes initial assessment, severity and IoCs
3. Within 1 month share a final report, including detailed information on incident scope, investigation process, remediation strategies and impact

These strict notification rules put serious pressure on log management and security monitoring. A company must be capable both to track many critical log events from disparate sources and extract incident-related information from backup storage quickly to fit NIS2 reporting time-frames. Being subject to NIS2 regulations, ask yourself if you have such an effective log management pipeline in place and keep on reading to learn how NXLog helps with this.

What types of incidents must be reported?

According to the NIS2 Directive, an incident shall be considered significant and must be reported if any or all of the following are true:

• The incident has caused or has the potential to cause substantial operational disruption or financial losses for the entity concerned
• The incident has affected or has the potential to affect other natural or legal persons by causing considerable material or non-material losses

This goes far beyond the reporting obligation under the NIS Directive. Under NIS2, just the presence of a critical vulnerability is sufficient to trigger a reporting obligation.

Violations of the directive

The NIS2 Directive outlines the penalties organizations can face if they violate it. These penalties include:

• Administrative fines: The maximum administrative penalty imposed on an organization for violating the NIS2 Directive is €10 million or 2% of the organization’s global turnover, whichever is higher.
• Criminal penalties: Individuals found to have intentionally or recklessly violated the NIS2 Directive can be subject to criminal penalties, including imprisonment.
• Civil penalties: If an organization breaks the NIS2 Directive, individuals or other organizations harmed, as a result, can take legal action against them.

If a company breaks the NIS2 Directive, its punishment will depend on how severe the violation is. For example, people in the company don’t notify the team in charge of cybersecurity about a security issue. In that case, they might get a lighter fine than if they didn’t set up proper security measures. The NIS2 Directive says that companies should get a chance to prove they followed the rules before they get punished. This means that if a company follows the rules, they can reduce or avoid the punishment they get.

How NXLog helps

Log collection is a key part of any modern cybersecurity program compatible with the NIS2 Directive. Proper log collection enables core security processes like monitoring, incident response, and reporting in time.

NXLog helps organizations stay compliant by providing a centralized security observability solution. With NXLog, you can build a robust log collection architecture and analyze logs across disparate systems to boost threat detection, minimize response time, and ensure you always stay compliant with regulations:

Enable audit log centralization with nothing missed

NXLog supports all popular and advanced log data collection methods. It seamlessly integrates with various data sources, including databases, network appliances, SIEM, and APM systems to ensure a compliant log management process.

Simplify processes with unified log collection infrastructure

NXLog allows an organization to define a unified log collection mechanism across an entire infrastructure, including system and operational components. Unified log collection helps design comprehensive technical solutions and simplify routines and policies that must be documented and communicated to staff.

Keep data safe while in transfer

Log data may include sensitive information. To make transfers secure, NXLog provides TLS/SSL encryption support to prevent data in transit from being viewed or modified by a malicious actor.

Enforce audit log & system file monitoring against unauthorized changes

NXLog provides a File Integrity Monitoring (FIM) module that detects when files are changed and promptly triggers a security event. This helps to protect both critical system files and retained logs from unauthorized tampering.

Enable cost-efficient audit log retention

Nowadays, IT systems generate tons of logs and audit trails. All that data has to be available for real-time analysis and also capable of being quickly re-hydrated from long-term storage for faster response in the case of a security event. NXLog provides log filtration, flexible retention, and routing mechanisms, creating a robust and cost-efficient retention process.

Conclusion

In 2016, the aim of the NIS Directive was to level up security efforts and help critical infrastructure organizations improve their cyber security. However, some parts of the Directive weren’t prominent and needed more guidance on managing cyber risks. People were also worried that member states weren’t doing enough to follow the Directive. The NIS Directive also emphasized the need for companies and member states to be better prepared for cyber-attacks and have plans to deal with them. The NIS2 Directive was introduced to address these concerns to help certain entities improve their cyber security measures.

• nis2
• compliance