EU's cyber directive NIS2 - a stick or a carrot on the way to the next level of cyber security?

Article by Jan Mickos, Managed Services Director, Nixu, a DNV company.


  • EU's NIS2 directive aims to elevate cyber security across member states, safeguarding citizens, businesses, and critical infrastructure from cyber threats in the interconnected economy.
  • Compliance with NIS2 requires a proactive mindset shift, comprehensive risk evaluation, and strategic roadmap development to address cyber security challenges effectively.
  • Establishing a 24/7 Security Operations Center (SOC) helps you meet NIS2 compliance requirements and elevates your overall cyber security posture.

The Network and Information Security (NIS2) Directive is the first piece of EU-wide legislation on cyber security. It is an action taken by the EU to achieve a high common level of cyber security across the Member States to protect its citizens, businesses, and critical infrastructure from cyberattacks and other malicious activity. It reflects the need to address the increasing complexity of cyber security threats in the interconnected economy.


Start with a mindset change

To comply with NIS2 and to benefit from it, your mindset needs to be outbound. Yes, cyber security is still about protecting your organization, assets, and reputation. Additionally, it’s about protecting your partners, customers, and end-users, the whole supply chain. It’s about a mindset change from reactive to proactive and from separate entities to interdependent organizations, systems, and processes.



And continue with risk evaluation

There is no magic solution, checklist, or quick fix to becoming NIS2 compliant. The best way forward is to analyze your current situation first, create a roadmap with clear objectives and timelines, and then get started.

By creating a holistic overview, you can manage risks with a shared understanding of the purpose and extent of the task. As with GDPR, the key is to understand the risks, both technical and organizational, and take the necessary actions.

What threats may systems, components, configurations, and infrastructure face? What can the potential impacts on business operations be? What could go wrong? What actions must you be prepared to take?


Manage the entire environment with 24/7 SOC

Demonstrating that you have a framework for managing cyber security risks, often through an information security management system (ISMS), builds trust. However, you also need to be able to organize, manage, and develop your protection. This means staying on top of the whole cyber security environment 24/7. It goes beyond traditional reactive security operations. It is the fusion of proactive protective measures, continuous monitoring and response, and continuous management of the security posture – Security Fusion.

Setting up a world-class security operations center (SOC) that monitors, prevents, detects, investigates, and responds to cyber threats around the clock can help you meet NIS2 compliance and offer several benefits.

A SOC helps you meet the NIS2 compliance requirements by providing continuous security monitoring, threat intelligence and analytics, incident management, compliance reporting, and access to skilled cyber security professionals.

Jan Mickos, Managed Services Director, Nixu, a DNV company


Some organizations have built their SOCs over time utilizing both internal and external resources. But, given the ongoing evolution of cyber security technologies and the need to constantly adopt new skills and tools, managing this mix is becoming increasingly complicated. Running a modern SOC is a costly undertaking.

How do you set up your NIS2-compliant SOC cost-effectively? How do you benefit from economies of scale? How much does running a 24/7 SOC cost you? Based on Nixu’s experience, SOC as a service can easily cost as little as 10 % of what an in-house SOC costs. There might still be reasons to have an in-house SOC, but you should regularly validate those reasons.


Integration is the key to future success

When we talk about cyber security in the interconnected world, we talk about systems integration and the integration of processes and ecosystems. In the increasingly interdependent world, competitiveness and resilience can only be gained and maintained by getting rid of point solutions, sub-optimization, and silos.

How do you manage this future? Who is leading your cyber security ecosystem? Who knows the big cyber security picture? What is your role in all this?

The NIS2 directive can be a tasty carrot and a firm but gentle stick on your way to the next level of cyber security.

DNV has created one of Europe’s fastest growing cyber security services businesses by merging DNV’s existing cyber security business with two recently acquired companies – Nixu and Applied Risk. The merger brings together more than 500 cyber security experts to safeguard demanding IT and industrial control system environments across multiple industries.