The NIS 2 Directive was issued in response to the increasing digitization and the resulting changes in the cybersecurity threat landscape. The original NIS Directive, which was issued in 2016, was no longer considered to sufficiently protect the EU from the new cybersecurity threats.
Even if you did not have to comply with the first NIS Directive, it will be very important to pay attention to NIS 2, because the regulator has significantly expanded the scope of this second edition:
Senior Management can be held liable for infringements
The deadline for compliance with the NIS 2 Directive is approaching. As of October 17, 2024, the supervisor can issue fines for non-compliance.
The NIS 2 Directive applies to companies where a security breach can have a significant impact on the European economy, which significantly extends the scope of the original NIS Directive, which only applied to operators of essential services and relevant digital service providers. This difference might sound like pure semantics, but an estimated 160,000 companies will have to comply with the NIS 2 Directive. Among the companies it regulates, the NIS 2 Directive distinguishes between Essential and Important Entities based on their size and sector.
Essential Entities are large entities that are part of sectors of high criticality listed below.
Important Entities are medium-sized enterprises operating in the sectors of high criticality of Annex I of the Directive, OR large or medium-sized enterprises in the sectors of Annex II of the Directive that do not fall into the Essential Entity category (due to their size or the type of entity involved).
The NIS 2 Directive can even apply to small enterprises, depending on the type of services they offer, when they hold a monopoly, or when their services are critical to economic stability or national security.
Essential Entities will be proactively audited for NIS 2 compliance as of its ratification into regulation, whereas Important Entities will only be audited after an incident has occurred.
For a more detailed description of the sectors, I refer you to the NIS 2 Directive itself.
Article 21 of the NIS 2 Directive dictates that organisations must implement appropriate and proportionate technical, operational and organisational measures to manage cybersecurity risks, such as MFA, encryption and access controls. Recital 82 of the Directive also states that organisations have to apply zero-trust principles to access management, where access to data is limited to what is absolutely needed (just enough) for the time it is needed (just in time).
This means limiting user access to the data, reports, and AI models they have legitimate access to and only for the time they need that data to perform their tasks.
It is important to note that senior management will have to approve the cybersecurity risk management measures, oversee their implementation, and can be held liable in case of a breach.
Article 32 of the Directive gives the authorities the mandate to perform regular and ad hoc audits and security scans of Essential Entities. Among other things, they will look for the presence of data security policies and proof of their implementation. It will be important to make sure these audits go smoothly and to have this information readily available, as you will bear the full costs of the audit.
Organisations have to report significant security incidents to the supervisor and to all affected natural and legal persons within 72 hours of becoming aware of the incident. This report shall contain an initial assessment of the incident, including its severity and impact. Within one month, the organisation shall provide a detailed report on the incident.
Article 34 specifies penalties for non-compliance, including fines of up to 2% of an entity's annual turnover.
The data security requirements of the NIS 2 Directive are far reaching and will put a heavy burden on data teams, who will have to balance this work with other priorities using limited resources. Without help, NIS 2 compliance will set data teams back several months, diverting focus from other strategic topics such as AI/ML, self-service analytics, and cost optimization. There is also a significant risk that poorly designed data security workflows following NIS 2 implementation will result in a loss of competitiveness because of their impact on the productivity of data and AI workers. This will particularly be the case for analytical data and data for AI/ML, which are typically stored in data warehouses, data lakes, and/or data lakehouses.
Raito’s unique architecture assists data, AI and security teams through the following steps toward NIS 2 compliance:
Identify Critical Assets: Integrate Raito with your data stack to discover the data sets that are critical to the organisation in terms of sensitivity, access and usage.
Gap Analysis: Evaluate the current access controls and data usage patterns for users, service accounts and AI models. Discover risks and discrepancies with security and privacy policies, and plan remediation actions to resolve those gaps.
Assess the impact of data breaches: Analyse the potential impact of a data breach, and assess the potential damage to confidentiality, integrity, and availability of critical data assets.
Remediate: Remediate the biggest security risks by removing excessive privileges, conflicting access controls, unused permissions, and unused data sets.
Monitor: Monitor the impact on your organisation’s data security posture and maturity score as you execute remediation actions.
Implement Least Privilege Access: Adopt a least privilege approach by granting users, service accounts and AI models only the access permissions they need to perform their tasks, and only for the time they need to perform those tasks. This minimises the attack surface and reduces the risk of unauthorised access, data deletion, and ransom attacks.
Regular Monitoring: Implement continuous monitoring of data access and usage to detect violations of security policies and data regulations. Also monitor access requests and approvals.
Conduct regular audits: Conduct regular audits of access control policies, user access rights, and data usage to ensure compliance with the NIS 2 Directive and identify any changes or deviations.
Regular Access Review: Review access controls on a regular basis for user and machine accounts. Revoke unused permissions, remove unused tables, and resolve policy conflicts.
Reach out to info@raito.io or book some time with me to learn more on how Raito can help!