The NIS 2 directive is a set of proposed EU legislation that builds upon existing rules around cybersecurity. The growing trend towards digitalization and the associated surge in cyber attacks have heightened cyber risk, and the European Commission has responded with this proposed replacement of the standing NIS Directive. It aims to address current weaknesses in organizations’ cybersecurity obligations in a world where the pandemic and geopolitical instability have highlighted threats to energy and food supply chains. With streamlined reporting obligations, increased supervisory measures and stricter enforcement requirements, the legislation aims to raise the level of cybersecurity in Europe over the long term.
All EU member states will be expected to implement the legislation. By association, non-member states such as Norway and the UK will need to be compliant due to strong trading links with nations within the union.
The current legislation has been difficult to apply consistently across EU member states, resulting in uneven implementation. While the original directive improved Europe’s overall cybersecurity posture, there are still gaps to be addressed.
If you are within an affected state and industry sector, management will be expected to be responsible and accountable for:
Cybersecurity measures – applicable to all entities
| What | How can Columbus help? |
| --- | --- |
| Risk analysis | Technical assessment of key services and infrastructure in the cloud or on-premises. Analysis of critical business processes and advisory on relevant mitigations. |
| Incident handling | Sourcing and coordination of response as a key supplier, working with your IS team and other key partners such as Microsoft. |
| Business continuity | Advisory, architecture and implementation of processes and procedures to achieve recovery time objectives. |
| Supply chain security | Industry knowledge of critical links within your supply chain and advisory on measures to lessen the impact of any future breach, through digital, data-driven means. |
| Security in networks and information systems acquisition | Columbus is an ISO 27001 compliant business with robust implementation and development processes. Choosing us as your digital transformation partner ensures secure acquisition of services. |
| Testing and auditing | Assistance with business continuity testing. Security audit support through log analytics and intelligent alerting on risks to key data and configuration in applications. Monitoring of key security events, with notification to assist in meeting NIS2 reporting deadlines. |
| Policy on cryptography and encryption | Advisory on how cryptography is applied to protect key information within your SaaS applications and the services they integrate with, in the Microsoft cloud and beyond. |
| Human resources security | Columbus provides best-in-class access management services that ensure segregation of duties and least-privilege access are applied to the data within your key cloud applications such as Dynamics 365 or Infor CloudSuite. |
Affected organizations may be mandated to use certain products, processes, or services under specific EU certification schemes. It is not yet known which these will be, but companies can prepare by ensuring that they have attained a relevant information security standard, such as ISO 27001, which covers many of the requirements impacted by NIS2.
Entities operating under NIS2 will be required to notify incidents to the member states' “competent authorities” within 24 hours of becoming aware of them and ensure that information exchange takes place between appropriate organizations within trusted communities. A full report would be expected within a month of the initial notification.
Member states will have a duty to disclose the entities in scope of NIS2 to a central register managed by ENISA, the EU's cybersecurity agency. Other member states may be granted access to the information held in this register as part of coordinated cross-border incident response.
Organizations found to be in violation of the legislation may face fines of up to 10 million euros or 2% of annual global turnover. Of course, the reputational impact of any incident resulting in non-compliance when made public would be incalculable.
A proposed text was agreed upon in May 2022. It is expected that NIS 2 will be effective in mid-October 2024, and transposition into national law will need to be completed within 18-21 months afterwards. Organizations need to act now to ensure readiness in accordance with this timeline.
More details on NIS2 and its impact can be found by following the link below:
The NIS2 Directive: A high common level of cybersecurity in the EU | Think Tank | European Parliament (europa.eu)
If you’d like to explore how Columbus can support you in becoming compliant in the way you operate your SaaS applications, such as Dynamics 365, Power Platform and the wider set of Microsoft Azure services, reach out to us today.