![CMV_Headshot_3[1].png](https://images.contentstack.io/v3/assets/blt36c2e63521272fdc/blt61bef91726e441ff/638f5497c32187107ea7eacf/CMV_Headshot_3[1].png "CMV_Headshot_3[1].png")
This is Part 5 of a multi-blog series on the new NIS2 Directive. Explore the complete series:
In a series of articles on the Network and Information Security Directive (NIS2), we examine the implications for organizations, CISOs and security specialists. SANS Instructor Cristian Vidu works in national cyber defense and has delved into the NIS2. He distinguishes three key factors that will have a far-stretching influence on organizations.
Vidu characterizes himself as a geek, a true techie, whose focus has turned to advising and teaching in recent years. This background provides him the perfect perspective to translate the language of technology to the language of business and vice versa.
The Evolution of Cybersecurity
Vidu argues that the world of cybersecurity has changed enormously over the past two decades. “Back then, about 20 years ago, cybersecurity was not really a thing,” he said. “It was there, but it was not a big thing. Nobody thought it was reliable. Well, a lot has changed,” he added, grinning. “Then came the 2000s, when the concept was that you can prevent everything. Which meant that if you were raided, you had failed to protect your infrastructure. IT and security professionals then ran a high risk of being fired for this. In recent years, however, we have realized that no one can fully protect themselves.”
Vidu’s gives examples like the US National Security Agency (NSA) having its tools exposed on the internet, and China’s six-months long undisturbed access to State Department emails, and Russia penetrating air gapped networks via SolarWinds. “Let’s face it, if I’m in the small print of public administration, I won’t stand a chance against such a persistent threat. I can put up a fight, but in the end, I won’t stand a chance. So yes, it has been quite a ride over the past few years regarding cybersecurity. Not least because attackers and threats have also upped their game considerably.” He concludes that even the best and most well-prepared organizations that used to worry about how they secure their own networks, now worry much more about how third-party providers secure their networks and whether intrusions into their networks can be prevented from affecting the parent organization or at least detect them if this happens.
“So, this means we’ve gotten a lot better; however, not everyone and this is problematic.” This is where NIS comes into play, trying to address this and ensure that the overall digital resilience of European organizations improves.
Challenge for Medium-Sized Businesses
The first NIS directive dates to 2016 and soon required update and expansion to address the lack of clarity about which types of businesses were required to follow NIS. In the new NIS2, more organizations must have their cybersecurity posture in order, (see the Which Organizations Are Essential or Important? section below). The directive now distinguishes two categories: essential and important entities. The rules apply to large or medium-sized companies depending on whether they are essential or important and the industry in which the company operates. Since NIS2 does not define exact sizes in this area, organizations must refer to the first iteration of NIS. “You are already a medium-sized organization with 51 employees or more or when you have a turnover of 10 million euros or more,” Vidu said. This worries the SANS instructor, as many organizations do not have extensive IT departments, specialized security specialists, or large budgets. “But, if they fall under one of the two categories, they are supposed to be NIS2 compliant, and they need to prepare for NIS2.” This means that organizations must have several things in place.
1. Management is Liable and Must Take Training
One of the critical elements in NIS2 is that management is now legally liable for cyber incidents. The US already has such an arrangement in which the US Securities and Exchange Commission (SEC) recently charged the SolarWinds CISO for the cybersecurity failures leading to the 2019 breach. This led to debate about which management roles were responsible. “Not the entire board, not the management team, just the CISO,” Vidu exclaimed. “Allegedly, he mentioned the problems and risks, but management did not follow through on his alerts.” The SANS instructor stressed that it is essential for the EU to find the right balance. “And NIS2 can provide that,” he said. “The NIS2 framework says that management must know and understand the risks they expose themselves to.” This means they can no longer tell the CISO: it’s your problem. They must identify the pain points in their company and invest their budget to ensure those processes will not be affected by any cybersecurity breach. An interesting point, though, according to Vidu, is that the directive doesn’t specify what it means by ‘management,’ so it is not clear if it is only upper management or also middle and line managers as well. “One other thing about this key element of NIS2 is that the directive states management must take courses to improve their knowledge and understanding of cybersecurity. Note, it says must, so it’s mandatory, a must.”
2. Risk Management Framework
Another critical element of NIS2 comes down to the risk management framework. “Although the risk management measures mentioned are pretty general,” said Vidu, “they cover backup policies, risk analysis, multi factor authentication (MFA), supply chain security, business continuity, basic cyber hygiene, human resources, and incident handling. This is a good thing, organizations having these policies in place are less likely to fall victims to cyber-attacks and the impact would be lower. But it would be nice if there was additional guidance from the regulator on how to implement these policies if we want to assist the medium-sized organizations. I am hopeful that this will follow in the near future.”
3. Reporting
The third element that will affect most companies is reporting, said Vidu. “Any significant incident must be reported to local authorities within 24 hours.” Local authorities must then pass these reports on to the EU where the knowledge will be shared with member states to prevent similar incidents. “For a technical person, I think this is a core benefit of NIS2: a detected attack against one organization becomes a prevented attack against another,” continued Vidu.
Investigated incidents must not only be reported, but early warnings of a significant incident are also mandatory. What Vidu questions is the reporting of near misses. “The EU requires national cyber security incident response teams (CSIRTs) to report all instances of near misses as well,” he said. “Those near misses are very general and could even be interpreted as something as simple as an alert on my firewall that was blocked.”
Voluntary Reporting of Incidents
There is ongoing debate about voluntary reporting of near misses. “The NIS2 framework makes it mandatory for every national CSIRT to have a place where organizations can voluntarily report incidents,” Vidu said. “However, while the idea is very good, and I am a huge fan of it, I am a bit sceptical as to the acceptance, as organizations have already had some experience with this concerning GDPR.” He gave the example of his home country, Romania. “If you report an incident under the GDPR, you immediately get fined. I don’t know how things are in other European countries, but we have numerous examples here.” According to Vidu, this might make companies think twice before voluntarily reporting incidents, whether for GDPR or NIS2.
Building Trust
Vidu sees voluntary reporting as succeeding only if trust is established, which brings him to a striking element in the directive. “It is the first time I’ve seen the traffic light protocol mentioned in a law. The colors green, amber, and red have been used before when deciding whether to share sensitive information, but until now, this was mainly a tacit agreement. Now that it is included in the NIS2, organizations must ensure that whoever receives the information cannot share it so easily with the outside world. For me, this is perhaps the first step towards building that trust needed to share information on indicators and incidents,” he said. When an incident is detected and shared with other organizations, it makes life harder for attackers, said Vidu. “They are opportunistic and like to use the same setup and attack for many different targets. They are not eager to build a new infrastructure and associated components for each target. When we start sharing information, other organizations can protect themselves against the same attack, and it becomes a costly business for attackers. We want to make the attacker’s life as difficult as possible. It costs us to protect, I want to make sure that it costs them as well to attack.”
Implications for Blue Teams
Vidu expects that initially, NIS2 will make the lives of defensive ops teams more difficult, especially for smaller organizations where you have one person on the job who is doing everything from IT operations to security. “This new directive will initially make their life hell, I am afraid,” said the instructor. “But I guess that it will be easier on them after they have all the procedures in place and are comfortable, they are at a good level of protecting and assessing the rest of the organization. But yeah, probably the first two years at the least will be very difficult for them.” It is currently difficult for defensive ops and Blue Teams to determine what they could already be doing to prepare. “If we are talking about the Blue Teams, we care about the technical, and as of yet, there is no itemized list that can be used to improve security.” Artificial intelligence (AI) and machine learning (ML) are mentioned in NIS2, suggesting that cybersecurity teams start leveraging these technologies for cyber defense. “That’s a great idea, however, in many cases, AI and ML are also black boxes, making it difficult to assess how the system arrived at their results.”
No Recommendations (Yet)
Organizations that already fall under the old NIS Directive are becoming a bit wary, noticed Vidu, as there is little guidance on which NIS2 regulations an organization must comply, to the SANS instructor’s surprise. "Nothing has been published recently about NIS2 requirements. Even the NIS Cooperation Group, which is supposed to make recommendations on member requirements, still refers to NIS1 on their website. While I am very happy with what they are doing in general for the project, I actually expected them to be a little more proactive and have some recommendations available for organizations already."
Check the NIS2 Directive
Companies can currently check if they are subject to the new NIS2 Directive, as only some organizations in the NIS2 industries list are applicable. “There are subcategories,” Vidu said. “For example, not every healthcare organization with more than 51 people is automatically covered by NIS2. It can be useful to look into that now.”
Vidu advises that organizations review the NIS2 guideline and suggests skipping the preamble. “That one is long and dry, but if you skip it, the actual guideline makes for an interesting read. That way, you already have an idea of what to expect.” EU member states have until October 2024 to translate the directive into national laws and regulations, after which they must publish a list of all applicable essential and critical entities by January 2025. Whether the organizations must then report themselves to the local authority or whether they will actively approach the organizations themselves is not yet clear. “There are different interpretations of that,” Vidu argued. “We will have to wait and see how member states deal with this.”
Preparing for Legislation
Having said that, NIS2 does specify that it applies to ‘significant incidents,’ so Vidu would advise any organization not to have such incidents. “While I can’t specifically advise an organization about the NIS2 legislation, I can, however, advise on how to prevent having to deal with significant incidents.” Significant attacks do not happen in the ‘blink of an eye’ or at ‘light speed’ (as some vendors would like us to think). “Most significant cyber-attacks take a lot of time, and the signs are visible in the organization if we know where to look and what to look for. And we want to make sure that we do have the time to look at those alerts before the attacker can accomplish their goal. This is something that we teach in SEC450: Blue Team Fundamentals: Security Operations and Analysis. In this hands-on course, we train participants how to prepare themselves and the organization for a defensive and visibility posture so they can see the attacks earlier. We talk about the tools needed, the processes required for quality triage and analysis, and we go into low-level details: define security zones and force communication through controlled choke points to limit the ability to move laterally (think the NotPetya attack on Maersk, where an attack on a Maersk finance office in Ukraine took down the organization’s active directory everywhere in the world), analyze what the users can do on their endpoints, and limit the most risky attacks in a way where productivity is not hindered, et cetera,” said Vidu.
There is one idea that he generally uses to guide his advice which he took from a Microsoft article a long time ago: turn on all invisible security and analyze which visible security measures you can add depending on the specifics of each environment. “What I mean by those two terms: invisible security is what we can turn on, and the user would have no idea that it is there; visible security is whatever measures the user would see and can potentially reduce their productivity.”
Job Well Done
“I could probably go on about how to avoid significant incidents, but I just want to summarize the main advice,” Vidu said. "Significant attacks should not be something easy for an attacker to accomplish. As long as we can define what “significant” means to our organization - what MITRE calls Crown Jewel Analysis – and this should be a management discussion since they are in the position to say what could affect the entire business – and we can prevent the attacks against those items, it means, in my opinion, that we did our jobs well as cyber defenders.”
Which Organizations Are Essential or Important?
Essential entities: Large organizations operating in a sector from Annex 1 of the NIS2 Directive
Key entities: Medium-sized organizations operating in an Annex 1 sector and medium and large organizations operating in an Annex 2 sector.
An organization is considered large based on the following criteria:
- A minimum of 250 employees, or
- An annual turnover of €50 million or more and a balance sheet total of €43 million or more.
An organization is considered medium-sized based on the following criteria:
- 50 or more employees, or
- an annual turnover and balance sheet total of €10 million or more.
In this series on NIS2, we highlight the new directive from different angles so that CISOs and their organizations can gain insight into how to deal with NIS2.
In the ever-evolving world of cybersecurity, staying compliant is key. With SANS, you have a partner in compliance, offering the latest courses and resources designed for NIS2 standards. Start navigating the compliance landscape today at www.sans.org/mlp/nis2.
As SANS maps out industry preparedness for the new EU Commission's NIS2 Directive, your insights are invaluable. Please take a moment to complete the NIS2 survey to contribute to our research. Your feedback will help us provide the guidance and resources needed for this and future directives.
Continue reading in Part 6 of our NIS2 Compliance series here.
