Report | NIS2: Why Everyone’s Compliant Until They're Not

Report | NIS2: Why Everyone’s Compliant Until They're Not

This report examines the July 2024 Crowdstrike/Microsoft outage and the growing impact of the EU’s NIS2 Directive. Gain expert insights on how NIS2 differs from other regulations like DORA and what steps organizations must take to stay compliant. Download now to stay ahead of the evolving cybersecurity landscape.

Report | NIS2: Why Everyone’s Compliant Until They're Not

July 2024’s Crowdstrike/Microsoft outage was bad. Hospitals, emergency services, banks, airlines, TV stations and countless other organizations were hit. Perhaps the only good news for the hundreds of thousands of impacted businesses was that this wasn’t a security incident but rather a buggy cyber security update. As bad as it was, it could have been much worse.

Aside from the multiple learning opportunities, the events of ‘Crowdstrike Friday’ demonstrate just how vulnerable critical infrastructure can be.

So it seems like a good time to check in on progress of the European Union’s NIS2 Directive to help organizations bring their cyber security provision up to scratch.

We sat down with Check Point’s Peter Sandkuijl to get his views.

NIS2: regulation, framework or guidance? NIS2 has been in effect since January 2023. But there’s not a lot out there one can point to and say “this is NIS2 in action”. Unlike the General Data Protection Regulation (GDPR) or Digital Operational Resilience Act (DORA), NIS2 is guidance rather than regulation. As a result, there are a lot of grey areas.

With DORA, for example, banks can’t operate past the implementation date if they’re not compliant. That’s not the case with NIS2. No-one is coming around and putting ticks in boxes.

NIS2: Why everyone’s compliant until they’re not

1

That doesn’t mean that organizations can’t be fined, it just means that under NIS2, everyone is compliant until they’re not. Essentially, a serious breach would need to occur, and it would then need to be proven in the resultant audit that you were in breach of the NIS2 recommendations.

So, despite coming into effect earlier than DORA, the timeline for NIS2 is actually much more protracted. We’re waiting for that first high profile case before any kind of precedent can be set. What happens after that? Even that isn’t very clear right now.

You mentioned DORA. How much overlap is there between regulation like that and NIS2? It depends on which aspects you’re looking at. DORA is limited to the financial services industry, for instance, whereas NIS2 applies to any organization that’s vital to the EU economy. So NIS2 is much broader in scope, but it’s also far less rigorous. NIS2 doesn’t include the supply chain, which is one of the key elements of DORA. With NIS2, you don’t need to guarantee the security of your supply chain, just your own organization.

Technologically, though, many of the factors are the same. We’re still talking about multifactor authentication, segmentation, business resilience, the implementation of zero trust, those kinds of things. And all of that is very comparable.

So if you’re compliant under DORA, will you be compliant under NIS2? Almost certainly, but not the other way around. You also have to remember that DORA is specific to financial services organizations, so it’s not like industry as a whole is already out there taking steps towards compliance.

On the other hand, NIS2 is nowhere near as demanding as DORA. Under DORA, you need to carry out cyber- resilience testing, red-teaming, those kinds of things. That’s not part of NIS2 unless you want it to be. It’s very much down to the maturity of the organization to determine how far they need to go. So where some will end up with very rigorous, DORA style frameworks around NIS2, others will just say “hey, we have an intrusion prevention system, we’re good.”

2

So, there’ll be variance, then? You could have two organizations that are NIS2 compliant, but one might be considerably more secure than the other? Yes. It’s all about your understanding of the guidance and how you choose to implement it. The interpretive nature of NIS2 means there’s a bit of an element of “innocent until proven guilty”. If you haven’t had a breach in the last 10 years, after all, why would you have one tomorrow? Now obviously, that’s a little reductive, but it does makes things harder. It’s already very difficult to get organizations to prioritize cyber security, and understandably so.

Say you’re in grocery retail. That’s a high-volume, low-margin business. We’re talking 2-3% at best. So if someone comes along and says “we need you to invest between 10-12% of your total IT budget into cyber security,” you can imagine what the response will be. That’s a normal percentage if you want to do a good job, by the way, but the mindset is very different—and understandably so.

Even if you frame that need around something like NIS2, it’s still challenging to get the right support. Think about all the other things a retailer needs to deal with—health and safety, loss prevention, the supply chain. There’s an endless list. And I’m not singling retail out, either. This will be the case in many, many industries covered by NIS2. So a big part of the job for the CISO is getting people to care enough to take action.

And how should they be doing that? Well, some of the work will end up being done for them when the first big cases hit the headlines. Nothing prompts the boardroom to start asking questions about compliance than a company in their space suffering a breach. That’s not exactly a proactive approach, of course.

Ultimately, being a CISO is about balancing a limited budget. And that budget will increase or decrease based on your ability to convince people about the need to enhance your defenses. That’s why it’s so important to have a multilayered approach. If you don’t get the budget for option A, you need options B, C, D, E, and so on waiting in the wings so that you can manage the risk as best as possible. There will always be another route to success.

How would you approach that job? Personally, I’d start by eradicating any point of failure in my network. Emails. Firewalls. Databases. If anyone can break through that, you have an issue. It only takes one mistake, bug, or zero-day vulnerability, and it’s done. That’s too great a risk.

That risk will get bigger, too. The situation around NIS2 will improve. We’ll see much greater clarity. And no-one wants to be the company that let one administrator make a policy change that caused everything to come crashing down. So even if it’s just “guidance” for now, NIS2 needs to be taken very seriously.

For more NIS2 insights and support on your journey, click here.

© 2024 Check Point Software Technologies Ltd. All Rights Reserved. 3


Item Type: pdf