NIS2 & Thales: Together we can turn compliance into competitive advantage

Are you ready for NIS2?

The EU’s update to the Network and Information Systems Directive, or NIS2, was adopted on January 16, 2023, and the EU’s 27 Member States have until October 17, 2024, to transpose the NIS2 Directive into applicable national laws. It aims to enhance security in the EU by focusing on risk management, data security and incident reporting, building on NIS1 by extending its scope to more sectors. Organisations classified as ‘essential’ (critical infrastructure) or ‘important’ (non-essential but still vital to society) need to gain a deep understanding of the new EU directive and ensure they’re prepared.

While achieving compliance with NIS2 undoubtedly requires work on your customers’ part, it’s never a bad idea for you to support your customers in enhancing their cybersecurity posture. In fact, it can be what sets them apart from their competitors – and you apart from yours.

Thales offers a suite of tools to help organisations comply with NIS2 and gain significant strategic benefits. In this article, we’ll tell you more about NIS2 and how you can help your customers best position themselves to capitalise.

NIS2 compliance requirements

The NIS2 directive contains a wide-ranging set of requirements to which organisations classed as essential and important must demonstrate compliance. Key obligations include:

  • Risk management – Organisations must consistently carry out risk assessments on their IT environments and take measures to manage any exposed risks. Robust policies and procedures are essential to demonstrate compliance.
  • Incident reporting – If a cybersecurity incident arises, NIS2 requires organisations to report it to the relevant national authorities within strict timeframes.
  • Business continuity – Organisations must demonstrate procedures to continue delivering essential services in the event of a cybersecurity incident.

If an organisation is found in violation of NIS2, its directors can be held personally liable if they are judged not to have taken the correct measures to achieve compliance. The organisation could also face significant fines:

  • Essential organisations – up to €10 million or 2% of global annual turnover
  • Important organisations – up to €7 million or 1.4% of global annual turnover

You can see how critical it is that organisations covered by NIS2 have their bases covered by October 2024. Even if they were in compliance with the original NIS1 EU directive, there is still work to do.

Download the latest NIS2 compliance white paper from Thales to get a more detailed list of the new requirements.


Job roles and responsibilities for NIS2 compliance

NIS2 is not just a nice-to-have certification. Once adopted by the Member States (deadline 17 October 2024), NIS2 will become law.

Complying with NIS2 is not something leaders can just leave to their IT security team. It requires a coordinated effort across the organisation with input from several functions, including:

  • Board of Directors – As directors are ultimately responsible for compliance with NIS2, they must take a personal interest in cybersecurity and make the right decisions on policies, processes and resource allocation.
  • Cybersecurity Team – Cybersecurity teams are on the frontline, upholding policies and controls, and dealing with incidents daily. They need to be on board with the necessary changes.
  • Risk Management Team – This team will be responsible for identifying and implementing measures to minimise cyber risks, as well as planning for business continuity in the event of a disruptive cyber incident.
  • Compliance Team – The organisation’s compliance team must establish processes for timely reporting cybersecurity incidents to meet NIS2 reporting obligations.
  • Human Resources – HR plays a critical role in delivering cybersecurity training for the workforce and ensuring a culture of cybersecurity awareness.
  • IT Team – This team is responsible for implementing the ten minimum cybersecurity measures mandated by the NIS2 EU directive, including multi-factor authentication and backup management.

Complying with NIS2 needs to be a company-wide effort. However, there’s some great technology available to support the transition.

Introducing Thales Technologies for Compliance

Thales has an extensive portfolio of application security, data security, and identity and access management solutions that can help your customers as they work towards NIS2 compliance.

Thales offers a range of application security solutions that protect applications and APIs at scale, whether in the cloud, on-premises or in a hybrid model. Key solutions include Thales’ Web Application Firewall, solutions to protect against Distributed Denial of Service (DDoS) and malicious bot attacks, and an API security product.

In data security, Thales offers solutions for data discovery and classification, data risk analytics, and vulnerability management. These also help identify structured and unstructured sensitive data at risk on-premises and in the cloud. In identity and access management, Thales provides solutions for managing access control, including delineating who has access to specific resources inside an organisation and adding contextual Multi-Factor Authentication.

In the cryptography and encryption area, CipherTrust Manager is Thales’ industry-leading key management system, helping even the largest organisations manage encryption keys and access policies from a central location, with comprehensive reporting capabilities. Thales Luna Hardware Security Modules (HSMs) help secure business-critical applications and sensitive data by managing cryptographic keys inside the network, while Thales Data Protection on Demand (DPoD) is a cloud-based key management service with no hardware needed.

These products could directly help your customers comply with NIS2 by addressing essential cybersecurity risk management requirements and delivering complete, accurate and timely reports in accordance with Articles 21 and 23 of the EU directive.

In particular, NIS2 explicitly requires essential and important entities to define and implement policies for the use of cryptography and encryption of data. In the case of ICT incidents, NIS2 defines stringent reporting obligations, including an incident notification within 24 hours and early forensics, such as data activity analytics, within 72 hours.

Turning Compliance into an Advantage

By using Thales’ technologies to achieve NIS2 compliance, you can support your customers in driving their new enhanced security posture, giving you and them a competitive advantage.

The obvious advantage is that compliance keeps organisations out of legal trouble, so they avoid the potentially devastating fines set out in NIS2. However, there are numerous other strategic advantages to placing cybersecurity at the heart of your operations:

  • Cyber incidents can greatly damage an organisation’s reputation. Organisations that are known to take cyber protection seriously generate goodwill and win more business (if that’s their aim).
  • Downtime caused by cyber incidents is disruptive to employees and customers alike. Depending on the services provided, it could be devastating to society. Protecting your environment from cyber attacks helps deliver a higher-quality service.
  • A smooth-running IT system, free of potential cyber threats and with the proper access controls, makes employees more productive.

Achieving NIS2 compliance requires a coordinated, organisation-wide approach. But in today’s world of ever-evolving cyber threats, it’s a necessary move. What’s more, it doesn’t have to be too big a challenge. With the right technology, your customers can go beyond simple legal requirements and start to truly reap the benefits.

Find out more

Download Thales’ latest white paper to learn more about NIS2 compliance (including detailed explanations of the requirements) – and how Thales’ suite of solutions can help get there.


If you’re looking for expert support and guidance along your NIS2 compliance journey, it’s time to talk to Exclusive Networks. We’ll help you seize the opportunities that NIS2 presents, so compliance becomes your competitive advantage.
