In recent years, there has been a significant increase in cyber attacks targeting various industries and organizations worldwide. In response, businesses and governments alike have introduced new measures to better protect their systems, infrastructure, and data.
In the U.S., the Biden administration released its National Cybersecurity Strategy in March 2023, which aims to “protect our national security, public safety, and economic prosperity.” And in the European Union (EU), the NIS2 Cybersecurity Directive went into effect in January 2023 in an effort to strengthen the cybersecurity of its member states.
Both recognize the importance of improving cybersecurity resilience by requiring baseline cybersecurity risk management measures.
Understanding the NIS2 Cybersecurity Directive
The NIS2 (Network and Information Systems) Cybersecurity Directive is a cybersecurity regulation that aims to ensure the security and resilience of network and information systems across the EU, particularly those that are critical to society and the economy. The new directive expands the scope of the original legislation and introduces several key changes to strengthen the cybersecurity of critical infrastructure and other essential services. Most notably, many organizations in the EU are now classified as “essential entities,” which are subject to the directive’s requirements.
One of the most significant changes is the extension of the directive to cover more sectors. The NIS2 Cybersecurity Directive now applies to a wider range of industries, including:
- Energy: This includes electricity, gas, and oil companies that provide critical infrastructure services to the public.
- Transportation: The directive covers airports, ports, railways, and road transport services.
- Water: The directive encompasses water supply and distribution networks.
- Healthcare: This covers hospitals, clinics, and other healthcare facilities.
- Banking and finance: The directive includes banks, insurance companies, and other financial institutions.
- Digital infrastructure: This encompasses cloud service providers, search engines, and online marketplaces.
Under the directive, organizations in these sectors will be required to take steps to prevent and respond to cyber attacks. This includes implementing procedures for quickly responding to security incidents, as well as adopting cybersecurity asset management practices.
Establishing an accurate asset inventory
One of the key requirements of the NIS2 Directive is that organizations must identify and inventory all network and information systems that are critical to their operations. This includes hardware, software, data, and any other digital assets that are necessary for the functioning of the organization.
Asset management practices must include an assessment of the risks associated with those assets, including the potential impact of cyber threats, the security controls in place, and known vulnerabilities.
Organizations must also establish policies and procedures for the secure management and disposal of assets, including the secure deletion of data and the destruction of hardware.
Improving incident response
Another important aspect of the NIS2 Directive is incident reporting. Organizations are required to report any significant cybersecurity incidents to the relevant authorities. These reports must be made within a specified time frame and include details of the incident, the assets affected, and the potential impact on the organization and its stakeholders.
The NIS2 Directive also requires organizations to implement appropriate cybersecurity measures to protect their networks and information systems from cyber threats. This includes measures such as access controls, encryption, and regular security updates and patches.
Complying with the NIS2 Cybersecurity Directive
By complying with the NIS2 Directive, organizations can help to ensure the security and resilience of critical infrastructure across the EU. Effective cybersecurity asset management plays a critical role in doing so.
With Axonius, organizations can build a credible, comprehensive inventory of all their digital infrastructure. Acting as a system of record, Axonius empowers IT and security teams to identify security gaps and key risk areas. So when breaches do occur, Axonius can help correlate alerts, identify the relationship between devices and users, and help security teams understand both the current and historical state of an IT asset.
The cybersecurity threat landscape will only get more complex with time. At the same time, the regulatory landscape will continue to introduce new laws similar to the NIS2 Cybersecurity Directive that will require greater visibility into an organization’s digital infrastructure. Without a cybersecurity asset management solution in place, compliance will become more challenging.