NIS2 Archive - SITS

NIS2 focuses on processes that do not work without technology

From a formal point of view, the NIS2 Directive primarily addresses processes that are closely linked to the network and information systems used (referred to as ‘cybersecurity practice’). These systems, their users and other persons affected by cyber threats must be protected by adequate measures (referred to as ‘cybersecurity hygiene’). In turn, such protection must be based on the current state of the art and, in particular, on relevant standards (such as ISO/IEC 27001) and a general approach across all risks.

NIS2 aims to fulfil four security objectives:

Availability, authenticity, integrity and confidentiality of data or services of the network and information systems used. Therefore, measures are required that are capable of identifying relevant attack vectors, preventing data leakage as far as possible and reliably detecting security gaps in established procedures. Penetration tests are the appropriate instrument for this.

Vulnerability management based on penetration tests

ISO/IEC 27001:2022 now requires that the information security objectives to be achieved are monitored (clause 6.2 d) in conjunction with clause 9.1) and that ISMS-relevant processes are carried out in accordance with defined criteria (clause 8.1).

This includes:

– surveying and analyzing the existing threat situation (A.5.7),
– carrying out regular independent audits (A.5.35),
– operating procedures for technical vulnerability management (A.8.8),
– preventing data leaks on systems, networks and other relevant devices (A.8.12),
– detecting unusual behavior in networks, systems and applications and responding appropriately (A.8.16).

The majority of the controls listed here are new or have been included in the new version of the international standard in a significantly modified form and are essentially aimed at carrying out penetration tests.

In line with NIS2 Directive recital 49, penetration tests are used to identify missing updates and inadequately assigned passwords. According to recital 58 of the NIS2 Directive, the quick detection and elimination of exploitable vulnerabilities in network and information systems is a key factor in risk management.

The periodic execution of penetration tests is therefore of key importance for NIS2-compliant and effective risk management.

In this context, penetration tests are only classified as regular if a penetration test is carried out by an independent organization at least once a year for systems that are in particular need of protection. Independent means that it is not carried out by the organization that manages and administers the system, but by another competent and experienced testing organization, often an external service provider.

According to the NIS2 directive, this is a provider of managed security services, which in turn is itself obliged to comply with NIS2 and has appropriate cyber security expertise.

What exactly are penetration tests?

In a penetration test, commissioned testers take on the role of attackers in order to show the client existing vulnerabilities that can be exploited by third parties. The testers operate in the same way as attackers would, but without exploiting an identified vulnerability in an actual and uncoordinated manner.

This requires a step-by-step approach: after gathering information to optimize the planned attack, the testers proceed in a targeted manner to reach a worthwhile objective and produce the intended effects, e.g. by accessing inadequately protected data, bypassing authentication mechanisms, changing relevant data records or disrupting IT services.

This therefore directly affects the four security objectives of the NIS2 directive. However, the testers assess the identified vulnerabilities according to a globally standardized scheme and provide specific recommendations on how they can be effectively closed and thus no longer be available to real attackers.

When commissioning a penetration test, the client can choose how much the simulated attacker may know in advance about the target (e.g. in order to model insider attackers), how ‘aggressive’ and target-oriented the tester should be (e.g. in order to simulate attackers who operate stealthily or who are geared towards carrying out sabotage quickly) and which techniques or technical methods should be available to the simulated attacker.

A distinction is also made in the penetration test as to whether infrastructural components or specific programs (applications, web services, mobile apps, etc.) are to be analyzed and whether specific attack techniques are to be simulated (e.g. threat-oriented penetration tests in accordance with the DORA guideline, so-called red teaming).

Further information on pen testing can be found on our website.

NIS2 Compliance through Implementation of ISO/IEC 27001:2022

NIS2 sets out numerous requirements for managing cyber risks. This is intended to protect network and information systems, their users and other persons within the EU from circumstances, events or actions that compromise the availability, authenticity, integrity and/or confidentiality of data or services. In order to achieve this, appropriate processes – called “cyber security practices” in the NIS2 context – and measures – called “cyber security hygiene” in the NIS2 context – must be effectively implemented.

Both the definition of the required processes and the implementation of suitable measures are best carried out as part of an information security management system (ISMS). The key standard for an ISMS, which applies throughout the EU in particular, is ISO/IEC 27001. Even when the NIS2 Directive was being drafted, a close reference to ISO/IEC 27001 was clearly evident from the requirement in Article 21 (1) in conjunction with Recital 79: Relevant international standards such as the ISO/IEC 27000 series must be included in the prevention of cyber risks!

New controls from Annex A of ISO/IEC 27001, which are described in more detail in the new version of ISO/IEC 27002, are even perfectly suited to implementing NIS2 requirements. When fulfilling NIS2 requirements, however, essential components from the part of ISO/IEC 27001:2022 to be fulfilled directly as part of certification are also required. It is worth taking a closer look here.

Alignment of Risk Management

Traditional information security primarily protects the security objectives of availability, integrity and confidentiality of data and services. In the NIS2 context, authenticity is added as an independent security objective.

In the usual risk analysis, only the impact on the direct operator of the network and information systems within the scope of their ISMS is considered. In the NIS2 context, this is extended to undesirable risks for society.

In contrast to its predecessor, the new version of ISO/IEC 27001 now requires that the achievement of security objectives be monitored and that criteria for ISMS processes be defined and the processes managed according to these criteria. This is where the two frameworks converge. One quality criterion to be implemented is the desired controllability of undesired impairments, which can also affect users and other persons. At the same time, this noticeably and significantly increases the resilience achieved against existing cyber threats. So both sides win.

NIS2-specific controls from ISO/IEC 27001:2022:

  • The existing threat landscape must be explicitly analyzed (A.5.7)
  • Data to be protected must be classified according to all four security objectives (A.5.13)
  • The complete life cycle of identities must be considered when defining access rights (A.5.16)
  • Established cyber security practices in the supply chain must be explicitly monitored (A.5.19 – A.5.22)
  • Lessons learned from incidents must be used to improve cyber security (A.5.27)
  • Network and information systems must be aligned to meet business continuity objectives and serve resilience (A.5.30)
  • Deployed personnel and interested parties must be trained on specific cyber security requirements (A.6.3)
  • Maintaining physical security requires constant monitoring (A.7.4)
  • Network and information systems must be configured securely (A.8.9)
  • Unusual system behavior must be monitored (A.8.16)
  • Only secure networks and network devices are to be integrated (A.8.20)

The controls listed above are in fact closely related to NIS2 requirements as part of the new version of ISO/IEC 27001 and therefore actively contribute to NIS2 conformity.

Several birds with one stone

By consistently implementing NIS2 requirements as part of an ISMS aligned with ISO/IEC 27001:2022, not only NIS2 compliance is achieved, but a forward-looking ISMS is also implemented or enhanced. This is therefore more readily certifiable and in turn serves as proof of effectively implemented NIS2 compliance of cyber security practices in the supply chain.

The experts at SITS will help you to make your ISMS NIS2-compliant or in accordance with the new version of ISO/IEC 27001, as well as to establish suitable, target-oriented and effective measures for cyber security hygiene and implement them in practice.

Risk management according to NIS2

NIS2 is intended to protect network and information systems, their users and other persons within the EU from cyber threats. This includes all circumstances, events or actions that affect the availability, authenticity, integrity and/or confidentiality of data and services. These are the security objectives pursued by the NIS2 Directive.

The more exposed a company is, the more likely it is to be targeted by attackers. Attackers are increasingly reaching their actual victims via the supply chain. For this good reason, in addition to the sector reference and the now significantly lower threshold values for the number of employees and annual turnover or annual balance sheet total, NIS2 now also focuses on the supply chain. NIS2 looks at the impact of a cyber threat and only allows minimal impairment of the four security objectives mentioned.

Indicators for Effective Risk Management

The following key questions should be answered to ensure effective risk management in accordance with NIS2:

  • Are all network and information systems used considered in the risk analysis?
  • Is an explicit reference made to all four security objectives?
  • Is the influence of the supply chain sufficiently reviewed?
  • Have robust risk acceptance criteria been defined that are understood by different people and lead to comparable results?
  • Is it ensured that, at the end of the risk management process, impairments of the four security objectives are limited to a reasonably justifiable level?
  • Does the risk analysis address context-related and actually relevant cyber threats instead of general threat lists?
  • Is risk management controlled by central specifications from a guideline or directive?
  • Are identified risks and their sources regularly reviewed?
  • Are the measures to address existing risks already operationally recorded and are they having the intended effect?
  • Can the effectiveness of the implemented measures be documented in a comprehensible manner?
  • Does such evidence explicitly include all processes involved?
  • Is the current state of the art consistently adhered to during implementation?

If you can answer all of these questions with a clear yes for your organization, you are one of the lucky few who are already well prepared for NIS2! However, if there are any doubts or uncertainties, you will most likely need specialist support. In this case, the SITS NIS2 assessment can help.

Heading into the new cyber age

As part of the NIS2 directive, security managers are faced with a lot of new vocabulary that they still need to get used to. Processes are now understood as “cyber security practice”. Measures, in turn, are used for “cyber security hygiene”.

In addition to risk management, NIS2-compliant processes also require emergency management, incident management, supply chain management and personnel management that are geared towards NIS2. Employees must also be explicitly made aware of cyber security. This includes managers as well as executive staff.

The measures, in turn, are primarily geared towards preventing data leakage. Measures are required for vulnerability and patch management, password management, system hardening, network segmentation, data backup and the prevention of threats to physical security as well as to the supply of electricity and internet connectivity. You need to be prepared for human and technical errors and be able to recognize and, if possible, fend off malicious attacks.

In short: in the context of cyber security, there is a lot of work to be done by those responsible for security at affected organizations, and it has to be done within a short implementation period. And if an organization fails to do so, or fails to do so completely or accurately enough, it could face significantly higher administrative sanctions than under the previous guidelines and, under certain circumstances, even the dismissal of members of its management board.

What’s more: National legislators within the EU may tighten these regulations even further as part of their national implementation.

NIS2: Are you affected?

On the one hand, NIS2 therefore covers institutions that are now directly addressed due to their sector affiliation. Checking whether this is the case is quite challenging. We have prepared an Online Check for you that provides the relevant information. On the other hand, NIS2 also covers facilities that operate as part of the supply chain. And again, regardless of their size. Optimistic estimates assume at least a factor of 10 for newly obligated organizations and companies. The reality is likely to be significantly higher.