European Network and Information Security (NIS2) Compliance with Nozomi
While the original Directive came into effect in May 2018, EU Member States are directed to adopt the provisions of the updated Directive by October 2024 and to produce associated details of how they plan to comply. The updates to the Directive expand its scope to include new critical sectors and add considerations for determining “essential” vs. “important” entities.
NIS2 incorporates a two-phased incident reporting structure. Regardless of whether an entity is under proactive or reactive supervision, the legislation mandates that any significant incident be reported within 24 hours of onset, with further details added within 72 hours. More detailed reporting is required as a follow-on measure one month after the onset of a significant incident. This structure is an attempt to swiftly capture immediate details to prevent widespread impacts from similar attacks, and to provide in-depth analysis after the fact for security researchers and future resilience planning.
activity, and whether the incident might have transnational impacts.
NIS2 calls out the broad spectrum of resources available to entities to carry out cybersecurity considerations and requirements, noting “the supervisory and enforcement regimes for those two categories of entities should be differentiated to ensure a fair balance between risk-based requirements and obligations on the one hand, and the administrative burden stemming from the supervision of compliance on the other.” Compliance is mandatory, and failure to comply could still result in significant fines. Fines for non-compliance could equal €10 million or 2% of global turnover for Essential Entities, and €7 million or 1.4% of global turnover for Important Entities.
2. NIS Directive Scope
The Essential Entities category replaces the previous category of operators of essential services and generally encompasses organizations with ~250 or more employees, annual turnover of €50 million or a balance sheet of €43 million. Important Entities are significant sectors whose disruption would not necessarily cause serious societal or economic consequences, with ~50 employees, annual turnover of €10 million or a balance sheet of €10 million. The legislation hopes to ramp up cyber defences without attempting to ‘boil the ocean.’
Important Entities:
• Postal and courier services
• Waste management
• Manufacture, production, and distribution of chemicals
• Food production, processing, and distribution
• Manufacture of medical devices, electronic products, and transport
• Digital providers
• Research
Essential Entities:
• Energy
• Transport
• Banking
• Financial market infrastructures
• Health
• Drinking water
• Wastewater
• Digital infrastructure
• ICT-service management
• Public administration entities (excluding the judiciary, parliament, and central banks)
Given that NIS is a principle-based approach, how does an organisation demonstrate ‘compliance’ with the NIS Directive?
Article 7 mandates each Member State in the EU to adopt a national security strategy with the following strategic objectives in mind and in scope:
• Objectives and priorities of the Member State’s cybersecurity strategy
• A governance framework to achieve stated objectives and priorities
• A governance framework clarifying roles and responsibilities for Member State stakeholders, established points of contact, and computer security incident response teams (CSIRTs)
• A mechanism to identify relevant assets and Member State risk assessments
• An identification of the measures ensuring preparedness, response, and recovery planning to include public-private cooperation
• A list of the authorities and stakeholders involved in the implementation of the national cybersecurity strategy established by and for the Member State
Article 7 stipulates additional policies each Member State shall incorporate into their strategies, including ICT supply chain considerations, guidance for small and medium-sized enterprises, vulnerability management, internet security, requirements for adopting certain technologies and information sharing tools, training and education, and plans to enhance the general level of cybersecurity awareness for citizens in the general population.
Member States are required to adopt a national strategy and carry out regular risk assessments to identify entities that are considered essential or important to society and the economy. One tool to aid Member States is the Cyber Assessment Framework. The Cyber Assessment Framework offers a systematic method for assessing the extent to which entities are achieving the outcomes specified by the NIS principles. It can be used by oversight bodies when assessing entities, or by entities and their stakeholders as a self-assessment tool.
3. NIS Directive Compliance
Risk management in Article 21 is three-pronged, tackling technical, operational, and organizational approaches to the security of the network and information systems that entities rely on for the provision of goods and services. The legislation directs entities to assess the proportionality of risk management activities, considering their degree of exposure to risks, size, likelihood of incidents and their severity, and the societal and economic impacts stemming from potential incidents.
As a baseline, NIS2 recommends including the following measures in each risk management program at the entity/organisation level:
• Policies on risk analysis and information system security
• Incident handling
• Business continuity, such as backup management and disaster recovery, and crisis management
• Supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers
• Security in network and information systems acquisition, development, and maintenance, including vulnerability handling and disclosure
• Policies and procedures to assess the effectiveness of cybersecurity risk-management measures
• Basic cyber hygiene practices and cybersecurity training
• Policies and procedures regarding the use of cryptography and, where appropriate, encryption
• Human resources security, access control policies, and asset management
• The use of multi-factor authentication or continuous authentication solutions
3.1. Comparable U.S. Cybersecurity Standards
• North American Electric Reliability Corporation's (NERC) Critical Infrastructure Protection (CIP) cybersecurity reliability standards, approved by the Federal Energy Regulatory Commission (FERC)
• CISA's Cross-Sector Cybersecurity Performance Goals (common baseline controls and sector-specific controls and goals)
• Department of Energy (DOE) Cybersecurity Capability Maturity Model (C2M2)
• NIST Framework for Improving Critical Infrastructure Cybersecurity
• MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK®)
NIS2 is only one part of a broader 5-point plan the EU is enacting to address cybersecurity. The European Commission will continue to expand on technical and methodological requirements related to the NIS2 Directive. The Nozomi Networks platform allows Essential and Important Entities throughout EU Member States to anticipate, diagnose, and respond to cybersecurity incidents and process anomalies across critical operational technology and IoT networks.
Nozomi Networks accelerates digital transformation by protecting the world’s critical infrastructure, industrial and government organizations from cyber threats. Our solution delivers exceptional network and asset visibility, threat detection, and insights for OT and IoT environments. Our platform delivers information that enables an intelligent and targeted approach to cybersecurity within ICS environments. Customers rely on us to minimize risk and complexity while maximizing operational resilience. Nozomi Networks provides real-time network intelligence, monitoring and AI-powered threat detection. This enables a proactive approach to risk management and its ultimate reduction. It also provides real-time alerts to threats and anomalies within an industrial control network. Our solution includes a flexible and intuitive interface for reporting and operational oversight, equipping entities to develop a level of cybersecurity maturity that aligns with and demonstrates compliance with the NIS2 Directive.
4. How the Nozomi Networks Solution Supports the NIS Directive
While all entities are subject to these seven broad security requirements, NIS2 requires Essential Entities to have proactive supervision and oversight on requirements, while Important Entities are subject to reactive supervision if/when a reported incident is significant and triggers supervision. The table below details how Nozomi Networks’ solutions support each security objective for OT/ICS networks.
4.1. Risk Management and Reporting Obligations