Is Your Business Affected By Europe's NIS2 Directive? Understanding NIS2 Cyber Resilience Compliance Requirements

The NIS2 Directive is a legislative act that aims to improve the EU's ability to confront new cyber threats, widen the pool of protected industries, and establish a unified system for reporting cybersecurity incidents and managing crises.    

Each EU member state is required to empower its national cybersecurity authority to transfer and apply all aspects of the Directive within national law by October 17, 2024. 

Failure to comply could result in severe administrative sanctions and corrective measures.   

If you do business in the Eurozone, you must understand whether the Directive impacts your business. If you are affected, you will have no more than one year, a relatively brief period, to ensure compliance and avoid potential sanctions.     

At this point, you need to ask yourself two crucial questions:       

• What are the potential costs of ensuring compliance?      

• Do we have the internal resources to deploy the measures necessary to comply? 

The NIS2 Quick Quiz: Is Your Business Directly Affected?

Four characteristics define whether your business is required to comply with NIS2. Take this simple test to find out.

Mark down a star, square, or triangle for each characteristic shown (sector, criticality level, organization size, industry) that fits your business.

Now, add up the number of each symbol you’ve listed. Do you have more triangles, squares, or stars?

More Triangles = Not Currently Affected

Are triangles your top answer? If so, breathe easy. The NIS2 Directive doesn’t impact you—yet. Regardless, you may want to immediately leverage the directive’s cybersecurity standards and best practices to guide your data protection efforts and minimize risks.

More Squares = Compliance May Be Required

More squares mean your organization’s size and industry might make it subject to the EU legal obligations mandated by the NIS2 Directive. See the chart below to learn more about the criteria for determining whether you are subject to compliance.

More Stars = Required Compliance

If you see stars at the top of your list, your organization is considered an important entity (IE) or essential entity (EE). That means you must comply with the standards mandated by NIS2.

This quiz is only informational and shouldn’t be considered a legal framework. Learn more by reading the final articles of the NIS2 Directive here. 

Ten Areas of Risk Management Compliance

NIS2 establishes ten compliance areas with basic measures that every affected organization must take, including:

1. Policies on Risk Analysis and Information System Security

Implementing policies, including conducting regular and systematic risk assessments to identify, evaluate, and prioritize network and information system risks and deploying appropriate and proportionate security measures to mitigate identified risks. 

2. Incident Handling

Establishing policies for detecting, reporting, and mitigating security incidents and notifying relevant authorities about the type of incident, its potential impact, and measures planned or taken to mitigate the risk. 

3. Business Continuity

Deploying robust business continuity measures that ensure resilience against cybersecurity incidents, such as data backup systems, backup management, and disaster recovery, and developing crisis management plans. 

4. Supply Chain Security 

Enhancing supply chain security by conducting thorough risk assessments to identify potential vulnerabilities and threats associated with third-party suppliers and service providers, establishing appropriate security measures and policies for managing supply chain risks, and continuously monitoring and regularly auditing the supply chain to identify any changes or incidents that could impact security.

5. Network and Information System Security

Incorporating security measures and best practices throughout the network and information system lifecycle, from acquisition to development and maintenance, and ensuring continuous maintenance, including regular updates, patch management, and monitoring.

6. Cybersecurity Risk Management Assessments

Assessing the effectiveness of cybersecurity risk management measures regularly, including conducting frequent tests and evaluations and continuously monitoring implemented security measures.

7. Cybersecurity Hygiene and Training

Implementing and maintaining basic security practices and providing all employees with regular, ongoing cybersecurity training sessions to increase their awareness of cybersecurity risks and data protection best practices.

8. Cryptography and Encryption Policies and Procedures

Securing sensitive data and communications using robust cryptography algorithms and protocols to ensure data confidentiality, integrity, and authenticity, as well as decryption key management best practices to limit access to authorized users.

9. Human Resources Security, Access Controls, and Asset Management

Establishing policies and procedures that ensure employees, contractors, and third-party users are aware of their responsibilities in maintaining cybersecurity, enforcing strict access control policies to limit unauthorized access to data and systems based on the principle of least privilege, and maintaining an accurate inventory of all IT assets, including hardware, software, and data.

10. Multi-factor Authentication or Continuous Authentication Access Controls

Deploying multi-factor authentication (MFA) for accessing critical systems and sensitive information as part of a broader set of access control policies, such as RBAC or a continuous authentication solution. 

Backup Cyber Hygiene: The Four Golden Rules of Data Resilience

NIS2 highlights that good cyber hygiene is crucial to business continuity. Ensuring your business is resilient demands that you make your business continuity plan—including data backup and recovery strategies—a top priority. 

With that in mind, here are four golden rules for ensuring your business is resilient. 

1. Create and Integrate a Robust Backup Strategy

• Establish a data hierarchy that identifies critical data and systems that must be backed up more frequently 
• Develop your data and IT system restoration strategy and procedures and test them regularly
• Be sure to include backup for your SaaS environments (see this post regarding the shared responsibility model)
• Back up both production and pre-production environments
• Document your backup strategy and ensure it’s integrated throughout your organization

2. Follow the 3-2-1-1 Backup Strategy

Arcserve is a strong proponent of the 3-2-1-1 backup strategy. It’s simple but effective:
• Keep three copies of your data (one original and at least two copies)
• Store your backups on two different types of media (network-attached storage, tape, or a local drive, for example)
• Keep one copy offsite in the cloud or secure storage
• Ensure one copy of your data is kept in immutable storage

3. Automate and Test Your Backups

• Regularly update and test your business continuity and disaster recovery plans
• Automate backups to ensure recent data is always available for recovery 
• Test your backups regularly to ensure they are complete and will work as intended when disaster strikes

4. Keep Your Backups Secure

• Encrypt your data in transit and at rest
• To control and manage access, create easily identifiable, dedicated accounts for each backup instance and backup administrator
• Implement continuous monitoring and intrusion detection systems (IDS) to identify suspicious activity
• Employ air-gapping to limit the spread of ransomware and optimize your data resilience 
• Keep one copy in immutable data storage, as dictated by the 3-2-1-1 strategy

Choose Tools that Simplify NIS2 Compliance 

Meeting NIS2 requirements pragmatically and cost-effectively demands efficient solutions. The Arcserve unified data resilience platform fits the bill perfectly regarding data backup and disaster recovery.

Arcserve Unified Data Protection (UDP) is one example. 

This powerful software solution protects against data loss and reduces downtime from days to minutes across cloud, local, virtual, hyperconverged, and SaaS-based workloads. It also validates your RTOs, RPOs, and service-level agreements (SLAs) with automated testing and granular reporting. 

Learn how to simplify NIS2 backup and disaster recovery compliance by requesting an Arcserve UDP demo.

Find an Arcserve technology partner to help you choose the optimal solutions to ensure your organization's NIS2 compliance.