As digital transformation expands the threat landscape, compliance mandates adapt to meet new challenges. In 2020, the European Commission announced its decision to accelerate its revision of the Directive on Security of Network and Information Systems (NIS2). When carrying out its impact assessment, the Commission realized that it needed to update the NIS Directive in response to new risks. Recognizing the cascading effects that a service interruption can create, the Commission highlighted the important role that incident response plays in creating cyber resilient systems.
As covered entities seek to implement the appropriate controls, they should consider how centralized log management enables NIS2 Directive compliance.
What is the NIS2 Directive?
NIS2 builds on and repeals Directive (EU) 2016/1148 on security of network and information systems (NIS Directive). As the first EU-wide cybersecurity legislation, the NIS Directive established legal pathways for measuring overall cybersecurity that include:
- Requiring Member States to set national cybersecurity strategies and appoint cybersecurity authorities
- Establishing cooperation through information exchange
- Improving cyber resilience across seven industry verticals and three digital services
While NIS2 replaces the NIS Directive, it primarily aims to
- Standardize cybersecurity risk management and reporting across Member States’ energy, transportation, health, and digital infrastructure industries
- Introduce a size-cap rule that brings all medium-sized and large entities within its scope
- Align language with sector-specific legislation, specifically the Digital Operational Resilience Act (DORA) and the Directive on the Resilience of Critical Entities (CER)
Who does NIS2 apply to?
NIS2 applies to public or private entities as defined in Annex I and Annex II, including those within the following sectors:
- Energy, including electricity, district heating and cooling, oil, gas, and hydrogen
- Transport, including air, rail, water, and road
- Financial market infrastructures
- Drinking water
- Waste water
- Digital infrastructure
- ICT service management (business-to-business)
- Public administration
- Postal and courier services
- Waste management
- Manufacture, production, and distribution of chemicals
- Production, processing, and distribution of food
- Manufacturing, including medical devices, computers, electronics, optical products, electrical equipment, machinery and equipment, motor vehicles, trailers, semi-trailers, and other transport equipment
- Critical entities as defined under Directive (EU) 2022/2557
- Entities providing domain name registration services
Although NIS2 generally establishes a definition of medium-sized and large entities, it requires compliance by companies of all sizes if service disruption could lead to:
- Member state inability to maintain critical societal or economic activities
- Impact on public safety, security, or health
- Significant system risk, especially one with a cross-border impact
- Impact arising from entity’s importance at a national or regional level
- Impact arising from entity’s role in public administration
What are NIS2’s key provisions?
Fundamentally, NIS2 establishes requirements for Member States, not public or private entities. However, from a practical standpoint, NIS2 tells Member States what their laws should have in them. Basically, companies that fall within NIS2’s purview will fall within the purview of any law that their country implements. Understanding the NIS2’s key provisions gives you a roadmap to planning for your country’s upcoming cybersecurity law.
Chapter II – Coordinated Cybersecurity Frameworks
NIS2’s primary objective is to standardize cybersecurity frameworks and laws across all Member States, creating an overarching set of minimum baselines for the entire European Union.
For covered entities, the discussion of coordinated cybersecurity frameworks provides insight into Member States’ implementing acts and how your country’s responsibilities will impact your security program.
While Member States can personalize their laws to their internal infrastructures, NIS2 establishes a set of unified base requirements, including:
- National cybersecurity strategy: national governance and policy framework that includes policies for
- Addressing ICT supply chain risks
- Establishing cybersecurity-related requirements for ICT product and services, including certifications, encryption, and open-source cybersecurity product use
- Vulnerability management and disclosures
- Open internet availability, integrity and confidentiality
- Promoting and developing cybersecurity skills and awareness education and training
- Implementing procedures and information-sharing tools for covered entities
- Strengthening cyber resilience and cyber hygiene baseline across small and medium-sized enterprises (SMEs), especially those outside the Directive’s purview
- Competent authorities and single points of contact: designated authorities to act as a single point of contact to implement laws and communicate with other Member States
- National cyber crisis management frameworks: establishment of competent authorities to manage large-scale cybersecurity incidents, including a national cybersecurity incident and crisis response plan
- Computer security incident response teams (CSIRTs): establish or designate one or more CSIRTs within a competent authority to establish common practices for incident handling, crisis management, and coordinated vulnerability disclosure and who exchanges information with important entities and relevant stakeholders, including third countries’ national CSIRTs
- Coordinated vulnerability disclosure and a European vulnerability database: Designate a coordinator to identify and contact entities, assist people reporting a vulnerability, and negotiate disclosure timelines and vulnerability management across multiple entities
The requirements that Member States implement a national cybersecurity strategy and coordinate with one another will create responsibilities for companies that fall under NIS2. Member States will be monitoring companies more closely. Additionally, Member States will rely on covered entities’ vulnerability disclosures and incident notification to support data sharing initiatives.
Chapter IV Cybersecurity Risk-Management Measures and Reporting Obligations
While Chapter II explains the responsibilities Member States have to one another, Chapter IV outlines the minimum baseline requirements that they need to include in their cybersecurity laws and frameworks. Beyond the two key articles that covered entities should understand, this section also notes that Member States may require essential and important entities to use particular ICT products, services, or processes certified under European cybersecurity certification schemes.
Article 21 Cybersecurity risk-management measures
This article sets out an all-hazards risk management approach that Member States shall apply to ensure that covered entities take appropriate and proportionate technical, operational, and organizational risk management measures.
At minimum, covered entities need policies and processes for:
- Risk analysis and information system security
- Incident handling
- Business continuity, like backup management, disaster recovery, and crisis management;
- Supply chain security, including between each entity and its direct suppliers or service providers;
- Network and information systems acquisition, development, and maintenance, including vulnerability handling and disclosure;
- Cybersecurity risk-management effectiveness assessment;
- Basic cyber hygiene practices and cybersecurity training;
- Cryptography use and, where appropriate, encryption;
- Human resources security, access control policies, and asset management;
- Multi-factor authentication use or continuous authentication solutions, secured voice, video, and text communications and secured emergency communication systems within the entity, where appropriate
Article 23 Reporting obligations
While several subparagraphs focus on how Member States will implement their CSIRT and centralize reporting capabilities, this section defines a “significant incident” and reporting requirements.
NIS2 states that an incident shall be considered significant it:
- has caused or is capable of causing severe operational disruption of the services or financial loss for the entity concerned;
- has affected or is capable of affecting other natural or legal persons by causing considerable material or non-material damage.
All Member States will require covered entities to provide notification to the CSIRT or other competent authority as follows:
- 24 hours or less from detection: early warning of a significant incident, including notification of any potential unlawful/malicious acts or cross-border impact
- 72 hours or less from detection: incident notification updating the early warning with initial assessment, including severity, impact, any any available indicators of compromise
- Upon CSIRT or authority request: intermediate report with relevant status updates
- 1 month or less from incident notification: final report with detailed incident description with any available information about severity and impact, the triggering threat or incident root cause, applied and ongoing mitigation errors, cross-border impact
Centralized Log Management for NIS2 Compliance
While NIS2 primarily outlines Member States’ responsibilities to the EU, it also establishes minimum cybersecurity baselines and incident notification requirements that Member States must adopt and publish in their implementing act by October 17, 2024. Based on the Commission’s timeline, Member States shall establish a list of covered entities by April 17, 2025.
For companies that will need to comply with their country’s implementing act, getting a head start on the compliance process will help ease burdens later on.
Centralized log management with security analytics aggregates, correlates, and analyzes all activity across your IT environment by providing visibility into:
- User access
- Network security
- Endpoint security
- Vulnerability and patch management
- Data exfiltration/data loss
With security analytics, you can meet the tight notification timelines that NIS2 creates with:
- Proactive threat hunting
- High-fidelity alerts for advanced detection capabilities
- Rapid vulnerability remediation
- Lightning fast incident investigation
Pairing the identity and access data that your centralized log management solution ingests from across your environment enables robust access monitoring. Even within a complex environment, you can detect and investigate anomalous behavior.
With security analytics, your centralized log management solution enables you to handle security functions like:
- Privileged access management (PAM)
- Password policy compliance
- Abnormal privilege escalation
- Time spent accessing a resource
- Brute force attack detection
By correlating and analyzing data from multiple network security monitoring tools, you can identify suspicious behaviors indicating a security incident.
With your firewalls tools, you manage inbound and outbound traffic that can help you detect suspicious activity, like data traveling to a cybercriminal-controlled server.
Combining this with your intrusion detection system (IDS)/intrusion prevention system (IPS) monitoring, you gain insights into potential evasion techniques that enable you to comply with early warning and incident notification requirements.
When security analytics into your monitoring, you can create normal network traffic baselines to help you rapidly detect anomalies that could indicate a security incident.
Increasingly sophisticated attacks seek to steal sensitive data while attackers attempt to evade detection using credential-based attacks, malware/ransomware attacks, and Advanced Persistent Threats (APTs).
With security analytics, you can build dashboards and high-fidelity alerts that incorporate threat intelligence for faster detection, investigation, and response times that help you meet strict notification and reporting requirements.
For example, by aggregating and correlating network monitoring, antivirus logs, and Anomaly Detection, you can create alerts for anomalous data downloads indicating a potential incident.
Incident response and automated threat hunting
Rapid search and threat hunting capabilities enables you to implement an incident investigation and response program so that you can provide the required notifications and final reports on time.
For example, creating queries using parameters instead of specific values means you can optimize search for real-time answers.
Further, when you create parameterized searches, you can proactively search for advanced threat activities like:
- Abnormal user access to sensitive information
- Abnormal time of day and location of access
- High volumes of files accessed
- Higher than normal CPU, memory, or disk utilization
- Higher than normal network traffic
Compliance and post-incident reporting
Under NIS2, Member States’ implementing acts will require companies to provide early warning notifications within 24 hours, updated incident notifications within 72 hours, and a final report within a month.
With the right dashboards in place, you can provide everyone across your organization the type of security incident evaluation they need, enabling you to work closely with your senior leadership to appropriately file notifications and reports.
For example, your dashboard could show:
- Start of incident: when logs documented changes
- Incident activities: what types of changes the logs documented to highlight what the threat actor tried to do
- Containment/Eradication: when logs stop reporting the activities indicating the threat actor is no longer acting in the system
Graylog Security: Faster investigation for faster reporting
With Graylog Security’s analytics and anomaly detection capabilities, you get prebuilt search templates, dashboards, correlated alerts, and dynamic look-up tables so that you can strengthen your security monitoring posture – quickly.
Using our powerful, lighting-fast features and intuitive user interface, you gain meaningful detections, so that your team can focus on high-value investigations.
For more information about how Graylog Security can help you comply with NIS2, contact us today.