Future-Proofing Your Cloud Strategy with NIS2

Future-Proofing Your Cloud Strategy with NIS2

As organizations increasingly move towards a cloud-based IT infrastructure it’s essential to keep security as a priority to ensure business continuity and to safeguard their data. One of the main regulations at the moment is NIS2. The Network and Information Systems Directive (NIS2) aims to improve cybersecurity for organizations across the European Union by imposing security controls and obligations. 

Different types of companies will have to comply to different standards but this compliance is only a means to an end to having better cybersecurity maturity across the EU. In this blog we’ll outline how to align their cloud strategy with future regulatory trends and offer long-term strategies for users of cloud services to remain compliant not only with NIS2 but also with future regulatory developments 

About NIS2

NIS2 came into force on 16 January 2023 and EU nations had until 17 October 2024 to transpose the NIS-2 directive into national legislation.

Compliance with NIS2 is mandatory for organizations selected by the government and noncompliance can be punished with fines up to 10 million EUR in extreme cases. 

The NIS2 directive focuses on 3 main topics:

Incident Reporting

Organizations must notify their countries cyber security center withing 24 hours of a significant incident that either has caused or is capable of causing severe operational disruption of the services or financial loss for the entity concerned or has affected or is capable of affecting other natural or legal persons by causing considerable material or nonmaterial damage. 

24H

72H

Update

(Upon Request)

1 Month

Final Report

Early Warning via written online notification or phone (if needed): indicate if incident presumably caused by unlawful or malicious action and/or if could have a cross-border impact

  • Information update
  • Initial assessment of the incident, its severity and impact, as well as where available, the indicators of compromise
  • Detailed description of the incident, its severity and impact
  • Type of threat or root cause that likely triggered the incident
  • Applied and ongoing mitigation measures

Cybersecurity training

Leadership of organizations must be trained on cybersecurity and risk management to make correct decisions for their cybersecurity roadmap and strategy to stay compliant with NIS2 and most importantly keep improving their security maturity. 

Management will be held accountable for non-compliance with NIS2. 

In addition to this management training, employee training is required to protect against the most common cyberattacks such as phishing.

Security controls

The technical part of NIS2 are the obligated security controls. In Belgium these are outlined in the CyberFundamentals framework which is based on four commonly used cybersecurity frameworks (NIST CSF, ISO 27001 / ISO 27002, CIS Controls and IEC 62443); and anonymized historical data of successful cyber-attacks. 

Future-proofing your cloud strategy

1. Use a risk-based approach

The main goal of cybersecurity is to mitigate risks. By regularly and continuously assessing risks of your IT environment you remain vigilant and adaptable to new advancements in technology. For each change assess the risks this brings and how these will be mitigated, do this in combination with continuous evaluation of the current environment to detect any risks that may have been missed before or new risks that didn’t exist before but were now created by new technology advancements such as AI. 

Adopting compliance tools such as Microsoft Purview Compliance Manager or the Toreon Security Office Portal can help automating this task of continuous evaluation of risks and help organizations stay compliant with regulations such as NIS2 or other regulations like GDPR, ISO27001, CIS, etc. 

2. Do Third-party risk management

By moving to the cloud some responsibilities of the IT environment are now shifted to the cloud provider of the infrastructure or software but this doesn’t mean that you as an organization aren’t liable for these anymore. 

It is up to the NIS2 compliant company to ensure their suppliers and service providers have the correct cybersecurity measures in place and are also compliant with their applicable regulations. NIS2 non-compliance responsibility can not be shifted to a third party company. 

To make sure you remain compliant while still reaping the benefits of using cloud partners use the following approach:

Reputable vendors

Work together with reputable vendors that are main players in the industry, they usually have the resources to follow compliance and have a reputation to uphold. This being said, never trust blindly and verify their security maturity and compliance before working together. 

SLAs

Review Service-Level Agreements closely to make sure these include provisions for compliance with NIS2 and other regulations.

Communicate

Maintain a strong relationship with your biggest partners and communicate about their cybersecurity and compliance maturity, strategy and roadmap.

Develop exit strategies

Try to prevent vendor lock-in, make sure exit strategies are in place from the moment you start working with a certain vendor to be able to transition from one cloud provider to another in case they shift their cybersecurity strategy or fall behind on compliance.

Work together with strong partners

The Toreon GRC team is eager to help your organization become NIS2 compliant. They can help evaluate gaps, provide expert advice and guide you towards compliance in an efficient manner. Feel free to reach out or read one of their blogs on NIS2 here.

3. Utilize cloud-native security tools

Moving to the cloud brings a lot of advantages and offers tooling you may not have had access to when running an IT environment on-premise in the past. 

As mentioned before, a tool such as Microsoft Purview Compliance Manager or equivalent from other vendors will be the best partner to keep up with your compliance and security posture. 

If everything is centralized in a cloud platform it’s easy for the compliance manager to manage and audit all aspects of the environment and propose potential mitigations automatically. This includes tools such as Intune for device management, Conditional access for authentication and Microsoft Defender plus Sentinel for security monitoring and incident handling. 

By utilizing the power of these modern tools creating a compliant, modern and secure environment becomes a lot easier and faster. 

 

At Toreon we have multiple experts specialized in cloud security who can help you implement, optimize, use and maintain these tools to get the greatest benefit from them and increase your companies security resilience. On top of this we have developed our own compliance tooling as well to check your environment on it’s CyFun and NIS2 compliance.

4. Practice good data governance

Regulations and frameworks like NIS2 and GDPR have significant emphasis on data security and privacy for good reason. Data is often the most valuable asset of an organization and protecting the privacy of employees/users should always be on top of the list when deciding on a security strategy. 

NIS2 and GDPR already have some data protection policies in place but it’s safe to assume these will only get stricter as time goes on and these regulations get updated or replaced by newer versions. 

For this reason it’s a great idea to already go further in certain aspects of security than strictly necessary. For practicing good data governance we recommend adopting a zero trust/least privilege principle to determine your strategy. 

Make sure data is inventoried, labelled, stored in the correct place, has the correct data policies in place and where necessary the correct retention policies applied. It’s impossible to properly protect company data when no one even knows where or what it is. 

By implementing a data protection strategy you safeguard yourself against attackers, get in compliance with NIS2 and GDPR and will be prepared for future stricter requirements that are inevitably coming in the following years. 

At Toreon we harness the power of Purview to discover and protect your sensitive data using data labelling and data protection. As data security experts, we can help you in this journey. With many data protection projects behind us and our expertise in everything Purview we are the right partner to guide you through your data security journey which will strengthen your security for NIS2 compliance and beyond for the future. 

5. Create a security culture and provide continuous training

Security is more than IT controls alone, most cyberattacks happen through phishing or other forms of social engineering. Implementing strong security in your organization goes further than just the IT department. Everyone needs to be aware about the security strategy and be properly trained to keep the company safe and help achieve the companies’ security goals. 

This is especially the case for board members and executives as these profiles will be held accountable for non-compliance with NIS2. 

Continuous Training

To keep your organization compliant, secure and future-proof it beyond NIS2, provide cybersecurity training for every new employee joining an organization, but don’t stop there! As cybersecurity is ever-evolving, it’s important everyone is up to date on the newest security risks and knows how to react to them. Provide consistent training on a regular basis for all employees. 

Continuous simulations

Using simulated phishing mail tools will help you build up your ‘human firewall‘ by training employees to spot malicious mails better and keeping them alert when opening emails. Actively monitor the campaign and implement new phishing tactics that are being used ‘in the wild’ for the best results. It is recommended to do this continuously instead of one time a year for example so employees never know when a simulation is going on and they remain alert throughout the year.

Data Protection Institute

DPI is a Toreon sister company which provides all kinds of Cybersecurity trainings to people all over the world. To keep your leadership up to date in the ever evolving cyber security landscape the course on cyber security basics for boards and management is perfect and can be found here.

By getting your leadership on board you will create a path towards a security minded company. Have a look around for any other trainings that might fill any knowledge gaps you currently may have for your technical or non-technical people on the DPI website.

Aim higher

The goal of NIS2 is to make organizations more secure, not just compliant on paper. So when implementing NIS2 aim to go higher, implement more security than just what’s strictly needed and take the opportunity to build a security culture that improves security maturity for years to come. 

With new technologies like GenAI and machine learning, new regulations are sure to arrive in the coming years. It’s better to be ahead of the curve than having to continually chase the minimum compliance controls.

Closing notes

NIS2 is a great step forward in cybersecurity for organizations in the EU and a guiding star towards better security maturity. By not only following the NIS2 minimum requirements but by using the requirements as a guide and aiming higher you will be better prepared for future regulations to come and be more secure in the process. 

By using a risk based approach, practicing correct third-party management, utilizing cloudnative security tools optimally, implementing good data governance and last but definitely not least; training everyone in an organization to be security minded you will be on your way to a resilient and secure way of working that will comply with NIS2 now, and future regulations later. 

If you require any help guiding you towards a good security strategy, or implementing any of the security topics mentioned, feel free to contact us.

Start typing and press Enter to search

Shopping Cart