NIS2 Compliance in the European Union: The Role of Security Testing and Vulnerability Management

When it comes to cybersecurity legislation, the European Union (EU) is way ahead of many other countries. For example, the Network and Information Security 2 (NIS2) Directive is well on its way to becoming the globally accepted “gold standard” for cybersecurity laws. This directive, which all EU member states are required to transpose into national law by October 17th, 2024, is aimed at strengthening cybersecurity measures across the region.

So what exactly is the NIS2 directive?

What are its implications for critical infrastructure organizations in the EU?

And how can security testing and vulnerability management help these organizations to achieve NIS2 compliance?

Read on to learn the answers.

What is the NIS2 Directive?

The NIS2 is a comprehensive cybersecurity legislative framework that applies to operators of critical infrastructure and essential services in the EU. Its aim is to make EU organizations secure their network and information systems, so that the bloc can address its evolving cybersecurity landscape and protect the most vital areas of EU society.

Introduced in 2020, the NIS2 expands upon the original NIS Directive adopted by the EU bloc in 2016 with more stringent requirements around:

  • the implementation of cybersecurity measures and
  • the reporting of cybersecurity incidents

The directive also includes stricter enforcement mechanisms and significant penalties for non-compliance (more on this later). Furthermore, it harmonizes the EU’s various cybersecurity standards and encourages information-sharing among member states, national authorities, and critical infrastructure operators. It thus aims to eliminate implementation inconsistencies (that were common with the NIS) and ensure more consistent EU-wide security.

Who Does the NIS2 Apply To?

The NIS2 applies to EU companies operating in 15 critical sectors. Its predecessor, the NIS, applied to only 7 sectors such as energy, water supply, health, and transport. By including coverage for a wider range of sectors and services, the NIS2 aims to protect many more vital areas of EU society.

The organizations that fall under the NIS2’s purview are designated as “essential entities” (EE) or “important entities” (IE).

  • EEs operate in sectors like energy, transport, finance, water supply, digital infrastructure (e.g., cloud computing), health, and public administration. They also have 250+ employees as well as an annual turnover of €50 million (or a balance sheet of €43 million).
  • IEs have 50+ employees, an annual turnover of €10 million, or a balance sheet of €10 million. They operate in important sectors like food, postal services, research, manufacturing, and waste management.

The NIS2 may also apply to organizations that don’t meet these size criteria: an operator may be designated as an EE or IE regardless of size if it is the only provider of a critical service in an EU member state.

What are the Key NIS2 Requirements?

The NIS2’s requirements cover three key areas:

  • Risk management: Critical infrastructure organizations must implement measures, such as encryption, access control, network security, and supply chain security controls, to mitigate cyber risks.
  • Corporate accountability: Company management must oversee all cybersecurity measures and take responsibility for addressing cyber risks, failing which they may face legal liabilities or be temporarily banned from holding management positions.
  • Business continuity: Organizations must implement a plan to ensure business continuity following a major cyber incident.

In addition to implementing these measures, EEs and IEs must report any cybersecurity incidents to the relevant EU authorities within 24 hours of becoming aware of the incident. They must also provide a security assessment to authorities within 72 hours. Furthermore, they must implement any additional requirements specified by their member states to strengthen their security defenses and posture.

What Are the Penalties for NIS2 Non-compliance?

As with other EU-wide laws such as the GDPR, NIS2 non-compliance can attract hefty penalties for organizations. For EEs, the monetary penalty (administrative fine) can be up to €10 million or 2% of global annual revenue, while for IEs, it can be up to €7 million or 1.4% of global annual revenue. For both EEs and IEs, whichever of the two amounts is higher applies, so if the percentage of global annual revenue exceeds the lump sum, the percentage is the fine.

In addition, supervisory authorities can impose non-monetary penalties on non-compliant organizations. For example, they can issue compliance orders or order the organization to undergo security audits.

Security Testing and Vulnerability Management for NIS2 Compliance

Some of the measures that can help essential and important entities to adhere to the NIS2’s requirements include:

  • Risk assessments
  • Multi-factor authentication (MFA)
  • Cryptography and encryption
  • Data access policies
  • Updated backups
  • Incident response and recovery plans
  • Cybersecurity training

Covered entities can also achieve NIS2 compliance – and better manage cybersecurity risk – with:

  • Vulnerability management
  • Security testing

Vulnerability scanning, assessment, and mitigation are vital for effective cyber threat management and stronger cybersecurity in EEs and IEs. A robust vulnerability management process, combined with continuous security testing using proven methods such as penetration testing, helps organizations identify and fix security weaknesses in their systems, networks, and applications before malicious actors can exploit them. Over time, continuous testing lets them identify and mitigate emerging vulnerabilities and threats, improving their security posture and their ability to stay ahead of adversaries.

Security testing and vulnerability management also improve an organization’s threat preparedness and accelerate its incident response. Organizations can test their security mechanisms and determine where improvements are needed to respond swiftly to real incidents. They can also simulate attack scenarios, ensuring that they are better prepared to handle real-world threats.

Security testing via continuous pentesting also provides the evidence organizations need to prove that they have implemented the security measures required by the NIS2. They can thus demonstrate NIS2 compliance during audits and avoid non-compliance penalties.

Security Testing for NIS2 Compliance with BreachLock

Security testing is integral to achieving and maintaining NIS2 compliance since it empowers enterprises of all sizes to improve and strengthen their security measures. BreachLock enables organizations to continuously discover, prioritize, and mitigate their exposures across their attack surface.

BreachLock seamlessly combines versatile and flexible security solutions for continuous testing of your defenses so you can prevent attacks. Continuous, Comprehensive, and Certified solutions include Penetration Testing, Attack Surface Management, and Red Teaming to accelerate vulnerability discovery, prioritization, and remediation across your entire security ecosystem.

To learn how BreachLock can help you meet the NIS2’s security requirements, schedule a free discovery call with our team.

About BreachLock

BreachLock is a global leader in Continuous Attack Surface Discovery and Penetration Testing. Continuously discover, prioritize, and mitigate exposures with evidence-backed Attack Surface Management, Penetration Testing, and Red Teaming.

Elevate your defense strategy with an attacker’s view that goes beyond common vulnerabilities and exposures. Each risk we uncover is backed by validated evidence. We test your entire attack surface and help you mitigate your next cyber breach before it occurs.

Know your risk. Contact BreachLock today!
