As the deadline of the NIS2 Directive approaches, Zachary Amos, Editor of ReHack Magazine shares the vital information to know
With the rapid growth of IoT technology, cybersecurity is more critical than ever. The risks associated with these devices have grown in numbers and frequency. However, with the NIS2 Directive, Europe can address these evolving threats by enforcing stronger cybersecurity standards.
What is the NIS2 Directive?
The NIS2 Directive is an updated version of the original Network and Information Systems (NIS) Directive, enacted on 10 May 2018 in the UK. The original directive aimed to boost cybersecurity across critical sectors like energy, transport and health care. The EU set this regulation to force organisations to adopt stronger security measures.
The NIS2 Directive further strengthens and expands these security requirements as cyberthreats grow. It aims to enhance the overall resilience of key infrastructure within the EU, ensuring companies and governments can better handle cybersecurity risks.
The major difference between NIS1 and NIS2 is the expansion of the directive. NIS2 now applies to a wider range of sectors, including:
- Digital infrastructure, such as cloud computing and data centres
- Public administrations, which cover government and public services
- Manufacturing, particularly industries that provide critical products like medical devices
Additionally, the NIS2 Directive introduces stricter requirements for risk management, incident reporting and accountability. This means organisations the directive covers must implement more comprehensive security measures and quicker responses to incidents.
While the UK has left the EU, businesses operating there must pay attention to the NIS2 Directive if they trade with firms in the European Union. Many UK companies must still comply with this regulation to ensure smooth cross-border operations.
What does the Directive imply?
The NIS2 Directive significantly changes how businesses in the UK and across the EU must approach cybersecurity.
Stronger cybersecurity efforts
First, accountability and risk management are increasingly important. Under NIS2, organisations must take more steps to protect their systems, regularly assess vulnerabilities and implement high-end security measures. This change means businesses can no longer treat cybersecurity as a purely reactive exercise — they must ingrain it into the foundation of their operations.
The NIS2 Directive is costly
For many companies that rely heavily on digital tools and operate critical infrastructure, the directive comes with significant costs. Building and maintaining the systems needed to meet NIS2’s requirements can be a major financial undertaking. For example, organisations using artificial intelligence (AI) to enhance their cybersecurity defences must account for the total cost of ownership.
According to research, companies interested in owning AI models face upfront costs ranging from $5 million to $200 million. They must also pay annual maintenance costs of up to $5 million. Creating an AI model is a significant investment, but ensuring it remains secure is an even greater one.
Stricter penalties for noncompliance
NIS2 also enforces more stringent penalties for companies that are noncompliant. An organisation the EU finds noncompliant can receive a penalty of 10 million euros or 2% of its global annual turnover — whichever amount is greater. These fines can be devastating in an increasingly competitive market, so businesses must take a forward-thinking approach to align themselves fully with the directive’s standards.
How the NIS2 Directive impacts IoT security
IoT has transformed industries, providing smart devices that streamline processes, improve efficiency and gather valuable data. However, the increasing use of IoT devices also presents security challenges.
About 18 billion connected devices are now in use, and each increases the potential vulnerability for cybercriminals to exploit. The NIS2 Directive recognises this risk and emphasises securing IoT networks as part of its broader push for improved cybersecurity.
Under NIS2, businesses that rely on IoT devices must take greater responsibility for managing their security. This includes manufacturers of IoT devices, service providers and companies that deploy IoT solutions in their operations. IoT security is critical, as a single compromised device can be a gateway for wider cyberattacks.
Companies should take the following steps to comply with the NIS2 Directive and protect IoT devices:
1. Maintain an accurate IT asset inventory incorporating IoT devices
One of the foundational steps in securing IoT devices is maintaining an up-to-date IT asset inventory. This should include all connected devices and the passive scanning tools used to discover and manage them.
Organisations can keep their inventory accurate by creating a profile for each device with information such as operating system, IP address and port numbers. These records help them manage security risks more effectively by recording where each device is, who has access to it and whether it is in use.
2. Analyse for risks
After cataloguing IoT devices, it’s essential to assess the risks each device may introduce to the network. This involves conducting security evaluations to identify vulnerabilities, such as outdated firmware or unsecured communication channels.
Where a risk is found, remediation should be a top priority. This can involve patching vulnerabilities and hardening device configurations. It is also imperative to scan for weaknesses regularly to detect new threats.
3. Create an incident response plan
Even with strong security measures, no system is entirely immune to cyberattacks. Plus, with the NIS2 Directive demanding faster responses to incidents, it’s crucial to have an appropriate action plan. That is why an incident response framework is critical for mitigating damage when a breach occurs.
An incident response plan outlines the steps an organisation should take when a security event occurs. This may include monitoring a smart device’s traffic from a centralised area, blocking ports from a remote location and quarantining compromised devices.
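The first two steps above, an asset inventory with OS, IP address and port numbers per device, followed by a risk analysis for outdated firmware and unsecured communication channels, can be captured in a small script. The example below is added here and is not from the article or from any NIS2 guidance; the device models, firmware baselines, the port-to-service classification and the sample inventory are all constructed for illustration, and the severity weights are an assumption.

```python
# Added example (not from the article): a minimal IoT asset inventory with the
# two risk checks the article names, outdated firmware and cleartext (unsecured)
# communication channels, producing a remediation priority list.
# Baselines, port classification and the inventory itself are constructed.
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Cleartext services; an IoT device exposing one of these is treated as having
# an unsecured communication channel (assumed classification for this example).
CLEARTEXT_SERVICES: Dict[int, str] = {21: "ftp", 23: "telnet", 80: "http", 161: "snmp v1/v2c"}

# Minimum acceptable firmware per product line (assumed values, not vendor data).
FIRMWARE_BASELINE: Dict[str, str] = {"cam-x1": "3.2.0", "plc-200": "1.8.5", "hvac-ctl": "2.0.0"}


@dataclass
class Device:
    """One inventory record: the profile fields the article recommends, plus model and firmware."""
    asset_id: str
    model: str
    os: str
    ip: str
    open_ports: List[int]
    firmware: str
    owner: str       # who is accountable for / has access to the device
    location: str
    in_use: bool = True


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '3.1.7' into (3, 1, 7) so versions compare numerically rather than as strings."""
    return tuple(int(part) for part in v.split("."))


def assess(device: Device) -> List[Tuple[str, int]]:
    """Return (finding, severity) pairs for one device; severity 3 is the highest."""
    findings: List[Tuple[str, int]] = []
    baseline = FIRMWARE_BASELINE.get(device.model)
    if baseline is None:
        # Unknown product line: cannot judge patch level, so flag it for review.
        findings.append((f"no firmware baseline defined for model {device.model}", 2))
    elif parse_version(device.firmware) < parse_version(baseline):
        findings.append((f"firmware {device.firmware} below baseline {baseline}", 3))
    for port in device.open_ports:
        if port in CLEARTEXT_SERVICES:
            findings.append((f"cleartext service {CLEARTEXT_SERVICES[port]} on port {port}", 2))
    if not device.in_use:
        findings.append(("device inventoried but not in use; decommission or justify", 1))
    return findings


def risk_score(device: Device) -> int:
    """Sum of finding severities; 0 means nothing to remediate."""
    return sum(severity for _, severity in assess(device))


def remediation_plan(inventory: List[Device]) -> List[Tuple[str, int, List[str]]]:
    """Devices ordered highest risk first with their findings; clean devices are omitted."""
    ranked = []
    for device in inventory:
        findings = assess(device)
        if findings:
            ranked.append((device.asset_id, sum(s for _, s in findings), [f for f, _ in findings]))
    ranked.sort(key=lambda row: (-row[1], row[0]))  # highest score first, then by asset id
    return ranked


# Constructed sample inventory (fields: id, model, os, ip, ports, firmware, owner, location, in_use).
INVENTORY = [
    Device("cam-01", "cam-x1", "Linux 4.9", "10.0.5.11", [80, 554], "3.1.7", "facilities", "lobby"),
    Device("plc-07", "plc-200", "VxWorks 6.9", "10.0.7.20", [23, 502], "1.8.5", "plant ops", "line 2"),
    Device("hvac-02", "hvac-ctl", "Linux 5.4", "10.0.5.40", [443], "2.0.3", "facilities", "roof", False),
    Device("sensor-9", "temp-z9", "FreeRTOS", "10.0.9.3", [8883], "0.4.1", "quality", "warehouse"),
    Device("gw-01", "hvac-ctl", "Linux 5.4", "10.0.5.1", [443], "2.1.0", "facilities", "plant room"),
]

if __name__ == "__main__":
    for asset_id, score, findings in remediation_plan(INVENTORY):
        print(f"{asset_id} (score {score})")
        for finding in findings:
            print(f"  - {finding}")
```

Run against the sample inventory, the camera running firmware below its baseline and exposing plain HTTP lands at the top of the plan, the PLC with telnet open and the sensor with no known baseline follow, and the unused HVAC controller is listed last as a decommissioning question. In practice the inventory rows would come from the passive scanning tools the article mentions, and the baselines from the vendor's advisories; the scoring logic stays the same.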
Securing IoT devices under NIS2
NIS2 is a giant leap forward in strengthening cybersecurity across Europe, especially as technology spreads throughout business operations and infrastructure. Companies should therefore use it as a framework to protect themselves against emerging threats. This will prepare them for future challenges and help them remain compliant moving forward.
Author: Zachary Amos, Editor of ReHack Magazine