Risk Management in the Digital Age: NIS2 Compliance and Accountability Strategies

Sally Eaves 29/12/2023
The Network and Information Systems Directive (NIS2) has become a critical framework for ensuring the cybersecurity and resilience of essential services.

We are navigating a cyber threat landscape of evolving complexity, diversity and sophistication, including the rise of cybercrime as an economy and "Ransomware as a Service" (RaaS), alongside an escalation in the scope, scale and severity of impact. Concern around risk and accountability is understandably rising too. Indeed, 39% of businesses in the UK alone reported suffering cyber-attacks in 2022 (AAG), the FBI has recently highlighted the interrelated risk of fluctuating energy prices and cyber-attacks against critical national infrastructure, and a survey of Chief Information Security Officers identified ‘Reducing and Mitigating Risk’ as their leading concern (Evanta). It is understandable, then, that some 41% of respondents also reported that they would be investing in Identity and Access Management (IAM) and Multi-Factor Authentication (MFA).

The Network and Information Security 2 (NIS2) Directive is a timely response to this increasingly uncertain and aggressive cybersecurity landscape, as emphasised in the UK National Cyber Security Centre's (NCSC) recent report. It is a significant piece of new European Union legislation that imposes stricter cybersecurity obligations on entities operating in critical sectors such as energy, transport, health and digital infrastructure. NIS2 also holds executives personally liable if they neglect to adequately address their organizations' cyber risk ("adequately" is a benchmark yet to be defined). I believe the broadened approach also recognises the interconnectedness of IT and OT in today's digital landscape.

In this article, I look at the key steps organizations can take to meet NIS2 requirements, with a personal take on why this matters so much, in particular drawing on my background in telecoms and working across tech convergence, notably securing IT and Operational Technology. I also reference some of the support available to manage the transition, especially from the leading independent Identity partner Okta, which Gartner recently named as a Leader in the Magic Quadrant for Access Management November 2023, the 7th consecutive year that Okta has attained this trusted recognition.

Today’s Cyber Security Landscape

Officially part of the Digital Markets Act (DMA), and with a requirement to be transposed into national law by October 17th 2024, NIS2 replaces and repeals the original Network and Information Security (NIS) Directive. It is designed to improve cybersecurity risk management, incident reporting, supply chain security and third-party risk management, and also to introduce managerial liability for cyber incidents alongside strict reporting obligations. As just one example, a compulsory early warning must be given immediately following a cyber breach and communicated to the relevant authority within 24 hours.

NIS2 also includes provisions to foster improved information sharing and cooperation across member states to respond to the rise in cross-border cyber threats. This is an area I believe is especially important given the rise in bad actor collaboration: working together, for example, to reimagine old threats such as Emotet, as I discussed here, or to engineer new ones, such as the continuing "Scattered Spider" casino hacking gang incidents in the US. Clearly, cyber criminals are evolving into networks of highly adaptive and organised crime groups (OCGs), but we are also seeing a rise in smaller and less-organized entities too; these groups often collaborate and trade services on ‘dark’ marketplaces and forums, akin to an ecosystem in their approach.

And the impact is clear! Participants in the European Union’s 2023 ‘Eurobarometer’ survey cited the protection of users from cyberattacks as EU citizens' top priority for future actions in their respective countries. And within NIS2, we see the introduction of the new European Cyber Crises Liaison Organisation Network (EU-CyCLONe) as part of the focus on addressing exactly that: a system for rapid crisis management coordination to be activated in the case of large-scale and cross-border cyber incidents. Given the recent acceleration in AI, and notably Generative AI, developments, and the dual frontier of risks and new capabilities this affords, which took centre stage at the recent UK Government AI Safety Summit, this needed prioritisation of citizen protection, underpinned by citizen trust, is only poised to grow. A salient discussion paper on this subject is freely available now here.

Understanding NIS2, and Where it Fits in

The NIS2 Directive is the most comprehensive European cybersecurity directive to date, expanding the scope beyond traditional IT systems to include OT and essential service providers, with stricter requirements for risk management and incident reporting, wider coverage of sectors, and more hard-hitting penalties for non-compliance. This includes a potential fine of €10 million or 2% of the yearly global turnover of public and private sector organizations in scope, alongside a variety of non-financial penalties including orders to comply, direct mandatory instructions, mandates for security audits and alerts to an organisation's clients about their potential risks.

The directive defines "operators of essential services" (OES) as businesses and organizations that provide essential services to society, such as energy, banking, health care, water supply, and transport services. This is an area which also highlights the global impact of NIS2. So, for example, a provider of operationally critical products or services that is based outside the EU but sells to a business classed as important or essential would also be in scope, and we can expect to see related elements such as risk assessment and incident reporting procedures embedded into future contracts. Similarly, while it is true that NIS2 has a specific focus on critical sectors, it still applies to a vast number and much broader range of organizations. Quoted statistics generally point to over 100,000 companies being affected by NIS2.

Within the new legislation, ten core operational requirements are introduced that all companies within its scope must address or implement as part of their cybersecurity measures – these range from risk analysis and vulnerability disclosure right through to incident response and cybersecurity training. These requirements are designed to address the deficiencies of the previous rules, adapt to current needs, and to future-proof the directive as far as possible given the dynamic landscape described.

Key Steps to Addressing NIS2 Requirements

Meeting the NIS2 requirements requires a ‘drilling down’ into the effectiveness of your defensive measures against cyber threats, the robustness of the protocols that are supposed to stop attacks, and the agility of your response mechanisms to counteract emerging dangers. With some recent reports now indicating that the cost of compliance may rise by 22% for organisations not previously subject to NIS, being prepared, and having access to reliable knowledge and trusted support to navigate this transition, becomes an imperative.

Dealing with every detailed requirement of NIS2 takes time and dedication – but the requirements revolve largely around the following key themes, which Okta covers in full detail in their recent whitepaper available now here:

· Verify and Maintain Security Posture: This is all about looking at how well your company is set up to fight off cyber-attacks. It includes how you stop attacks from happening, how quickly your company can react to new threats, and the type of security technology you use, including firewalls or antivirus programs. It's like personal hygiene, but for your company's cybersecurity.

· Special Protections for Privileged Access: Under NIS2, protecting special access means focusing on Identity and Access Management (IAM), Privileged Access Management (PAM), and Multi-Factor Authentication (MFA). Access management centres on making sure the right people have the right access to digital resources at the right time. This applies not just to your team but to the ecosystem of everyone you work with, such as suppliers.

· Ramping up Ransomware Defences: Ransomware remains a huge headache globally, with notable recent attacks including the Colonial Pipeline in Texas and the Health Service Executive of Ireland disrupting critical services. Even though NIS2 does not call ransomware out by name, it is all about tackling these kinds of cyber threats, especially given the rate of evolution, with cyber-criminals now typically prioritizing data theft and extortion over actually deploying ransomware itself. Start with training your team to spot and handle ransomware risks. Keep your software and systems up to date to close any gaps that attackers might use. Strong access management is critical too: cut down on the ways malware can get in.

· Embrace Zero Trust: Today’s cyber threat landscape, combining heightened risk with endpoint choice, flexible workstyles and applications everywhere, means that the traditional, established trust boundaries that rely on perimeter security simply no longer exist. Endpoints are not “yours” anymore. NIS2 therefore understandably ‘nudges’ organizations towards a Zero Trust architecture approach. It sounds simple: ensure that every device and user is verified before granting access, and trust no one and nothing, whether inside or outside your network. For more information, my personal take on what Zero Trust security ‘really means’ is freely available here.

While these are the broad themes, specific aspects of NIS2 may have particular importance for your organization and vertical – and it can be very worthwhile to work with a compliance expert to ensure that your organization complies both with the broader themes of NIS2, and the specific legislation. It is equally important to act quickly and make a start now – whilst NIS2 presents a key new challenge for organizations of all sizes, this also represents an opportunity to improve your overall cybersecurity posture and protect critical assets too.

Okta's Role in NIS2 Compliance

With moving from intention to action, and closing risk gaps, being recurring key themes in cybersecurity today, Okta’s recent highest ranking on “ability to execute” for the third year in a row within Gartner’s Magic Quadrant for Access Management is a standout barometer of protection put into practice, and at scale. Indeed, Okta's recent 'Oktane' event saw the launch of Log Investigator with Okta AI, Actions Navigator with Okta AI, and Expert Assist, all contributing to a powerful toolset that can help organizations achieve compliance with specific regulations such as NIS2.

The company’s Okta Identity Governance (OIG) solution combines Okta Workflows, Okta Lifecycle Management, and Okta Access Governance to help organizations mitigate modern risks and improve efficiency, with a focus on IAM and safeguarding privileged access. In combination, Okta's IAM solution provides a framework that helps you govern who the users of your business networks are and what services they can or cannot access. This ensures that the right individuals are the ones signing in to their business networks, thereby helping top management fulfil their evolved cybersecurity risk management responsibilities under NIS2.

Managing Access is at the Core

And, of course, managing access rights is at the core of NIS2 requirements – poorly managed IAM leaves the door open for breaches. Okta's solutions help prevent security breaches that could lead to significant penalties, from financial to loss of trust. Okta provides comprehensive visibility into authorization and access attempts across various infrastructures and technologies. This capability assists organizations in reconstructing the timelines of network or resource reconnaissance, a crucial component in incident reporting – another core part of NIS2.

Finally, Okta's IAM solution strengthens all-important supply chain security by managing access control and identity with the same speed and confidence for 10 employees as for 10,000. All in all, Okta’s solutions and expertise can help organizations cover a significant amount of ground in terms of NIS2 compliance and moving past common challenges.

Tackling Common Challenges

Meeting the new NIS2 standards can be challenging. For example, when moving to the cloud or bringing in new technology such as IoT devices, with all the opportunities these afford, you are also expanding your exposure and potentially introducing new risks, especially when working with third parties. This is heightened further still by the AI juxtaposition already discussed and by growing areas such as IT and OT convergence, especially within verticals such as telecommunications, manufacturing and energy. With all the advancements also come new challenges, especially in securing Operational Technology (OT) environments.

Vendor reliability and trust are key to navigating this transition, making informed choices and staying ahead of changes to the threat landscape. Additionally, convincing senior executives to spend more on cybersecurity can be tough but crucial. Here ‘changing the narrative’ is key. Emphasizing the risks of ignoring security, or ‘the cost of insecurity’, is fundamental to securing buy-in and the funds to invest in training your current team and attracting new staff, especially given the talent shortages in the space today.

Finally, it remains a truism that you ‘cannot manage what you cannot measure’. With risk and compliance legislation tightening, acting now to assess your organisation’s current level of cyber maturity and capability against the requirements of NIS2 is imperative. As a founder, mentor and advisor to businesses across different verticals and sizes, I have seen the challenge first hand, especially for SMEs/SMBs, which can have additional constraints around resources and experience. In other words, the ‘where to start’ can feel overwhelming.

To support this, I would recommend exploring Okta’s independent new compliance and regulation risk assessment tool to self-assess. This can clarify your baseline, help you identify ‘low hanging fruit’ areas to work on first, and allow regular benchmarking of progress, which can also support buy-in; the list goes on! Additionally, the assessment provides a foundation from which to move on to more complex activities, for example the development of Incident Response templates for uniform reporting of cybersecurity incidents to meet NIS2’s evolved requirements.

And finally, I believe an area that is underexplored, but that is also vital to consider, is the alternative means by which to demonstrate compliance with the NIS2 directive: there is no need to duplicate effort! So, for example, if you’re ISO 27001 certified, you could already have completed up to 70% of the NIS2 security requirements. Similarly, where an EU legal act such as PSD2 or DORA is already under observance with respect to incident response or cybersecurity, that extant ruling will actually take precedence. Again, working with an independent specialist such as Okta can help you work through these options. Additionally, I would recommend that readers explore the CAF (Cyber Assessment Framework) developed by the UK’s National Cyber Security Centre; adhering to the principles here serves as an excellent underpinning to the new areas of focus being introduced by NIS2.

To close, I would love to leave you with a call for feedback, as I think dialogue is so vital here! I would also like to pose a final question: reflecting on all the above, do you believe NIS2 can become a trailblazer, akin to how GDPR has been for data protection? Many thanks, Sally

About the Author

A highly experienced chief technology officer, professor in advanced technologies, and a global strategic advisor on digital transformation, Sally Eaves specialises in the application of emergent technologies, notably AI, 5G, cloud, security, and IoT disciplines, for business and IT transformation, alongside social impact at scale, especially from sustainability and DEI perspectives.

An international keynote speaker and author, Sally was an inaugural recipient of the Frontier Technology and Social Impact award, presented at the United Nations, and has been described as the "torchbearer for ethical tech", founding Aspirational Futures to enhance inclusion, diversity, and belonging in the technology space and beyond. Sally is also the chair for the Global Cyber Trust at GFCYBER.

Sally Eaves

Tech Expert

Dr. Sally Eaves is a highly experienced Chief Technology Officer, Professor in Advanced Technologies and a Global Strategic Advisor on Digital Transformation specialising in the application of emergent technologies, notably AI, FinTech, Blockchain & 5G disciplines, for business transformation and social impact at scale. An international Keynote Speaker and Author, Sally was an inaugural recipient of the Frontier Technology and Social Impact award, presented at the United Nations in 2018 and has been described as the ‘torchbearer for ethical tech’ founding Aspirational Futures to enhance inclusion, diversity and belonging in the technology space and beyond.