Interpreting NIS 2 Directive requirements for applying automation

Positioning and planning end to end automation map by We Are CORTEX

Interpreting the new NIS 2 Directive can be challenging. But once you understand your organisation’s obligations, automation can significantly ease the burden.

The NIS 2 Directive was enacted into European Union law on 17th October 2024. It significantly builds on and expands the compliance requirements set out in the original NIS Directive. It requires organisations to first understand their obligations, and then apply cybersecurity defences.

In parts, NIS 2 offers a challenging interpretation. It contains nine chapters and 46 articles, so it’s essential that all organisations falling under its scope accurately understand their obligations under the directive.

The first port of call is to understand your entity classicisation:

  • ‘Essential’ (which requires complete compliance)
  • ‘Important’ (some requirements)
  • ‘Not in Scope’ (no obligation, but adoption of some of the requirements is highly recommended).

The directive significantly expands the type of organisation included, as well as more sectors, so it’s essential to first understand where your organisations fits on the entity list (see Table 1).

Table 1. ‘Essential’ and ‘Important’ entities in NIS 2

depicting the NIS2 industry sectors

A cross-domain approach to meeting NIS 2 obligations

For both sets of entities, Article 21 of NIS 2 directs Member States to ensure that they manage risk by implementing robust systems, policies, and best practices across multiple cybersecurity measures and disciplines, on a cross-domain basis, as follows:

  • Risk handling, analysis and information system security.
  • Incident handling and reporting.
  • Business continuity, such as backup management and disaster recovery.
  • Crisis management.
  • Supply chain security.
  • Systems acquisition, development, and maintenance security.
  • Basic cyber hygiene practices (a common baseline set of practices to provide a proactive framework of preparedness) and cybersecurity training.
  • Encryption technologies.
  • Human resources security, access control policies and asset management.
  • Zero Trust access (multifactor authentication, continuous authentication).
  • NIS2 security requirements apply to the entire supply chain, including sub-contractors and CSPs supporting them.

The directive also calls for an initial comprehensive review of risks and security gaps throughout the organisation, as well as throughout the entire supply chain, to gain an over-arching view of the risk factors and security gaps that may have gone unnoticed previously.  It also requires risk assessment such as this to be applied on a continual basis.

This means that NIS 2 demands a holistic and on-going approach to cybersecurity – as siloes can leave security gaps that can be exploited by malicious actors. NIS 2 also requires regular security assessments and testing to be performed.

More stringent NIS 2 reporting requirements

Reporting requirements have also been tightened. For example, ‘Essential’ entities must apply the following measures:

  • Provide initial notification of a significant security incident within 24 hours of detection.
  • Deliver an initial assessment of the incident within 72 hours of detection.
  • File a detailed final report within a month of detection.

These requirements are in place to ensure the sharing of information and collaboration across Member States regarding existing (known) and emerging (unknown) security threats to strengthen the EU’s communications networks’ national and international cybersecurity.

It aims to strengthen the EU’s collective response to cyber threats, and means that organisations must adopt a culture-wide, comprehensive approach to security policies (including employees), strategies, systems, processes, and tools.

Other areas covered by NIS 2 include adopting robust accountability and effective governance capabilities; supply chain security; business continuity; regular training and awareness assessments for employees; and a cyber recovery plan that includes

regular testing and validation.

NIS 2 essentially mandates automation

The Directive also explicitly mentions automation. For example, sub-section 3 in Article 29 of the directive states: “Member States shall facilitate the establishment of cybersecurity information-sharing arrangements referred to in paragraph 2 of this Article.

Such arrangements may specify operational elements, including the use of dedicated ICT platforms and automation tools, content and conditions of the information-sharing arrangements.”

The We Are CORTEX automation platform enables compliance and business success

NIS 2 highlights how automation is the only real, viable option for meeting such broad-reaching and complex requirements. Manual processes are prone to human error, while a siloed approach can leave security gaps.

The We Are CORTEX automation platform enables a holistic, joined-up, cross-domain approach to cybersecurity. It can run continuously in the background, providing security systems testing on an on-going basis, reports on anomalous network behaviour (which may represent an attack), provide an interconnected view of the network, and ensure that upgrades and patches are deployed, to name just a few things.

First, it’s essential that organisations and service providers understand their obligations under NIS 2, as they are likely to differ according to sector, business size, risk assessment, and the kind of legacy systems being used. Applying Automation can then ease the burden of meeting NIS 2.

However, the CORTEX platform not only enables compliance, but it also offers additional, multiple benefits, including (but not limited to) digital transformation, operational efficiency, competitive differentiation, cost savings, elimination of human error, and so on.

Our reusable elements enable a cross-domain approach to cybersecurity that can be deployed incrementally, avoiding siloes and the risks associated with major digital transformations.

We are CORTEX has years of experience helping organisations of all sizes to implement automation technologies and platforms that enable compliance, and business success.

To find out more about how we can help you meet your NIS 2 Directive obligations, download our latest report by clicking below or contact us today.

Share this article