How Automation can help evaluate and assess cybersecurity risk to meet NIS 2 Directive obligations

One of the starting points to meet the incoming NIS 2 Directive is to perform a far-reaching risk evaluation and assessment, which can seem like a daunting task. But Automation can take away that perceived burden.

The European Union’s NIS 2 Directive, alongside the UK’s Telecoms (Security) Act 2021, is aimed at expanding and strengthening national and international infrastructures against malicious cyber threats. NIS 2 was enacted into law throughout the EU on 17th October 2024, and will require a holistic, top-down approach to dealing with cyber threats that covers culture, technology and people. It significantly expands requirements over both the original NIS Directive and the UK’s TSA.

As a result, the first component of such a holistic approach is understanding whether your organisation is an “Essential” or “Important” entity. A list of sectors that fall into each category can be found here.

Once your organisation is deemed to fall into either category, the next step must be a comprehensive risk evaluation and assessment. The official EU NIS 2 Directive paper specifically focuses on the telecoms and electricity sectors, as well as spill-over risks and critical interdependencies across both sectors.

Identifying risks and performing risk evaluation

In the telecoms sector, the directive identifies risks to mobile and fixed telecommunications networks as the main threat, followed by risks to the internet’s core infrastructure, and then to satellite communications. It divides risks to the telecoms sector into two categories: threats that could lead to a loss of critical services with a direct impact on society; and state- or organisation-led espionage. It also lists financially motivated ransomware groups that disrupt critical services as a major concern, as well as destructive malware that wipes data.

Other lower-impact threats it identifies include DDoS attacks (for an in-depth explanation of this type of attack, download We Are CORTEX’s latest paper here). This type of attack can be very disruptive and can be used as cover for longer-term ransomware and malware attacks, and so is a significant cybersecurity threat.

End-user device attacks are another significant problem. When considering threats from the edge of the network, it is essential to remember that the edge is fluid and transient: different devices join and leave the network continuously, and each may be accessing other applications and data, which extends the ‘edge’ even further (again, download our paper for a more in-depth explanation).

Espionage can, of course, significantly impact end users and the privacy of their personal data, with sources noting SS7 and attacks on weak legacy telephony and SMS services as vulnerabilities. NIS 2 also identifies supply chain attacks as a growing concern. It notes that the diversity of the mobile and fixed infrastructure supply chain makes it challenging for providers to perform due diligence on all hardware and software within the network. The EU notes 5G suppliers from third countries as a particular concern, as well as the jamming of satellite communications, particularly when they are being used as a back-up network.

The point is that there are multiple threats to the communications network today, and they are growing. So, the starting point to meeting NIS 2 obligations for entities in scope is to perform a comprehensive risk evaluation and assessment, as each network infrastructure is likely to have unique vulnerabilities.

How can Automation help with risk evaluation and assessment?

In order to perform a security risk evaluation, organisations need to identify, analyse, and evaluate potential threats and infrastructure/software vulnerabilities. Done manually, this is time-consuming, costly, and prone to human error. That is where automated software comes in: automating the process significantly accelerates and streamlines it, and eliminates human error.

The huge advantage of implementing automated software is that it can monitor systems, processes, and networks for attacks and potential threats on an on-going basis and prioritise higher-risk threats, something not possible with a manual process. Furthermore, automation can be used to generate real-time reports, alerting operators and providers as soon as a potential threat is identified.
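To make the identify, evaluate, prioritise and alert loop described above concrete, here is a small added illustration written for this article; it is not code from the We Are CORTEX platform. The threat list mirrors the ones the directive names earlier on this page, while the likelihood and impact figures, the 1 to 5 scoring scale, the alert threshold of 15 and the monitoring event names are all constructed assumptions.

```python
"""Added illustration: a minimal automated risk evaluation loop.

Scores a constructed register of threats to a telecoms network
(likelihood x impact), re-evaluates it as monitoring events arrive,
and emits alerts for anything above a threshold. Not We Are CORTEX code.
"""
from dataclasses import dataclass


@dataclass
class Risk:
    asset: str
    threat: str
    likelihood: int  # 1 (rare) .. 5 (almost certain); assumed scale
    impact: int      # 1 (negligible) .. 5 (loss of a critical service)

    @property
    def score(self) -> int:
        return self.likelihood * self.impact

    @property
    def band(self) -> str:
        # Assumed banding of the 1..25 score range.
        if self.score >= 15:
            return "critical"
        if self.score >= 8:
            return "high"
        if self.score >= 4:
            return "medium"
        return "low"


# Constructed register; the figures are illustrative, not from the directive.
REGISTER = [
    Risk("core-network", "ransomware", 3, 5),
    Risk("mobile-network", "ddos", 4, 3),
    Risk("legacy-telephony", "ss7-interception", 2, 4),
    Risk("supply-chain", "compromised-vendor-component", 2, 5),
    Risk("satellite-backup", "jamming", 1, 4),
    Risk("edge-devices", "compromised-end-user-device", 3, 2),
]

# Constructed monitoring event names mapped to the threat they are evidence
# of and how much they raise its likelihood.
EVENT_WEIGHT = {
    "ddos-traffic-spike": ("ddos", 1),
    "ransomware-ioc-match": ("ransomware", 2),
    "unexpected-ss7-query": ("ss7-interception", 2),
}


def prioritise(register):
    """Highest score first; ties broken by asset name for a stable report."""
    return sorted(register, key=lambda r: (-r.score, r.asset))


def apply_events(register, events):
    """Return a new register with likelihood raised per observed event.

    The input register is left untouched; likelihood is capped at 5 and
    unknown event names are ignored.
    """
    updated = [Risk(r.asset, r.threat, r.likelihood, r.impact) for r in register]
    for ev in events:
        if ev not in EVENT_WEIGHT:
            continue
        threat, weight = EVENT_WEIGHT[ev]
        for r in updated:
            if r.threat == threat:
                r.likelihood = min(5, r.likelihood + weight)
    return updated


def alerts(register, threshold=15):
    """Alert lines for every risk at or above the threshold, highest first."""
    return [
        f"ALERT {r.band}: {r.threat} on {r.asset} (score {r.score})"
        for r in prioritise(register)
        if r.score >= threshold
    ]


def report(register):
    """Plain-text prioritised report of the whole register."""
    return "\n".join(
        f"{r.score:>2} {r.band:<8} {r.asset:<18} {r.threat}"
        for r in prioritise(register)
    )


if __name__ == "__main__":
    print(report(REGISTER))
    live = apply_events(REGISTER, ["ddos-traffic-spike", "unexpected-ss7-query"])
    print(report(live))
    for line in alerts(live):
        print(line)
```

Running it prints the baseline register (ransomware on the core network is the only critical item), then the re-scored register after two constructed monitoring events, where the SS7 and DDoS entries have also crossed the alert threshold. The point of the design is that the register is re-evaluated from evidence rather than from a yearly spreadsheet review, which is the continuous, prioritised view the paragraph above describes.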

Automation can also provide network mapping tools, penetration testing tools, and compliance management, whatever your requirements.

As a result, Automation can help organisations to effectively, quickly, and continuously identify and deal with cybersecurity threats, helping you to meet your NIS 2 and TSA compliance obligations and secure your network.

The We Are CORTEX automation platform for NIS 2 risk evaluation and assessment

The We Are CORTEX automation platform offers a flexible, comprehensive approach to automating systems, processes, and networks. It uses function blocks that can be reused across domains, enabling an incremental approach and making the prospect a much less daunting undertaking. As each block can be joined up, efficiencies and resilience feed into one another on a cross-domain basis.

We have worked with many national and international service providers, which have also carried out their own customised automation projects, ensuring that the platform aligns with existing legacy processes and systems.

Automation provides a significantly more efficient and cost-effective approach to meeting all your security requirements and compliance obligations. Download our latest paper by filling out the form below.
