With the UK’s TSA and EU’s NIS 2 Directive in place or due to be enacted into law, meeting your mandatory cybersecurity obligations can seem daunting. Automation will be critical in easing this burden.
The NIS 2 Directive is a European Union (EU)-wide regulation was enacted into law throughout Member States on 17th October 2024 and significantly expands cybersecurity legislation and requirements throughout the region. The UK has also introduced the Telecoms (Security) Act (TSA) 2021, which has the same aim of strengthening national and international infrastructure – although compliance with TSA does not meet NIS 2 obligations.
NIS 2 Directive marks a significant shift in cybersecurity obligations
That’s why NIS 2 marks a pivotal shift, as it standardises security requirements throughout the EU, while expanding legislative security requirements and embracing many more organisations. There are three general criteria that define which organisations must comply with NIS 2 Directive obligations:
- 1) Location — Do you provide services or activities in the EU (whether you are based in the EU or not)?
- 2) Size — Generally, mid-sized and large organisations.
- 3) Industry — There are 18 verticals that are classified as either “essential” entities (which means obligatory compliance with all aspects), and “important” (which means obligatory compliance with some aspects). For a full list of the sectors that fall into each category click here.
One of the most important aspects of the directive though is that it provides a framework for a holistic approach to cybersecurity and data privacy, embracing software, hardware, and culture (people).
Unlike ISO 27001 (a voluntary certification), for those entities that fall into one of the two categories, compliance with NIS 2 is obligatory. It therefore means that concerned entities need to take an organisation-wide approach to the directive.
This holistic approach embraces four main strategies and policies, which include technology and culture. These are:
- Governance
- Risk management
- Incident detection and response
- Reporting obligations for incidents and events
Figure 1. Policy and technology strategy framework for cybersecurity.
Source: Honeywell
Governance is outlined in Article 20 Governance of the EU 2022/2555 NIS 2 Directive and encompasses the implementation of risk management and accountability measures. Training is an integral component of meeting governance obligations, including the training and skills of employees so that they are aware of cybersecurity risk and impact. NIS 2 provides a framework for ensuring cybersecurity governance standards. Essentially, it provides a holistic, top-down approach to cybersecurity.
NIS 2 Risk Management requirements
Cybersecurity risk management is outlined in Article 21.2 of the NIS 2 Directive and is critical to the success of a holistic approach to digital security. This section requires concerned entities to develop robust risk management and information system security policies, particularly for operational technology (OT) systems, which helps to enhance security against cyber threats, from a technological perspective.
Risk management also embraces Business Continuity, Supply Chain Security, IT security systems, a policy-based approach to evolving threats, and training in cybersecurity practices.
NIS 2 also sets out obligations for reporting security incidents for ‘essential’ entities – and requires the reporting of near misses and attempted incidents – on a 24/7 basis. It suggests that regular penetration testing might be required. ‘Important’ entities must report significant incidents to the relevant authority in the form of an early warning, an incident report, an interim report, an intermediate report or a final report.
The Directive also recommends that all entities conduct regular risk assessments, and employ cryptography and encryption for securing data exchange, as well multi-factor authentication.
Reporting requirements are strict. For both ‘Essential’ and ‘Important’ entities, any security incidents need to be reported to the appropriate authorities as an “early warning” (within 24 hours), with an incident notification required within 72 hours and a full report mandated within 1 month.
It’s clear to see that the NIS 2 Directive, and the TSA in the UK, significantly expand the cybersecurity obligations of a broader range of organisations and entities, which can be daunting. However, while a holistic, top-down cultural approach is an essential component of meeting the directive’s requirements, much of the technological and operational side of the burden can be substantially aided by automation.
We Are CORTEX can help you to meet your TSA and NIS 2 cybersecurity obligations
We Are CORTEX offers a flexible, comprehensive automation solution, the CORTEX platform, which is designed to support business systems and processes, but can also be leveraged to ensure compliance with the NIS 2 Directive and TSA.
Our platform provides a cross-domain approach to automation and orchestration, which means that there are no process or data siloes, which can provide a framework for a holistic approach to cybersecurity.
CORTEX enables micro- and macro-orchestration, which means that automation can be implemented in a logical, step-by-step manner, with the ability to re-use aspects of automation capabilities, and refine them for new purposes.
It means that We Are CORTEX can help to take a significant burden of compliance with NIS 2 and TSA away, allowing your organisation to focus on a holistic approach to cybersecurity, while ensuring compliance. To find out more, download our latest NIS 2/TSA research paper by filling out the form below, or contact us today.