NIS2 Directive: A Strategic Blueprint for Cyber Security and the Importance of Pentesting
Introduction
In the era of rapid digital transformation and increasing interconnectedness, network and information systems have become integral to daily life, impacting all sectors, including cross-border interactions. This evolution has significantly expanded the cyber threat landscape, introducing new challenges that demand adaptive, coordinated, and innovative responses across all Member States. The escalation in the number, scale, sophistication, frequency, and impact of cyber incidents poses a serious threat to the functionality of these systems. Such incidents can disrupt economic activities within the internal market, result in financial losses, erode user trust, and inflict substantial harm on the Union’s economy and society. Therefore, cybersecurity preparedness and effectiveness are crucial for maintaining the internal market’s proper functioning. They are also essential for enabling critical sectors to successfully navigate the digital transformation and fully realize the economic, social, and sustainable benefits of digitalization.
Cybersecurity has become a cornerstone of policy-making within the European Union, driven by the increasing frequency and sophistication of cyber threats. The EU’s response, aimed at strengthening resilience and response capabilities across its member states, is embodied in the NIS2 Directive.
The NIS2 Directive is designed to replace the original Network and Information Systems (NIS) Directive. It extends the scope of regulatory requirements to cover more sectors and digital services, reflecting the evolving technological landscape. A significant addition in this iteration is the explicit emphasis on penetration testing, which underscores the proactive measures entities must undertake to ensure their systems’ integrity and resilience.
From the NIS Directive to NIS2: What Is Different and How It Strengthens Cybersecurity Measures
The full title of the old NIS Directive was “Directive (EU) 2016/1148 concerning measures for a high common level of security of network and information systems across the Union.” “NIS” is therefore an abbreviation of “Network and Information Systems.”
The EU’s motivation for revising the NIS Directive includes insufficient cyber resilience, lack of joint crisis response, inconsistent threat understanding, and inconsistent resilience among Member States.
The new NIS2 introduces a wider array of industries (sectors) that must be compliant, better cooperation between the Member States, new timelines for reporting incidents, more focus on supply chains, the responsibility on the top management of entities, stricter penalties, etc.
Why is NIS 2 important?
NIS 2 is important because it sets very strict cybersecurity requirements for a large number of companies in the European Union – by some estimates, more than 100,000 companies in the European Union will have to become NIS 2 compliant.
Who Does NIS2 Apply To?
The NIS2 Directive applies to a broad range of entities across various sectors, significantly expanding its scope compared to the original NIS Directive. The directive categorizes these entities into two main groups: ‘essential’ and ‘important’ entities, each with specific obligations.
Essential Entities
These are entities that play a critical role in maintaining vital societal and economic activities. The disruption of their services could have significant adverse impacts on public safety, security, and economic stability. Essential entities include:
| Sector | Description |
| --- | --- |
| Energy Sector | Electricity, oil, gas, district heating, and essential electricity-related services |
| Transport Sector | Air, rail, water, and road transport, including infrastructure and services essential for these transport modes |
| Banking Sector | Financial institutions and banks that provide critical banking services |
| Financial Market Infrastructures | Entities involved in trading venues, central counterparties, and central securities depositories |
| Health Sector | Hospitals, private clinics, and other healthcare providers |
| Drinking Water Supply and Distribution | Providers of potable water |
| Digital Infrastructure | Internet exchange points, domain name system (DNS) service providers, and cloud computing services |
| Public Administration | Central and regional government entities providing essential public services |
Important Entities
These entities, while not as critical as essential entities, still play significant roles in maintaining economic and societal functions. Their disruption could lead to substantial adverse impacts. Important entities include:
| Sector | Description |
| --- | --- |
| Digital Providers | Online marketplaces, online search engines, and social networking services |
| Manufacturing | Manufacturers of critical products and services |
| Food Sector | Production and distribution of essential food supplies |
| Chemical Industry | Entities involved in the production and supply of chemicals |
| Waste Management | Providers of waste management and recycling services |
| Postal and Courier Services | Entities involved in the delivery of mail and packages |
| Research and Development | Organizations involved in critical R&D activities, particularly those related to high-tech industries and national security |
What are the main cybersecurity requirements of NIS 2?
To combat present and emerging cyber threats, the NIS2 Directive establishes comprehensive requirements and obligations that ensure organizations are better prepared to prevent, respond to, and recover from cyber incidents.
1) Responsibilities of senior management
According to Article 20, the top management of essential and important entities:
- must approve cybersecurity measures that need to be implemented in the company,
- must oversee their implementation, and
- can be held liable if cybersecurity is not implemented properly.
Articles 32 and 33 further emphasize the liability of the legal representatives of essential entities and important entities.
2) Importance of training
According to Article 20, members of top management must go through cybersecurity training, and they must enable their employees to attend such training on a regular basis.
NIS 2 requires such training to cover identification of risks, assessment of cybersecurity practices, and how these cybersecurity measures help the company provide its services.
3) Risk-based approach to cybersecurity
Member States must ensure that essential and important entities implement suitable measures to manage risks to the security of their network and information systems, aiming to prevent or minimize incident impacts on services. These measures should align with current technology, relevant standards, and cost considerations, ensuring security levels appropriate to the risks. Proportionality assessments should consider the entity’s risk exposure, size, incident likelihood, and potential severity, including societal and economic impacts.
The measures shall adopt an all-hazards approach aimed at protecting network and information systems, as well as their physical environments, from incidents. At a minimum, these measures shall include the following:
- policies on risk analysis and information system security;
- incident handling;
- business continuity, such as backup management and disaster recovery, and crisis management;
- supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers;
- security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure;
- policies and procedures to assess the effectiveness of cybersecurity risk-management measures;
- basic cyber hygiene practices and cybersecurity training;
- policies and procedures regarding the use of cryptography and, where appropriate, encryption;
- human resources security, access control policies and asset management;
- the use of multi-factor authentication or continuous authentication solutions, secured voice, video and text communications and secured emergency communication systems within the entity, where appropriate.
4) Cybersecurity as a mixture of technical, operational, and organizational measures
Article 21 mandates that companies implement suitable and proportional technical, operational, and organizational measures to address the risks to the security of network and information systems. It also requires them to prevent or minimize the impact of incidents on their service recipients and other related services.
Additionally, Article 21 stipulates an all-hazards approach, meaning companies must be ready to handle a variety of potential threats.
It also specifies a range of cybersecurity documents and measures, which are listed in a separate article: List of required documents according to NIS 2.
5) Supply chain security
Article 21 requires companies to pay special attention to risks related to direct suppliers and service providers, in particular:
- Vulnerabilities specific to each direct supplier and service provider
- The overall quality of products and cybersecurity practices of suppliers and service providers
- Secure development procedures of suppliers and service providers
6) Reporting of significant incidents
Article 23 requires companies to report any significant incidents to computer security incident response teams (CSIRTs) in the following way:
- An early warning — indicates whether the significant incident is suspected of being caused by unlawful or malicious acts or could have a cross-border impact.
- An incident notification — provides an initial assessment of the significant incident, including its severity and impact, as well as, where available, the indicators of compromise.
- An intermediate report — provides relevant status updates.
- A final report — needs to be created, at the latest, one month after the submission of the incident notification.
- A progress report — is created in the event of an ongoing incident at the time of the submission of the final report.
7) Supervision and fines
NIS2 requires a strict oversight over essential and important entities: on-site inspections, off-site supervision, cybersecurity audits, and security scans.
Similar to the EU GDPR, Article 34 introduces fines for companies that do not comply with NIS 2:
- For essential entities: a maximum of 10 million EUR or a maximum of 2% of the total worldwide annual turnover.
- For important entities: a maximum of 7 million EUR or a maximum of 1.4% of the total worldwide annual turnover.
Regulation and Supply Chain Security
Regulation should be viewed as a strategic foundation for enhancing organizational cybersecurity, not just a compliance checkbox. Many organizations aim only for minimum standards to achieve regulatory compliance, but it should be a step toward comprehensive cybersecurity and resilience. Effective regulation provides a structured framework that, when well-aligned and integrated, can greatly improve security posture.
Regulations like the NIS2 Directive emphasize the critical importance of supply chain security. Organizations must ensure their suppliers and partners comply with relevant regulations, as any non-compliance in the supply chain can pose significant risks. This approach mitigates risks, fosters trust, and shows a commitment to security and resilience. Regular assessments, due diligence, and continuous monitoring of supply chain partners are essential to maintaining compliance and protecting against emerging threats, supporting the stability and integrity of essential services.
Figure: Representation of a supply chain
Prioritizing NIS2 Compliance in Your Organization
The adoption of new cybersecurity legislation should be a priority for your organization, both in terms of budget and strategy. With the NIS2 Directive taking effect soon, it should be top of mind for the COO. Importantly, C-level executives are personally liable in cases of non-compliance, which can result in fines, prosecution, and disqualification from serving on additional boards. The CISO must be informed of the challenges posed by NIS2, and a designated individual or team should be responsible for the integration of IT and OT systems to ensure compliance.
IT and OT Interconnection and the Risks on Cyber Security
As IT (Information Technology) and OT (Operational Technology) environments become more interconnected, organizations face heightened vulnerabilities. Cyber threats can now traverse both IT and OT systems more easily, expanding the attack surface and amplifying the potential impact of attacks or incidents on both operational domains. This interconnectedness can lead to severe consequences, including physical incidents that pose risks to human safety and environmental damage.
To understand the risks, organizations in sectors such as energy, transportation, and industry first need to understand the vulnerabilities in their environment and what those represent in terms of criticality to the organization. This knowledge will surface gaps in defenses, enable prioritization, and help establish which countermeasures are needed to protect IT and OT environments and improve NIS2 readiness.
The NIS2 Directive underscores the need to protect both the physical environment and individuals from cybersecurity threats, stressing the importance of securing OT systems. Achieving NIS2 compliance and improving cybersecurity posture requires securely converging IT and OT systems and processes. This involves a proactive approach to identifying and mitigating vulnerabilities, investing in suitable technologies and training, and fostering effective communication and collaboration between IT and OT teams.
Here’s a closer look at Information Technology (IT) and Operational Technology (OT) and how they interconnect:
Information Technology (IT)
| Aspect | Description |
| --- | --- |
| Purpose | IT focuses on the use of computers, storage, networking, and other physical devices, infrastructure, and processes to create, process, store, secure, and exchange all forms of electronic data. |
| Key Components | Computing Devices: desktops, laptops, servers, and data centers. Networks: LANs, WANs, VPNs, and the internet. Applications: software programs, databases, and cloud services. Data: storage solutions, data analytics, and information systems. |
| Typical Functions | Business Operations: supports corporate functions like finance, HR, customer service, and logistics. Data Management: handles information storage, processing, and retrieval. Cybersecurity: protects data integrity, confidentiality, and availability from threats like malware, hacking, and data breaches. |
Operational Technology (OT)
| Aspect | Description |
| --- | --- |
| Purpose | OT involves the hardware and software systems that detect or cause changes through direct monitoring and control of physical devices, processes, and events in industrial operations. |
| Key Components | Industrial Control Systems (ICS): SCADA (Supervisory Control and Data Acquisition) systems, Distributed Control Systems (DCS), and Programmable Logic Controllers (PLC). Field Devices: sensors, actuators, robotics, and machinery. Networks: Industrial Ethernet, fieldbus, and other control networks. |
| Typical Functions | Automation: controls and automates physical processes and machinery. Process Management: monitors and manages production lines, utilities, and infrastructure. Safety Systems: ensures operational safety and reliability in environments like manufacturing plants, power grids, and transportation systems. |
Cybersecurity Challenges between IT and OT:
- Increased Attack Surface: Interconnected IT/OT systems can be more vulnerable because threats can migrate from IT systems (e.g., malware from a corporate email) to OT systems (e.g., affecting a production line).
- Different Security Priorities: IT focuses on data security (confidentiality, integrity, availability), while OT prioritizes operational continuity and safety, leading to potential conflicts in security strategies.
- Legacy Systems: Many OT systems were not designed with cybersecurity in mind, making them susceptible to attacks when connected to modern IT networks.
- Skill Gaps: OT professionals may lack cybersecurity expertise, while IT security teams might not fully understand the complexities of OT environments.
How Can Your Organization Prepare?
Organizations are encouraged to adopt a proactive approach, conducting assessments to establish cybersecurity baselines and developing strategic plans to address vulnerabilities.
If your organization operates in an industry sector deemed critical for the resilience of the European economy, or if you are a supplier to such organizations, compliance with the NIS2 Directive is mandatory. This regulation aims to enhance cybersecurity practices across the EU and ensure that suppliers and service providers do not introduce cyber risks to their operations.
Cyber Security products are incomplete without testing them for weaknesses
While defensive security solutions such as firewalls undoubtedly offer essential layers of security, they are not a universal cure. The reality is that a strong defense is only half the battle. Companies that do not embrace the offensive side of cybersecurity, such as penetration testing, risk overlooking critical vulnerabilities in their systems. Incomplete solutions often leave gaping holes in the security posture, waiting to be exploited by determined adversaries.
The Role of Offensive Security in Cyber Security and NIS2 Compliance
Offensive security plays a pivotal role in the cybersecurity landscape, especially within the framework of NIS2 compliance. Unlike traditional defensive strategies that focus on protecting systems from external threats, offensive security adopts a proactive approach by simulating attacks to identify vulnerabilities before malicious actors can exploit them. This method, often referred to as penetration testing, involves skilled professionals emulating cyber-attacks to uncover weaknesses in an organization’s defenses.
The NIS2 Directive elevates penetration testing from a best practice to a regulatory requirement, ensuring that all entities within its scope undertake regular and rigorous security assessments. Entities are required to perform these assessments at regular intervals, facilitating continuous monitoring and improvement of their security posture to identify new vulnerabilities as technology and threat landscapes evolve. The directive mandates a comprehensive scope for these tests, covering all critical aspects of an organization’s IT infrastructure, including networks, applications, and endpoints.
These assessments must be conducted by qualified and experienced cybersecurity professionals to ensure thorough and accurate evaluations. Following the tests, organizations are required to produce detailed reports outlining the vulnerabilities found, the methods used to exploit them, and recommended remediation steps. These reports guide security improvements and must be shared with relevant regulatory authorities if required.
Penetration testing is integrated into the broader risk management framework mandated by the NIS2 Directive. The findings from these tests inform risk assessments and mitigation strategies, ensuring a cohesive and proactive security approach. This proactive stance is crucial for maintaining effective security in an increasingly complex threat environment, helping to safeguard critical infrastructure and services essential for the resilience of the European economy. By embracing offensive security practices, organizations not only comply with regulatory requirements but also significantly enhance their overall cybersecurity posture.
Deadline for NIS2 Directive Implementation
- By 17 October 2024: Member States must adopt and publish measures to comply with the NIS2 Directive.
- From 18 October 2024: Member States must apply the adopted measures.
Conclusion
The NIS2 Directive seeks to strengthen the cybersecurity resilience of organizations across the European Union and raise awareness of the threats from malicious actors. It requires the implementation of cyber risk management strategies, making adherence to cybersecurity standards essential for ensuring organizational resilience and continuity. Therefore, it is imperative to pinpoint vulnerabilities within an organization’s infrastructure and address them promptly.
The cyber threat landscape is constantly evolving, with new threats and attack vectors emerging regularly. As a result, businesses struggle to keep up with the latest developments and adjust their security measures accordingly.
New types of malware, phishing schemes, and attack methodologies can quickly render existing security controls outdated. This constant evolution makes it difficult to predict and prepare for the next threat.
Many organizations do not have effective processes for incident reporting, analysis, and feedback loops to continuously improve security measures.
Incidents may go unreported or underreported, leading to an incomplete understanding of vulnerabilities and control failures. Without thorough analysis, organizations miss opportunities to learn from incidents and improve their controls.
For example, if a phishing attack occurs and is not properly reported or analyzed, the organization may fail to identify underlying vulnerabilities in their email security or employee training programs.
Organizations frequently grapple with a shortage of skilled cybersecurity professionals, limiting their capacity to effectively assess and improve their cyber maturity. This talent deficit hinders their ability to identify, implement, and monitor effective security controls, creating gaps in their defenses against cyber threats. Additionally, many organizations lack comprehensive visibility over their endpoints and devices, complicating their ability to define a proper scope for security assessments. This lack of insight into the full inventory of their IT and operational assets makes it difficult to apply and enforce security measures consistently across the entire environment. Without adequate expertise and clear knowledge of their own digital landscape, organizations struggle to maintain effective security practices and respond to incidents promptly.
What We Suggest and How BHEH Can Help You
Security Assessment Plan
| Step | Actions | Deliverables |
| --- | --- | --- |
| Conduct Comprehensive Risk Assessments | Evaluate organizational aspects; evaluate technical security risks | Assessment Reports |
| Develop a Risk Prioritization Matrix | Categorize risks by likelihood and impact; prioritize based on risk level | Risk Prioritization Matrix, Baseline Documentation |
Develop a Strategic Plan
| Step | Actions | Deliverables |
| --- | --- | --- |
| Short-Term Action Plan (Quick Wins) | Implement immediate security enhancements; raise awareness | Assessment Reports |
| Long-Term Action Plan (Comprehensive Measures) | Develop security policies; implement a secure reference architecture | Updated Security Policies, Secure Reference Architecture Design |
| Establish Continuous Improvement Mechanisms | Regular security audits; update risk assessments | Audit Schedules, Updated Risk Assessments |
Effective Remediation and Risk Management
| Step | Actions | Deliverables |
| --- | --- | --- |
| Execute Fix-It Programs | Implementation support; organizational changes | Fix-It Program Reports |
| Deploy Rapid Mitigation Measures | Incident response enhancement; patch management | Updated Security Configurations |
| Monitor and Validate Fixes | Post-implementation review: conduct reviews to ensure fixes are effective; validate that improvements align with risk mitigation goals | Post-Implementation Review Documents |
How Our Offensive Security Services can help you
Our company specializes in offensive security services, such as penetration testing, to help organizations enhance their cybersecurity posture. Here’s how we can assist:
Identifying Vulnerabilities:
- Conduct thorough penetration tests to identify vulnerabilities in your network, applications, and endpoints.
- Provide detailed reports on discovered weaknesses, exploit methods, and recommended remediation steps.
Strengthening Security Measures:
- Work with your IT team to patch identified vulnerabilities and enhance security controls.
- Develop and implement secure configurations for systems and applications to prevent exploitation.
Continuous Monitoring and Improvement:
- Perform regular penetration testing to ensure ongoing monitoring of your security posture.
- Help you stay ahead of evolving threats by continuously identifying and addressing new vulnerabilities.
Compliance with NIS2 Directive:
- Ensure your organization meets the penetration testing requirements mandated by the NIS2 Directive.
- Provide comprehensive documentation and reports to demonstrate compliance to regulatory authorities.
Enhancing Risk Management:
- Integrate findings from our penetration tests into your risk management framework.
- Assist in developing and updating your risk assessments and mitigation strategies based on real-world attack scenarios.
Expert Guidance and Support:
- Offer expert guidance on cybersecurity best practices and strategic planning.
- Provide training and awareness programs to enhance the cybersecurity knowledge of your staff.
Are you looking for a better way to secure your business? Whether you need a product audit, vendor security assessment, or overall security testing, we can help. Our team of experts will work with you to identify your specific security needs and provide tailored recommendations to improve your overall security posture.
To find out more about how Black Hat Ethical Hacking can help you, check out our Solutions