What the NIS2 Directive means for application security

The Network and Information Systems 2 (NIS2) Directive, which goes into effect in Oct 2024, aims to enhance the security of network and information systems throughout the EU. The directive mandates operators of critical infrastructure and essential services to implement appropriate security measures and promptly report any incidents to the relevant authorities and affected parties. By October 17, 2024, organizations must adopt and publish the measures necessary to comply with the NIS2 Directive.

NIS2 is an evolution of the Network and Information Systems (NIS) Security Directive, which has been in effect since 2016. While NIS was successful in raising awareness, improved incident reporting, and encouraging investment in cybersecurity, its limited scope and inconsistent implementation across EU member states hindered effectiveness. NIS2 intends to address these issues with expanded scope (e.g., potential impact instead of simply realized harm) and more prescriptive guidelines.

What is the NIS2 Directive?

In contrast to the original NIS Directive, the NIS2 Directive broadens the scope of its EU-wide security standards, encompassing a significantly larger array of industries and organizations within its regulatory framework. The primary purpose of the expansion is to enhance supply chain security, streamline reporting requirements, and enforce stricter cybersecurity risk management measures across the EU. The goal is to ensure the protection of EU’s critical digital infrastructure and that organizations are maintaining a high standard of cybersecurity resilience.

Organizations will undergo classification into distinct categories based on their significance, grouped as either essential or important. This categorization is based on factors including the organization’s association with a critical sector and its overall size.

NIS2 incident reporting requirements

The NIS2 Directive aims to achieve a high level of cybersecurity resilience across the EU. Compared to the original NIS Directive, NIS2 will introduce stricter reporting guidelines and requirements for all essential and important entities. Keeping this in mind, the following are the three major stages of reporting requirements and their timelines to follow for the NIS2 Directive:

• Early warning within 24 hours of the incident to a computer security incident response team.
• Incident notification within 72 hours of the incident (must include initial assessment, severity, IoCs).
• Final report within 1 month (detailed description, type of threat that triggered it, applied and ongoing remediation strategies, scope, and impact).

What types of incidents must be reported?

According to the NIS2 proposal, an incident shall be considered significant and must be reported if any or all of the following are true:

• The incident has caused or has the potential to cause substantial operational disruption or financial losses for the entity concerned.
• The incident has affected or has the potential to affect other natural or legal persons by causing considerable material or non-material losses.

This goes far beyond the reporting obligation under the NIS Directive. Under NIS2, the presence of a critical vulnerability is sufficient to trigger a reporting obligation.

NIS2 risk management process and accountability requirements

NIS2 aims to enhance the security posture of organizations to tackle evolving cyber threats, potentially bringing about significant changes in operational approaches. It’s important to ensure your organization has thoroughly reviewed its risk management process and is well aware of the requirements.

The following are the general requirements for reporting for the NIS2 directive:

• Risk management: Organizations are obligated to execute a comprehensive set of critical measures designed to effectively mitigate cyber risks. These imperative steps encompass a multifaceted approach, including robust incident handling protocols, elevated supply chain security measures, enhanced network security strategies, improved access control mechanisms, and implementing advanced encryption techniques.
• Reporting obligations: Organizations are obligated to meticulously establish and implement procedural frameworks for the prompt reporting of cybersecurity incidents that wield a significant impact on both their business operations and users. These established procedures will encompass precise notification timelines and incorporate an initial “early warning” stage, which requires reporting within the stipulated timeframe of 24 hours from the identification of the cybersecurity incident.
• Corporate accountability: It is the organizational board of directors and executives’ responsibility to actively oversee, formally endorse, and actively participate in comprehensive training programs concerning the organization’s cybersecurity risk management posture, with emphasis on effectively addressing and mitigating emerging cyber threats.
• Business continuity: Organizations are required to strategically plan and articulate a comprehensive strategy to ensure seamless business continuity in the face of potential cybersecurity incidents. This methodology should intricately cover various facets including but not limited to systematic measures for efficient system recovery, the formulation and implementation of emergency protocols, and the establishment of a well-structured crisis response team to effectively navigate and manage the aftermath of any cybersecurity incidents.

How should application security teams prepare for the NIS2 Directive?

To achieve the Directive’s goal of increasing cyber resilience, there must be a full picture of current risks, threats, and trends in real time. Indeed, applications were the top vector in both attacks and incidents in 2023. Application security must inform any robust NIS2 compliance strategy.

As the pace of digital transformation accelerates, the cloud applications supporting digital infrastructure become more complex. The sheer volume of new critical vulnerabilities that teams must investigate to determine reporting can divert resources away from innovation. Simultaneously, there is a shortage of application security skills. This creates a heightened risk for organizations striving to meet incident reporting deadlines. These larger trends make it imperative to enhance and streamline application security analytics and reporting processes through intelligent automation.

To overcome these challenges, organizations must aim to incorporate real-time insights into their overall security posture. This practice fosters end-to-end visibility across hybrid and multicloud environments. This goal requires converging observability and security, along with automating runtime vulnerability analytics. This convergence unlocks crucial insights into the severity and impact of cybersecurity incidents. It also facilitates a prompt assessment of vulnerability urgency. 

Best practices

As cyberattacks continue to evolve, it’s essential to ensure your organization is prepared with a strong cybersecurity risk management process. To be fully prepared for these risks, consider including the following best practices within your application security risk strategy:

1. Continuously monitor for application vulnerabilities and cybersecurity risks. Identify vulnerabilities before they are exploitable. Leverage topology-aware, observability-based solutions to rapidly assess the scope and impact of application vulnerabilities. Operationalizing this best practice will enable teams to meet the quick 24-hour and 72-hour reporting deadlines that NIS2 will mandate.
2. Adopt a “zero-trust” mindset for application vulnerabilities in third-party applications. As recent high-profile exploits of vulnerabilities like Log4Shell and MOVEit have shown, it is not enough to trust that your vendors are delivering secure software. At the same time, monitoring the software bill of materials provided by the vendor can be both tedious and unreliable. Continuously monitor all third-party application runtimes in your environment for critical vulnerabilities and hold vendors accountable for timely remediation.
3. Conduct threat hunting for critical zero-day vulnerabilities. Actively search for abnormal or suspicious activities that may indicate an exploit attempt on a zero-day vulnerability. Use a combination of tools and methodologies to systematically search through systems to find indicators of compromise. Continuously improve effectiveness through iterations and create a thorough plan of remediation to target these zero-day vulnerabilities.
4. Implement consistent feedback loops and educate your organization. Address the root cause of cybersecurity incidents & fix vulnerabilities promptly. Revise security process gaps, policies, and procedures. Establish a strong framework for cybersecurity training and education, ensuring board of directors/executives and employees are knowledgeable of their cybersecurity risk management approach and business continuity strategy in the event of a cybersecurity incident. 

How Dynatrace can help organizations adapt to NIS2 with ease

The NIS2 Directive encourages organizations to strengthen their resiliency to cyberthreats. To ensure complete preparation for the directive, organizations should adopt a platform that continuously identifies and prioritizes vulnerabilities, provides insights for quick remediation, blocks cyberthreats in real time, and provides the analytics capabilities needed for investigation and response.

The Dynatrace platform leverages observability turbocharged by causal AI. This combination enables teams to distinguish real vulnerabilities from potential risks and prioritize remediation based on severity. Automated real-time analysis of the extent and severity of the exposure will help teams quickly determine if the incident triggers a reporting obligation. With observability-powered application protection capabilities, incidents can be averted as exploit attempts can be automatically blocked. With Security Analytics, teams can turbocharge threat hunting and incident response and reduce the likelihood of a reporting obligation.

Finally, teams can leverage observability insights to document all reasonable measures taken to prevent business and customer disruption. In the event of a successful exploit, this audit trail could help prevent loss of reputation and regulatory action.