Beware of Easy Paths: The Journey Towards NIS2 Compliance

Can you hear me? Is this working?

Okay, great. First of all, it's always difficult to, at the first sentence, to contradict your CEO because it's not a regulation, it's a directive, which is a problem. So we just, we, we need to find that out. We have 20 minutes. I have lots of slides, too many slides to read out and to go through. So I kindly ask you to read through them afterwards. I will always highlight what's on that slide and continue because it's a lot of that if you want to leave for lunch.

Now, my idea for the talk is please make sure that you understand your NIST two compliance and you might be subject to NS two, that this is a journey for your organization. Everyone who tells you I can help you in that, I have a blueprint that works for you, don't trust them, including us. Be aware of easy paths.

Short, look at the agenda for today. This too, in a nutshell, I have to explain what it is, at least a bit. I'm not a lawyer, unlike Fabian, I'm, I'm not an auditor, but I'm a practitioner. So I want to help you in achieving doing the right things.

Oh, and not, not that quick. Then from focus to implementation, what you should you put focus on when you look at Nitish two, apart from what you are already doing and how to implement that and in the end how to implement Nitish two for your organization, that is what I'm aiming at. There is no silver bullet. I don't have the crystal ball, but I want to help you in finding the right decisions. I like that sentence. You have read that I think many times, but it's so true also for this two, for every complex problem, there is this answer that is clear, simple and wrong.

And that's true for N two as well. MS two in a nutshell. First of all, what is it? N two implies that there's AN one, which is ns, that is the networking information systems directive, not a regulation. And that there is a, a main difference for that. First of all, who issues it?

The eu, where does it apply? Hey, eu. So these are the organizations that are in scope and especially organizations that come to our mind when we think of critical infrastructures and that is closely related to that as well. So it's economy, society, energy, transport, banking, health. I read it out as well. Digital infrastructure, public administrations and others. And I've put some icons here just to show the breadth of what actually is included there and that maybe give a hint on, hey, we can't do everything for everybody the same way. When does it come into force?

That's my favorite question. Three answers a NS two is in force. It came into force on the 16th of January, 2023.

Why don't we do anything We should, but it's not, it does not apply for us now because member states have to incorporate that into national law and that's the difference between a regulation dora and it's two that needs to be translated into law and that will imply changes for every member state country in the eu and actually when does it needs to be complied to no matter what the member states do, it needs to be implemented in the next, in 21 months, starting from this effective date that is in answer one. So 21 months not too much. Gives a bit of this GDPR vibe if you remember back then.

So there is a lot of lot to do. Quick look at the text, it's always good to look at the text, especially true phone two. Article one is this thing that says it's not actually enforced right now. It needs to be translated. That's what is underlined here or at least highlighted here. If you look, member states adopt national cybersecurity regulations and strategies into their laws. So it needs to be translated. That's first. So second is who is in focus, who is needs to comply, which are the companies? And there are three terms in here and I don't explain them in detail.

I only say there are different levels of criticality that apply to organizations and you should identify A, are you subject to NI two at all? I guess so, but I don't know. And what is the level of criticality that applies to you? And we have the difference between ES essential, important and critical. Most of us would think these are synonyms. There aren't in that context. So you need to understand which level of, of of criticality applies to you as an organization.

So first, are you second, what are you in the context of these two? That's a step that needs to be taken. Now you understand why I'm running through these slides. Focus is on medium sized and large companies. When we think of NI and of critical infrastructure, there were a set of companies that we could all think of who it's relevant for criers and who should be in scope. Lufthansa easy, big banks, easy pharmaceutical companies, some, some aspects of that. This changes dramatically.

There is a massive tightening of requirements, especially for medium-sized companies and if you look at the definition of medium-sized behind me, this is not medium sized. This is, this can be rather small 50 employees or 10 to 50 million euro turnover. It's not that much. So that's a really expanding scope that needs to be looked at.

Again, are you in scope? That applies as well to identify whether you are in scope the right industry and the right size and the right processes that you deal with. That might be already the case that you are around. Those who need to do something right now, start doing things. NS two is very specific and not in telling you what you need to do. So specific and generic requirements, again a look and the final look at the text and if you look at the list to the right and just skimm it a bit, there's a lot to do. This is article 21 and it starts from policies.

Having the right policies in place as the foundation layer to achieve what you want to achieve. Very important is the aspect of incident handling. We come back to that business continuity planning again. And I look at that. What if you look at the last two CSLS events that we did in Berlin, we had a workshop on incident management and we had a workshop on business continuity management and here we go again. Here it is and it's demanded for. So this is something that is really important and it goes down to final aspect. This I like.

They ask for multifactor authentication, getting rid of passwords. I think this is the most tangible requirement which is in N to itself because in any other case it reflects to other regulations, other frameworks, other standards which sectors are affected. There is a long list included in some of the appendixes and you should really or the annexes, sorry for that. So you should really check the list of industries that are in scope and also the more detailed descriptions whether you are in scope. The first step for your Nitish two compliance is understanding what you need to do.

So I don't read the list out I I think everything that's more or less critical infrastructure is involved and more. And also the smaller ones. If you are a supplier to an organization that is considered to be critical, chances are good that you are involved, but I'm not a lawyer. Ask Fabian The enforcement upholding standards. And now we get to slides we all hate. Just a short side note, we all hate smart art in word or in in PowerPoint. We have lots of text and transfer that into something that's not that ugly as plain text but nobody reads it.

So we have four slides or five slides in that type, which I just quickly walked through and I kindly ask you to read them afterwards because there's a lot of information in there. This is the slide about the enforcement, about what the EU needs to do, what member states need to do. And there is a lot of that. It starts with oversight by the EU and the nation state countries. They implement sanctioning power and quite drastic sanctioning power, power comparable to GDPR.

If you know the figures that are in GDPR, this is the ballpark where we are dealing with, there will be and there are supervisory bodies and there will be cross border collaborations or EU member states will work together and organizations are expected to work together also cross borders and everything down to public private partnership. As I said, I can't read it out all, but these are the enforcement principles that are built into NS two. So lots of enforcement, so don't expect to go under the radar. I don't expect that to happen.

From focus to implementation was my next headline of this, of this three at the point agenda. And the question is what should we focus on? Focus means for me that we understand what needs to add to what you have not yet done.

Again, there is an old proverb, I've tried to find that out and I've found it A misfortunes never come singly. And the same is true for regulations, standards, certifications, and directives. So the good thing is you have this big block of already implemented frameworks in within your organization. You can reuse that at least to ask you to do so to identify what you're already doing and if you're missing something, so this is a portfolio analysis, then you need to find out what you're not doing. So this to doesn't tell you to do anything else than multi-factor authentication. That's a this two.

Anything else? That's okay. Look at ISO 27 0 1. That's fine. Look at nist, look at everything that you have. BAIT if your financial organization should do well. And if you think of the presentation from the colleague from Bunes Bank, he said if you implement Dora units two compliant, I like that statement. Have not heard yet that, but that sounds good to me because it's the same kind of regulations. What is missing? Typically when we think of this Lego or building block thing that we have seen before, I've put out four aspects.

First of all is risk, risk management, risk assessment, risk mitigation and emergency plans. Second is incident management. That is somewhere in these regulations but it's not as good as this. It's required by MS two. If you look at that over there, 24 hours initial report to everybody who is affected define affected 24 hours. This is a challenge. This demands for good processes and 72 hours with an analysis of what has happened in an incident. Next supply chain. You are not alone. You are depending on your peers and they are delivering services to you.

So you need to understand that they are too compliant as well. You need to prove as a small supplier that you are compliant to your upper elements in the supply chain. And finally, cyber hygiene including security, access control and other measures. So these are the aspects that I would like to focus on. This is not a comprehensive list, but this is why usually organizations are not that good, even if they are ISO 27 or one compliant or have a have a tza certification, et cetera. So all of this might be something where you want to want, want to have a little focus on how to implement that.

Implementing is always a way move forward. So that is a road and I go back to the guiding principle of risk management because this is at the bottom of everything that NTU asks for. NTU promotes a risk-based approach, which is nicely put in the end. You can see beyond encouragement. There is a mandated comprehensive risk assessment and mitigation strategy for all covered entities. So in the beginning it says you are encouraged to do so and the said, yeah, you have to. So risk management and understanding your individual risks is at the core.

And again, I've put these six icons here, that's the same list as before. Risk for energy is different than risk for public administration is different to the to the risk of banking. So the risk assessment is at the core.

What asks, what does needs to ask on top of that. Again, smart art.

You know, just quickly going through that, we want to move from risk to cyber resilience. So it's not only achieving cybersecurity. Oh there's a danger, switch it off.

No, you need to continue run. That's AT approach that you know of. So there need to be mandatory security measures, continuous improvement. And you need to be ready for incident. You need to be ready for incident handling and for reporting obligations. That includes sharing incident information with your peers and with other involved parties. That includes anonymization for example, of of of incident information. Because you want to share it, you have to share it.

This is something that many organizations are not yet well prepared and that that's the reason why I have a special slide for that because it goes more into detail regarding these requirements. I kindly ask you to load to download the PDF. That is this slide deck because there's a lot of information there and you can drill down from that. It's not comprehensive. So you need to define your incidents, you identify your reporting protocols, whom to talk to, who are the usual suspects to talk to.

That's what again Fabian mentioned, talk to the right people, have the proper communication in place, but also information sharing even across confidential confidentiality concerns. Final step, that's the left corner of this four point bullet diagram that I had extending the security perimeter your supply chain is in at in scope.

And again, if you look at other cybersecurity events that we executed in the last years, cybersecurity, cybersecurity, supply chain risk management long acronym was something that was on our radar well before. And here we go, here it comes again. And now it's mandated for. So do a vendor assessment not only once but all the time. Continuous monitoring, incident response coordination. When you have a cloud provider and you are using that, maybe you want to talk to them, not just web provider, that's simple.

Although it might be a shop, but also cloud platform, lift and shift applications, information sharing and ideally being proactive and having some strategic partnerships within your supply chain and beyond having to check the which. Okay, but yeah, I I I've inherited a few minutes so sorry for that, but I'm, but I'm speeding up NIST two for your organization. What does that mean? Now that we've heard what it is, at least in a nutshell, a big nutshell, but a nutshell. And on the other hand, how, what, what should we focus on when we want to move to these two on top of what we already have?

You are not starting from scratch. Here we go with beware of simple solutions.

If you, if you look, I've, I've just this morning started my LinkedIn and I got a, a big announcement as big as my smartphone display could present it. We help you in being NI two compliant by improving your access governance.

Okay, my stance sure helps. It's a building block of one of these Lego blocks that was on that slide before. But it will not help you in achieving these two compliance. It will make sure that you don't fail it. But this is not sufficient at all. But it'll help. So be careful. And of course we will always see these things now with built-in these two compliance. Yet these are tools that help you. But that's it. So these new regulations, directives come with the promise of a gold rush for all people involved.

Vendors, Analysts, yes, Analysts as well. Consultants, everybody. Because they say okay, there is business there and it is and we need to act. And we need to act, yeah, soundly properly, appropriately. And like a good ransomware attack. High potential panel penalties, tie deadlines and a lack of clarity. Improve the pressure. Now you have to act. That's the way how ransomware attacks not no, no pun intended here. You really need to make sure that you do the right thing at the right time. So what do you should you need to do? Be careful with what you implement. Start from the risk assessment.

We will get back to that. And don't trust one size fits all solutions. So one size does not fit all, I'm quite sure. So you need to understand what is relevant for your own organizations. You will have an a unique cyber ecosystem. You will require tailored security controls derived from these standards, derived from that frameworks, but appropriate for your use case so that the auditor can come and say, okay, what are you mitigating and why can you prove that is this is really useful? That this really mitigates your risk. That is what we're aiming at.

So you need to be flexible in your own strategy. And we as Analysts consultant companies, as consultant companies, individual freelancers need to understand that the need to fulfill the needs of the individual customer, the individual organization beyond box ticking specific aspect SMEs, we start, we have seen this medium sized definition, 52 something. They will have a different way of dealing with that because they cannot afford everything. They have all these constraints that are here. So resource constraints, knowledge and skill gaps. How do they deal with that?

They need a tailored strategy. There is no easy answer that I can say, okay, SMEs need to do that way. And bigger companies can do it that way.

No, it needs to be based on a risk assessment and the right proper measures in place. And that is where we want to move forward with final slide. And that is the good thing. Good for us as cybersecurity experts. That is the first sentence. And this is for me, the core of this presentation. Needs two. Finally puts an end to the notion that compliance is a matter of taking a few steps and periodically ticking off the controls that have been implemented. That time is over, finally, at least with missed two, that's over. We need to take a new approach.

We need to start with risk in the beginning. We need to understand what is really behind that and then embark on their journey implementing that. And this two, compliance is not a simple thing. It requires a well thought out strategy. And we should start yesterday. Thank you.