NIS2 - what it is, who is subject to it and how the cloud relates to it
The European Union's new directive, NIS2 (Network and Information Security Directive 2), sets cyber security standards for critical and relevant member-state entities. Replacing the original 2016 NIS Directive, NIS2 introduces more precise and stringent requirements to strengthen resilience against cyber threats in an increasingly digital world. From a business, government, and IT perspective, its impact is enormous, especially with the growing importance of cloud services.
What is NIS2?
The NIS2 Directive, adopted in 2022, responds to the rapidly changing cyber threat landscape and the increasing number of cyber attacks. Compared to its predecessor, NIS2 covers a broader range of sectors and businesses while introducing a more harmonized approach to security management across the European Union.
A key objective of NIS2 is to enhance the security of networks and information systems vital to the functioning of the economy, society, and public administration. The directive sets out requirements for risk management, incident response, and cyber incident reporting.
Who is subject to the NIS2 regulations?
The NIS2 Directive expands the scope of entities that must comply with the new regulations. While the previous version mainly covered key service operators and digital service providers, the scope has been significantly broadened.
The entities covered by NIS2 can be divided into two main categories:
- Key entities - covering sectors critical to the functioning of the state and the economy, such as:
  - energy,
  - transport,
  - health,
  - financial sector,
  - water and wastewater management.
- Relevant entities - covering sectors such as:
  - postal and courier services,
  - waste management services,
  - chemical industry,
  - information and communication technologies (ICT).
The directive covers large organizations, as well as small and medium-sized enterprises whose activities are critical.
Obligations under NIS2
Regulated entities must comply with several requirements, including:
- implementation of risk management systems,
- reporting of security incidents,
- ensuring adequate resources for cyber security management,
- conducting security audits.
In addition, new rules on board members' liability have been introduced. In practice, this means that executives must be involved in cyber security issues and can be held liable for failing to fulfill their duties.
How does NIS2 affect the IT sector and cloud services?
One of the key aspects of NIS2 is the growing importance of cloud services in data management and processing. Due to their flexibility and scalability, these services have become a cornerstone for many organizations, particularly in the sectors regulated by NIS2.
The role of the cloud in NIS2 compliance
Cloud computing plays an essential role in security strategies. In the context of NIS2, cloud services can be both a challenge and a solution. Here are the key aspects related to the cloud in the context of the directive:
- Ensuring resilience and scalability
  - Cloud providers offer advanced security mechanisms, such as data backups, redundancy systems, or automatic scaling, to respond to load growth.
- Risk management and regulatory compliance
  - Leading cloud providers, such as AWS, Azure, and Google Cloud, are introducing compliance mechanisms for various regulations, including NIS2 requirements. Many of these platforms offer security auditing and monitoring tools.
- Shared responsibility
  - It is worth remembering, however, that the cloud model is based on the principle of shared responsibility. This means that the cloud provider is responsible for the security of the infrastructure, but the organization using the cloud must configure and secure its own applications and data.
- Reporting and transparency
  - One of the challenges arising from NIS2 is the need for timely reporting of security incidents. Working with cloud providers that offer advanced monitoring systems can significantly facilitate this process.
Choosing the right cloud provider
For organizations subject to NIS2, choosing the right cloud provider is crucial. When making a decision, it is worth looking at:
- security certifications (e.g. ISO/IEC 27001),
- location of data centers,
- data storage and protection policies,
- technical support available for regulatory compliance.
Challenges in implementing NIS2
Implementing NIS2 requirements can be challenging, especially for smaller organizations. The main difficulties are:
- lack of resources and competence in cyber security,
- the need to invest in new technologies,
- adapting existing processes to the requirements of the directive.
Outsourcing security services and using cloud-based tools to help meet regulatory requirements can be a solution.
The future of NIS2 and cyber security in Europe
The introduction of NIS2 is essential to building a more resilient digital ecosystem in the European Union. In the long term, the directive can help improve security standards and risk management awareness.
For organizations and cloud providers, this means challenges and opportunities to evolve toward innovative solutions to support regulatory compliance.
NIS2 is not just an obligation - it is also an opportunity to raise the level of trust of customers and business partners, which, in the face of increasing cyber threats, is becoming an essential element of competitive strategy.