Keep NIS2 simple with a complete cyber-protected solution including AI anomaly detection

Markus Stumpf — 11. March 2024

Building cyber resilience: how companies can implement substantial parts of NIS2 quickly and simply

NIS2 - and one tool that can do everything? The truth is that expertise that does what YOU need is rarely found in the one application that can do "everything" - if such a thing exists - and that expertise can take you much further. Here we show you which of the NIS2 criteria you can implement with a cyber-resilient backup solution from a single source.

A simplified illustration of what NIS2 is intended to achieve is provided by the NIST framework (diagram). From our point of view, NIST clearly describes what the BSI basic protection catalogue in Germany or other frameworks also say. What does cyber security achieve, and how far does it reach? Where does cyber resilience begin, and who is responsible?

Cyber resilience is more than cyber security

Largely ignored by legislators until now, cyber resilience becomes a mandatory topic for almost all companies under the EU directive NIS2, which even makes those responsible for management personally liable for its implementation. And this will happen within quite a short time.

For IT decision-makers, the focus has so far been on the challenges in the area of cyber security. Today, cyber security approaches that aim to prevent attacks from the outset are widely understood and budgeted, to the point that a separate C-level role has been established at organisational level: the CSO, who takes care of this topic with a dedicated team.

In contrast, cyber resilience is still severely under-resourced, as it has not been such a hot topic.
Until now, that is, thanks to NIS2. As companies do not yet have a "cyber resilience unit", this part is currently being tackled by completely different people in the company - usually those involved in the general IT infrastructure.

The ability to "recover" from an attack as quickly and unscathed as possible (cyber resilience) is probably a lesson learnt from the recent past and present, in which cyber attackers measurably penetrate systems much earlier, or remain in them for much longer, before launching an attack.
Ransomware in the backup area can massively undermine disaster recovery options if a company is not prepared for it.

In the long term, NIS2 poses the question: are you prepared for an emergency, so that your data is back in operation as quickly and seamlessly as possible and you can continue working?

From our experience in distribution, we know that every company has a more or less up-to-date backup concept or solution design. Until now, however, the allocation of resources determined whether these were revisited from a cyber resilience and optimisation perspective.

With NIS2, this is now worth doing in any case, as the new EU directive casts cyber resilience into law. Who is affected, and how can the requirements be met as quickly and comprehensively as possible in the time remaining until 17 October 2024?

NIS2 - How it works

All companies with more than 50 employees or more than 10 million in annual turnover, as well as those in critical sectors, fall under NIS2, which distinguishes between "Essentials" and "Important".

Almost all companies are therefore covered, with a particular focus on KRITIS and the healthcare sector, as well as energy, transport and digital infrastructure (i.e. companies affected by DORA).

How does NIS2 impact you?

A particular feature of the directive, when it comes into force on 17 October 2024, is that responsibility will be associated with direct liability for managing directors and board members. High penalties will force them to actually and measurably do more to implement cyber resilience.

Benefit from NIS2 for yourself

The aim of NIS2 is to strengthen cyber resilience and provide better protection against attacks.

However, NIS2 also has benefits for companies, depending on how the topic is approached. The fact is that NIS2 has to be implemented now anyway. But it is also possible - and this is the decisive advantage of NIS2 - that companies that have implemented NIS2 as far as possible will gain a clear competitive advantage.

  • Increased resilience not only helps us in the event of cyber attacks, but also makes us generally more agile in responding to events.
  • NIS2 compliance makes companies in many sectors more attractive than competitors who have not yet implemented it.
  • Risk minimisation, also in terms of cyber insurance, is possible.
  • AI-based approaches open up powerful new opportunities for support.

However, companies must first make their NIS2 compliance visible themselves, as there is no ISO certification available.

NIS2 from a data protection perspective: Good traditional backup

The five subject areas that we offer in our solutions and services are described in the NIS2 guidelines. The solution design of VIKING Backup Guardian is based precisely on these topics, such as zero trust, modern air gap and DR tests. The VIKING Backup Guardian features and services are already "NIS2-ready".

VIKING Backup Guardian covers the large number of requirements demanded by NIS2
Areas and tasks covered by the fully managed service and solution "VIKING Backup Guardian"

It is worth consulting an expert: What is NIS2 actually about?

Essentially, NIS2 is about describing the implementation of the directive. That's half the battle. The solution used - whether it is Rubrik or Cohesity, or another solution - does not matter. What matters is whether you can demonstrate regular restore tests, for example, which in theory is also achievable using Excel. Large companies will issue guidelines to their departments so that internal standards are developed, e.g. an air gap copy of all data, while the IT department will have to describe how this is to be achieved.

Modern solutions can be of great help to companies. After all, you should be aware that NIS2 will not be finished with a bundle of measures; in future it will be a recurring to-do with a lifecycle.

Modern, smart solutions should offer companies and IT teams enormous resource savings. We developed a fully managed service solution long before NIS2 that is technologically at the cutting edge of the market, as it already starts with detection. From detection onwards, all steps are automated and AI-driven:

  • Detection of malware in backup data
  • Malware clean-up
  • Regular DR tests
  • Weekly recovery assurance
  • Includes versioning, reports and documentation.

From our experience, many tasks that IT teams cannot manage in their daily business are thus already completed - on the go. Thanks to rapid deployment and our underlying service, companies can simply tick off more than a third of their to-dos when implementing NIS2.
