The NIS2 Directive has reshaped the cybersecurity landscape in the European Union. New regulations mean stricter rules on businesses to ensure they combat rising cyber threats. If you run a medium- to large-sized business in the EU, it’s important to understand these changes to remain compliant and, in turn, keep your business safe.
Following on from our recent blog, NIS2 is coming: what should EU domain resellers do?, we sat down with Prasad Fernando, Head of Development at Openprovider, to talk about what the new directive means for businesses operating in Europe.
What is the headline message about the NIS2 directive and what does the new directive mean for Openprovider customers?
The primary objective of the NIS2’s Directive is to create cyber-resilient systems in the face of new and more complex security challenges following the accelerated digital transformation of society during and after the COVID-19 pandemic. One major change facing customers in certain key sectors will be the requirement to create dedicated incident response teams. There will also be greater demands in terms of risk management and cybersecurity governance.
What businesses will be most affected by the new directive?
The most important business entities under the NIS2 directive are those involved in areas such as energy, transport, banking, financial market infrastructure, healthcare, drinking water, wastewater, digital infrastructure, ICT service management, public administration, and space.
The NIS2 Directive highlights two types of entities: essential entities and important entities. An essential entity is a large organization with a minimum of 250 employees with an annual turnover above €50 million or more. An important entity, on the other hand, is a medium-sized enterprise of between 50-250 employees.
Can you give us a brief overview of the requirements of the NIS2 Directive that domain resellers, web hosters, and marketing agencies should be aware of?
The NIS2 directive imposes stricter requirements on organizations in terms of risk management, incident reporting, and cybersecurity governance. It promotes cooperation between European Union member states and organizations to improve cybersecurity resilience. It’s important to note that the NIS2 Directive includes potentially large financial penalties for non-compliance.
What kind of impact will the NIS2 directive have on security incident responses and communications?
According to the NIS2 Directive, each organization must create its own Computer Security Incident Response Team (CSIRT).
This Computer Security Incident Response team should:
- Maintain highly available communication channels, preventing single points of failure.
- Have several means for being contacted and for contacting others at all times.
- Create a tiered plan for incident reporting and eliminate divergences in incident reporting thresholds.
- Interact with a national competent authority to provide information regarding the implementation of mitigation measures. A cybersecurity incident should be reported to the Member States CSIRT group within 24 hours of identifying a significant incident, and the official notification should be reported within 72 hours of the incident.
- Ensure that the CSIRT group and supporting information systems are be situated in a safe location.
The NIS2 directive is having a profound impact on organizations across the European Union in terms of security-related processes. What changes had to be implemented at Openprovider to ensure NIS2 compliance?
As soon as the new directive was announced, Openprovider management set about defining the steps needed to adhere to the NIS2 Directive. This led to the creation of our Computer Security Incident Response Team (CSIRT). The company quickly invested in providing NIS2 Directive training to the Information Security Manager and, soon after, we created the policy control documents for asset management, risk management, cybersecurity controls, supply chain security, incident management, crisis management, business continuity, awareness and training, and communication and testing in cybersecurity. Lastly, after a recent Friday Download – our company-wide online weekly meeting – we held a company town hall meeting during which I gave an 81-slide presentation about the NIS2 Directive.
As you have just explained, the implementation of NIS2 policies has required a tremendous amount of planning and teamwork across the organization from day one – what impact has the new directive had on day-to-day operations at Openprovider?
I can proudly say that, through the implementation of NIS2 Directive policies, we have strengthened our cybersecurity resilience. These new policies led us to implement stronger passwords, two-factor authentication (2FA), asset management, risk mitigation, supply chain security, business continuity, and other important security policies.
Being a fully remote company, we have initiated new security measures, such as secure remote access solutions, virtual private networks (VPNs), and endpoint security tools. We have also increased our overall vigilance by implementing more stringent procedures to protect sensitive data.
These include:
- Regular training for employees.
- Heightened monitoring of network activity.
- Stricter access control.
We focus on supply chain security to prevent breaches that could originate from third-party vendors or partners, and we have put in place a robust incident response plan that is essential to minimize the impact of a cyberattack and ensure a swift recovery.
We’re in an age where the volume and complexity of security threats are increasing by the day and we are determined to be proactive and on the front foot in order to enhance prevention initiatives and, in turn, minimize risk. To this end, Openprovider is actively enhancing security technologies by investing in advanced security technologies such as firewalls, digital network intrusion detection systems (IDS), and digital network intrusion prevention systems (IPS). Encryption is now standard practice to protect sensitive data from unauthorized access. Meanwhile, we use strong identity and access management (IAM) solutions to control who can access systems and data, reducing the risk of unauthorized access. Openprovider has adopted 100% cloud-based services and cloud security measures, such as encryption, access control, and vulnerability management.
In the European Union, new legislation and regulations pose challenges to smaller companies that do not necessarily have the resources to ensure compliance without disrupting their business (and losing money). How can Openprovider help these businesses in this regard?
With 20 years in the business, Openprovider has established itself as a trusted and transparent partner. We understand the challenges faced by smaller companies in the area of compliance – it is a process that requires significant resources, both in terms of time and money. Therefore, we are more than happy to share our knowledge and expertise to help our customers in cybersecurity compliance and management. With regards to the latest legislation, for example, we can show our partners how to implement the NIS2 Directive with proper incident management and reporting. What’s more, Cybersecurity Awareness Month has been the perfect platform for us to provide important and up-to-date information about the acuity issues that businesses face today.
—-
At Openprovider, we’ve been at the forefront of domains for 20 years, and we are constantly evolving to stay ahead of the curve when it comes to cybersecurity. By blending human expertise with innovative technology like AI, we strive to maintain a safer, more secure online space for everyone. We are proudly ISO 27001-certified and NIS2-compliant.
If you have any queries about the new NIS2 Directive, please contact our support team.
