NIS 2

What is the NIS 2 Directive?

The NIS 2 Directive, officially Directive (EU) 2022/2555, is a significant enhancement over its predecessor, the original NIS Directive (Directive (EU) 2016/1148). It aims to establish a high common level of cybersecurity across all EU member states and was adopted to address the escalating range and sophistication of cyber threats and to strengthen the overall resilience of network and information systems within the EU. Member States had to transpose it into national law by 17 October 2024, the date on which the original NIS Directive was repealed.

Key changes introduced by the NIS 2 Directive include an expanded scope of sectors and entities covered. Where the original directive focused primarily on sectors such as energy, transport, banking, health and drinking water, NIS 2 extends to additional sectors such as postal and courier services, waste management, and public administration. The directive also imposes stricter security and incident reporting requirements, reflecting the need for higher security standards in the face of advanced cyber threats.

Why is the NIS 2 Directive Important for Your Company?

  1. Enhanced Cybersecurity Measures: The NIS 2 Directive mandates rigorous cybersecurity risk management and reporting obligations. These requirements are designed to ensure that entities, especially those deemed essential or important, maintain a robust defense against cyber disruptions. This is critical for the sustainability and security of operations in today’s digital age.
  2. Compliance with Legal Requirements: Being compliant with the NIS 2 Directive is not only a legal obligation for entities within its scope but also a crucial step in safeguarding against potential penalties and reputational damage that could arise from non-compliance. The directive includes stringent enforcement mechanisms: Member States must provide for administrative fines of at least up to EUR 10 000 000 or 2 % of total worldwide annual turnover (whichever is higher) for essential entities, and EUR 7 000 000 or 1.4 % for important entities, alongside stronger supervisory powers and, for essential entities, the possibility of holding management bodies personally liable for breaches of the risk management obligations.
  3. Strengthening Resilience to Cyber-attacks: The directive highlights the importance of cybersecurity as a pillar of operational resilience. By complying with NIS 2, companies enhance their capability to prevent, detect, and respond to cyber incidents swiftly and effectively. This improved resilience is vital for maintaining trust and ensuring the smooth operation of critical services that society relies on.
  4. Opportunities for Business Improvement: Beyond compliance, the directive encourages organizations to adopt advanced cybersecurity measures, which can drive operational efficiencies and innovation. The focus on risk management and security can also lead to enhanced business processes and a competitive advantage in sectors where trust and security are paramount.
Overall, the NIS 2 Directive serves as a cornerstone for modern cybersecurity practices in the EU. By complying with its requirements, companies not only adhere to legal standards but also significantly enhance their cybersecurity posture, contributing to their long-term success and sustainability in an increasingly digital world.

Tailored Cybersecurity Solutions: NIS 2 Compliance Bundles

Empowering Your Business with Customized Protection and Compliance Strategies

Bundle #1 – NIS2 Awareness, Training & Incident Response

Incident Response Handbook
  • Tailored Playbook: Custom incident response playbook designed for specific sectors, activities, and company types.
  • Training and Education: Comprehensive educational programs to equip your team with knowledge and skills for cybersecurity.
  • Support Hours: A 40-hour support package from the Kaspersky team to assist during incidents or for forensic analysis.
Kaspersky Interactive Protection Simulation
  • Gamified Awareness Session: An engaging, gamified session using simulation to teach incident response.
  • Multidisciplinary Teams: Suitable for diverse teams including executives, IT, and operational technology personnel.
  • Participant Capacity: Accommodates up to 100 participants.
  • Certification: Participants will receive a certificate upon completion.

Bundle #2 – NIS2 System and Network Development, Acquisition & Maintenance

ICS Security Assessment
  • Layered Pentesting: Comprehensive penetration testing across various layers including network, hardware, and software.
  • White and Black Box Testing: Rigorous testing methodologies to scrutinize system security from both known and blind spots.
  • IT and OT Evaluation Capability: Proficient in conducting detailed assessments at both Information Technology (IT) and Operational Technology (OT) levels.
  • Specific Vulnerability Identification: Expertise in pinpointing precise vulnerabilities within your systems and networks.
KICS XDR
  • Integrated KICS Platform: A full-spectrum KICS solution encompassing network and node integrity, including:
    • OT-Specific EDR: Endpoint Detection and Response tailored for OT endpoint security.
    • IDS and NTA: Intrusion Detection System and Network Traffic Analysis for OT network visibility and monitoring.
  • Centralized Management: Streamlined oversight of your cybersecurity landscape for optimum efficiency and response.

Bundle #3 – NIS2 Basic Awareness Package

Kaspersky Interactive Protection Simulation
  • Gamified Awareness Session: A simulation-based game designed to raise awareness and train participants in incident response.
  • Multidisciplinary Engagement: Suitable for teams across the board including executives, IT, and OT professionals.
  • Broad Participation: Can accommodate up to 100 individuals.
  • Certification: Confers a certificate upon successful completion.
Kaspersky Industrial Cybersecurity Basic Training
  • OT Cybersecurity Training: A 3-hour session tailored for various roles including IT/OT professionals and executives.
  • Level: Beginner, making it accessible for all knowledge backgrounds.
  • Group Size: Designed for small to medium groups, from 10 to 25 participants.
  • Flexible Delivery: Available in both in-person and remote formats to suit your team’s needs.

Bundle #4 – NIS2 Full Awareness Program

Kaspersky Interactive Protection Simulation
  • Gamified Awareness Session: Engaging simulation-based game designed for learning and practicing incident response.
  • Cross-Functional Applicability: Ideal for diverse groups including executives, IT, and OT professionals.
  • Capacity: Supports up to 100 participants in a session.
  • Certification Provided: Participants will receive a certificate of completion.
Kaspersky Industrial Cybersecurity Basic Training
  • OT Cybersecurity Training: A 3-hour introductory course on OT cybersecurity tailored to various roles.
  • Experience Level: Beginner level, perfect for participants across all knowledge levels.
  • Group Size: Optimal for groups ranging from 10 to 25 participants.
  • Delivery Method: Flexible options with in-person or remote training sessions.
Kaspersky Automated Security Awareness Platform (KASAP)
  • Automated Cybersecurity Awareness: A comprehensive automated platform for cybersecurity awareness training.
  • Customized Learning Modules: Features various modules with tailored plans based on level and role, including phishing campaign simulations.
  • User Capacity: Designed for up to 100 users, ensuring extensive reach within your organization.

Bundle #5 – NIS2 Threat Intelligence Suite

Digital Footprint Intelligence (DFI)
  • Data Asset Monitoring: Continuous surveillance of asset exposure and data leakages.
  • Dark Web Vigilance: Monitoring and vigilance across dark web platforms and forums.
  • Periodic Reports: Regularly updated reports based on intelligence discoveries to keep you informed.
Kaspersky ICS Threat Intelligence Reporting
  • Annual OT Sector Reports: One-year subscription providing specialized reports for the OT sector.
  • Accessible Insights: Gain access to detailed reports, executive summaries, and newly discovered IoCs via Kaspersky’s TIP platform.
Threat Data Feeds
  • Threat Intelligence Integration: Threat data feeds (IoCs and metadata) to bolster the detection capabilities of cybersecurity tools (SIEM, EPP/EDR, firewalls, IDS/IPS, etc.).
  • Malicious Hashes: Kaspersky ICS-specific threat data feeds targeting malicious file hashes.
  • Vulnerability Feed: Comprehensive feeds detailing vulnerabilities affecting systems and software.
  • IoT URL Data: Specialized feeds to protect against IoT-based threats and malicious URLs.

Bundle #6 – OT Cyber Starter Pack

Kaspersky Interactive Protection Simulation
  • Interactive Learning Game: A simulation game designed to increase awareness and train for incident response.
  • Versatile Training: Ideal for diverse groups, including executives, IT, and OT professionals.
  • Large-Scale Engagement: Allows for up to 100 participants per session.
  • Certification Awarded: Certificates are issued to participants upon completion.
KICS for Nodes
  • EDR Licenses for Servers: KICS for Nodes Endpoint Detection and Response licenses for server nodes, available in 1- or 3-year terms.
  • EDR Licenses for Workstations: KICS for Nodes Endpoint Detection and Response licenses for workstation nodes, also in 1- or 3-year terms.
  • Enterprise MSA: Included is an Enterprise Master Service Agreement, outlining service terms and conditions.

Bundle #7 – NIS2 High Compliance Package

Digital Footprint Intelligence (DFI)
  • Asset Monitoring: Continuous monitoring for asset exposure and data leakages.
  • Dark Web Surveillance: Proactive surveillance within dark web environments and forums.
  • Reporting Access: Regular access to comprehensive reports based on the latest intelligence findings.
Incident Response Handbook
  • Customized Playbook: A tailor-made incident response playbook designed for specific sectors, activities, and business types.
  • Training and Skilling: Comprehensive training sessions to empower your team with the necessary skills for incident handling.
  • Support Package: 40-hour support from Kaspersky’s team for incident support or forensic analysis.
Kaspersky Interactive Protection Simulation
  • Gamified Awareness Session: An immersive game-based simulation for heightened incident response awareness.
  • Multidisciplinary Involvement: Suitable for a wide range of teams, including executives, IT, and OT professionals.
  • Extensive Participation: Up to 100 participants can be accommodated.
  • Certification Provided: Participants will receive a certification upon successful completion.

Bundle #8 – NIS2 System and Network Acquisition, Development & Maintenance

KICS XDR
  • Comprehensive KICS Platform: A complete KICS solution (Networks and Nodes) offering full visibility into the OT environment and enhanced detection and response capabilities across multiple attack vectors.
  • OT-Specific EDR: Endpoint Detection and Response tailored for the unique needs of OT endpoints.
  • IDS and NTA: Advanced Intrusion Detection System and Network Traffic Analysis for OT network visibility and surveillance.
  • Integration Agent: Facilitates telemetry transmission, enriched visibility, targeted vulnerability scans on endpoints and network elements, and endpoint response capabilities.
  • Centralized Management: Streamlined control for an integrated security posture across the entire organization’s network.

Entities and Sectors Affected by the NIS 2 Directive

The NIS 2 Directive broadens the scope significantly compared to its predecessor, encompassing a wider range of sectors and introducing more defined categories of entities that must comply with its regulations. Here’s a detailed breakdown of who needs to adhere to the NIS 2 Directive:

1. Essential and Important Entities

The directive distinguishes between ‘essential’ and ‘important’ entities, both subject to specific cybersecurity obligations:

  • Essential Entities: These include entities that are vital for the maintenance of critical societal or economic activities. As a rule, an entity is essential if it operates in one of the Annex I “sectors of high criticality” and exceeds the ceiling for a medium-sized enterprise under Recommendation 2003/361/EC (i.e. it is a large enterprise). Certain types of entity are essential regardless of size. The designation includes, but is not limited to:

    • Sectors: Energy, transport, banking, financial market infrastructures, health, drinking water, waste water, digital infrastructure, space, and (central) public administration.
    • Services: ICT service management (business-to-business), qualified trust service providers, top-level-domain name registries, and DNS service providers (excluding operators of root name servers).
    • Organizations: Entities identified as critical under the Critical Entities Resilience (CER) Directive, providers of public electronic communications networks or publicly available electronic communications services that are medium-sized or larger, and other entities that a Member State designates as essential under national law.
  • Important Entities: These are entities that fall within the directive’s scope but are not classified as essential. In practice this covers medium-sized enterprises in the Annex I sectors and medium-sized and large enterprises in the Annex II “other critical sectors”. Important entities carry the same risk management and reporting obligations as essential entities but are subject to lighter, ex post supervision and to lower maximum fines.

2. Expanded Sector Coverage

The NIS 2 Directive significantly extends its reach into various sectors, reflecting the growing interconnectivity and reliance on digital technologies:

  • Original Sectors: Includes sectors initially covered under the NIS Directive such as energy, transport, health, banking and financial market infrastructures, drinking water and digital infrastructure.
  • New Sectors Added:
    • Other Critical Sectors (Annex II): Postal and courier services, waste management, manufacture, production and distribution of chemicals, production, processing and distribution of food, and manufacturing (including medical devices, computer and electronic products, electrical equipment, machinery and motor vehicles).
    • Digital Services: Cloud computing services, online marketplaces and online search engines were already covered by the original directive as “digital service providers” under a light-touch regime; NIS 2 brings them into the essential/important entity framework and adds social networking platforms, data centre services, content delivery networks, and managed service providers and managed security service providers. The inclusion of these providers highlights the EU’s recognition of the pivotal role they play in the digital economy.
    • Research: Research organisations are listed as an Annex II sector in their own right, reflecting the value of research data and intellectual property to economic resilience.

3. Specific Compliance Requirements

The NIS 2 Directive sets out specific compliance requirements based on the entity’s classification as either essential or important:

  • Cybersecurity Risk Management: Entities must implement appropriate and proportionate technical, operational and organizational measures to manage the risks posed to the security of network and information systems. Article 21 lists the minimum areas these measures must cover, including risk analysis and information system security policies, incident handling, business continuity and crisis management, supply chain security, security in network and information system acquisition, development and maintenance, vulnerability handling and disclosure, policies to assess the effectiveness of the measures, basic cyber hygiene and training, cryptography and encryption, human resources security, access control and asset management, and, where appropriate, multi-factor or continuous authentication.
  • Incident Reporting: Entities are required to report significant incidents to their national CSIRT or competent authority in stages: an early warning within 24 hours of becoming aware of the incident, an incident notification with an initial assessment within 72 hours, and a final report within one month of the incident notification (or a progress report if the incident is still ongoing). Intermediate status updates may be requested by the authority. An incident is significant if it has caused or is capable of causing severe operational disruption or financial loss for the entity, or has affected or is capable of affecting other persons by causing considerable material or non-material damage. This staged process is designed to standardize incident reporting across the EU, ensuring a prompt and effective response to cyber threats.

4. Proportionality and Adaptation

The directive also introduces provisions to ensure proportionality and adaptation to the specific needs and circumstances of different entities: risk management measures must be proportionate to the entity’s exposure to risk, its size, and the likelihood and severity of incidents. Member States also retain the flexibility to bring additional entities into scope, for example where an entity is the sole provider of a service essential to society or where a disruption could have significant cross-border or systemic impact.


The NIS 2 Directive’s expanded scope and stringent requirements reflect a proactive and comprehensive EU approach to enhancing cybersecurity across a broad spectrum of sectors and entities. By identifying and classifying entities as essential or important, the directive ensures that a wide range of organizations implements robust cybersecurity practices, thus safeguarding Europe’s digital and economic security against evolving cyber threats.