The software development community has been awash in new requirements and legislation recently, with the goal of neutralizing — or at least minimizing — cybersecurity threats. If your day-to-day work has not already been impacted by these new rules, it will soon be.
But far from just bureaucratic busywork, these rules are actually making us safer. They're also raising important awareness of the vulnerability of the global software supply chain.
One of the most sweeping of these new laws is the European Union's updated cybersecurity legislation, the Network and Information Security (NIS2) directive. Designed to bolster cybersecurity across the EU, NIS2 is actually an update to the original NIS Directive, introduced in 2016, to increase resiliency and keep pace with evolving cybersecurity threats.
Set to take effect on October 17, 2024, NIS2 strengthens the security posture of European software development while also introducing reporting requirements and penalties for non-compliance. As a directive, NIS2 doesn't mandate how these things are accomplished, but it leverages standards including the National Institute of Standards and Technology (NIST) as guidelines to meet compliance. Member states will have to integrate NIS2 into their national laws as a baseline but can add elements to suit their regional needs.
Two cornerstones of NIS2: Protecting the supply chain and reporting requirements
Software supply chains are tantalizing targets for hackers because compromising a widely used software component can impact a lot of organizations and amplify the potential for damage. Article 21, Section 2 of NIS2 lays out minimum cybersecurity risk management measures and includes areas like policies on risk analysis and information system security, incident handling, business continuity and disaster recovery, and supply chain security.
Reporting is another important requirement of NIS2, which requires organizations to submit an early warning of significant cybersecurity incidents within 24 hours, which is fast even for an initial report. These need to be submitted to the relevant CSIRT and indicate if the significant incident is suspected of being caused by unlawful or malicious acts. Within 72 hours, the first report must be updated to include an initial assessment of the incident, including severity and impact.
Within a month, a final report is required that includes:
-
a detailed description of the incident, including its severity and impact;
-
the type of threat or root cause that is likely to have triggered the incident;
-
applied and ongoing mitigation measures;
-
where applicable, the cross-border impact of the incident.
Sonatype and NIS2
NIS2 is part of a global trend towards more transparent software development, and these requirements to protect supply chains and provide timely reporting present challenges to organizations for monitoring and managing dependencies at scale.
Sonatype has been at the forefront of protecting the software supply chain, and our platform is ideally suited to help meet these requirements by providing a streamlined way to collect, monitor, and manage components across the development lifecycle. Critically, this includes automated generation of software bills of materials (SBOMs), safeguarding and verifying the integrity of provenance data, and expediting the ability to respond to cybersecurity incidents while holding software suppliers accountable.
By preparing now, organizations can not only comply with NIS2 but also build a resilient cybersecurity posture that safeguards their operations against future threats. For a more detailed look at NIS2 and how the Sonatype platform can help, read our NIS2 User's Guide to Compliance.
Download the NIS2 User's Guide to Compliance
