News and Notes from the Makers of Nexus | Sonatype Blog

Vulnerability handling requirements for NIS2 compliance

Written by Hannah Laurence | September 11, 2024

In a previous blog post, we covered two foundational elements of the Network and Information Security (NIS2) Directive, software supply chain security and reporting requirements. In this blog, we take a closer look at the types of organizations impacted by NIS2 and the incident-handling requirements it outlines.

As the name suggests, NIS2 is an update to the original NIS Directive, introduced in 2016, that set out to achieve a high common level of cybersecurity across the European Union. It was originally targeted at network infrastructure and information systems and covered what it defined as "Essential Entities." These were primarily digital infrastructure providers and organizations of critical importance, like national healthcare providers. One of the key elements of NIS2 is that it significantly expands on these sectors and includes two new categories, "Highly Critical Sectors" and "Critical Sectors."

Sectors of High Criticality

Applies to organizations with >49 employees and an annual turnover exceeding € 10 million or a balance sheet total exceeding € 10 million.

Sectors: Energy, Transportation, Banking, Financial Market Infrastructures, Health, Drinking Water, Digital Infrastructure, ICT Service Management, Public Administration, Space

Critical Sectors

Applies to organizations with >249 employees and an annual turnover exceeding € 50 million or a balance sheet total exceeding € 43 million.

Sectors: Postal and Courier Services, Waste Management, Manufacturing, Food Production and Distribution, Digital Service Providers, and Research

Essentially, if you're a medium-to-large organization and you perform a service of any societal significance, compliance with NIS2 is mandatory. NIS2 sets the expectation that organizations in these categories have policies and procedures in place for certain business management obligations, including risk analysis and information system security, incident handling, and supply chain security, just to name a few.

How will you respond in case of a cybersecurity incident?

It's unlikely that NIS2 is going to catch anyone by surprise. But knowing about something isn't the same thing as being prepared, so what does this actually look like in practice? This is the question that needs to be answered to satisfy NIS2. It's possible, maybe even likely, that your organization already has something in place that documents what happens in the event of a cybersecurity incident.

Such a plan might assign responsibilities for communicating with suppliers and customers or for disseminating information about the severity and remediation of the incident. Specifically, NIS2 requires that an early warning of a significant cybersecurity incident be submitted within 24 hours to the relevant computer security incident response team, or CSIRT. This is then to be updated within 72 hours with an initial assessment of the incident, including its severity and impact.

Intentionally reviewing what you have in place will make NIS2 more manageable, but it also provides an opportunity to apply some thought and planning to these risks. For example, ransomware is a new area NIS2 seeks to address in its management obligations. Supply chain management is Sonatype's area of expertise, so the NIS2 guidance on this is particularly relevant to what we see happening with the increase in supply chain attacks. Making a plan for how you will manage suppliers when they encounter security breaches, including how you will insulate your business in the event a supplier is unable to continue doing business, is one of the opportunities NIS2 provides to get things in order. You can do this by auditing your suppliers, learning how they approach security to make sure it aligns with your own, monitoring their software for known vulnerabilities, and being ready to patch issues in supplier-provided software.

Protecting the software supply chain

The European Union Agency for Cybersecurity (ENISA) has issued supplemental guidance to make NIS2 compliance more manageable. Among its recommendations is that effective software bill of materials (SBOM) management is the only way to manage software development security effectively. This means having an SBOM for all of your software dependencies and monitoring those dependencies for vulnerabilities. This applies not only to the software that you build yourself but also to the software you purchase and that your teams are using. For a detailed look at what NIS2 means for SBOM management and how the Sonatype platform can help, download our NIS2 User's Guide to Compliance.

Because NIS2 is a directive, every European Union member state will legislate for it differently, and the consequences of failing to comply are not trivial. They include the temporary halting of trading, steep financial penalties, or the banning of executives from doing business, among other things. If you're unsure of where to start and would like to speak to an expert, we'd love to hear from you.