Despite being published in late 2022 and coming into effect in January 2023, the second Network and Information Security Directive (NIS2) is taking the European Union by surprise. Weeks after the 17 October deadline, the majority of member states haven’t transposed it into their written laws — a necessary step for organisations in those countries to know the expectations and penalties. The story of NIS2 is, in some ways, the story of all compliance regulations – and in some ways, it’s completely unique.
Outlining wide-reaching measures from system hardening to reporting, training, and more, NIS2 isn’t likely to be either simple or clean for member states or their constituent organisations; as the deadline for legislation shrinks in the rearview, companies are scrambling to get ready for whatever their member state has in store (with most IT departments pulling funds from other areas of the business to cover). The NIS2 Directive was published in November 2022; member states have had since January 2023 to figure out how to require it by law; now, most EU companies are left in the lurch, waiting to find out their exposure and risk. How does that happen?
Build your GRC framework with proven standards
Where directives stop short of prescribing controls, IT security standards like the CIS Benchmarks and frameworks like NIST pick up the slack and can help you choose the right tools, processes, and configurations you need to enforce. Plus, many of these prescriptive resources are free, internationally recognised, and peer-reviewed for an added layer of reliability. With specific settings for hardening software, hardware, and network components – down to the configuration level – they’re your bridge from “not compliant” to “compliant.” Additionally, seek common threads across regulations: if you’ve already implemented the controls outlined in one regulation or framework, you may have already covered key controls of another (like NIS2).
If you create a NIS2-compliant GRC framework without a solid foundation of repeatable configurations built with proven standards, you’re building a house on sand. Even if you pick the right tools and institute the right processes, don’t assume you can just pass every NIS2 audit for years. Drift, employee turnover, knowledge gaps, and tech debt will pile up over time. Even if it were possible to prevent every single active, malicious attack, that continuous passive risk exposes you to the teeth of NIS2. Choosing tools you can manage and processes you can maintain in the long term also saves time down the road, when member states enter the perpetual ‘auditing and enforcement’ phase of NIS2.
Use the above recommendations to define and enforce a secure, compliant desired state – no matter how much you diversify or scale your critical IT infrastructure.
For example, when you roll out an automated patch two days before someone uncovers a new vulnerability in it, can you roll it back on every server running that version of the software with a single command? When someone inserts a backdoor into the latest version of the open source tool your infrastructure uses every day, how long will you let it cripple your NIS2 compliance posture?
If you’ve got some production workloads in AWS, some in a data centre, and some in a private cloud, can you keep the bolts tight on all of them from one infrastructure codebase? Or will you be forever configuring, tweaking, and chasing down configuration drift? And how do you expect to manage compliance for them all if each platform is controlled by a different vendor?
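As an added illustration of the desired-state idea above (example code, not from the article or any particular product), the following compares a small hardening baseline against a constructed multi-platform host inventory, reports per-host drift, and lists which hosts carry a package version that now has to be rolled back; the package name, version strings and host names are all made up.

```python
# Added example: desired-state drift check plus rollback targeting.
# Baseline and inventory values below are constructed for illustration.

# Example baseline: two CIS-style sshd settings and the version of a
# hypothetical agent package that the infrastructure code rolled out.
BASELINE = {
    "sshd.PermitRootLogin": "no",
    "sshd.PasswordAuthentication": "no",
    "pkg.backup-agent": "2.3.1",
}

# Constructed inventory: hosts in AWS, a data centre and a private cloud,
# each with the state actually observed on the box.
INVENTORY = {
    "web-01": {"platform": "aws", "sshd.PermitRootLogin": "no",
               "sshd.PasswordAuthentication": "no", "pkg.backup-agent": "2.3.1"},
    "db-01": {"platform": "datacentre", "sshd.PermitRootLogin": "yes",
              "sshd.PasswordAuthentication": "no", "pkg.backup-agent": "2.3.1"},
    "app-07": {"platform": "private-cloud", "sshd.PermitRootLogin": "no",
               "pkg.backup-agent": "2.3.0"},  # setting never applied here
}

def detect_drift(baseline, inventory):
    """Return {host: [(setting, expected, actual), ...]} for every deviation.
    A setting missing from a host counts as drift (actual is None)."""
    report = {}
    for host, observed in inventory.items():
        deviations = [(key, want, observed.get(key))
                      for key, want in baseline.items()
                      if observed.get(key) != want]
        if deviations:
            report[host] = deviations
    return report

def rollback_targets(inventory, package, bad_version):
    """Hosts running a version that must be rolled back, grouped by platform."""
    targets = {}
    for host, observed in inventory.items():
        if observed.get(package) == bad_version:
            targets.setdefault(observed["platform"], []).append(host)
    return targets

if __name__ == "__main__":
    for host, devs in detect_drift(BASELINE, INVENTORY).items():
        for key, want, got in devs:
            print(f"{host}: {key} expected {want!r}, found {got!r}")
    # The version rolled out two days ago is now known to be bad:
    print(rollback_targets(INVENTORY, "pkg.backup-agent", "2.3.1"))
```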
For all its enhanced penalties, potential implications, and years of hype, NIS2 compliance largely comes down to fundamentals. Organisations across the EU would do well to bear the weight of NIS2 with patience, persistence, and strategic investments that reduce the toil of maintaining a compliant state.