NIS2 and the consequences for segmented networks

The NIS2 Directive is the EU’s latest move to tighten cybersecurity, extending its reach to cover more companies and demanding stronger protection measures. The goals of NIS2 are to boost IT and OT security, simplify reporting, and create consistent rules and penalties across the EU. It affects a wide range of businesses by setting security standards and rules for how cyber incidents must be reported. Are you wondering how these changes might require your company to update its digital defenses? We’ll walk you through the most important changes and how you can act upon them.

What is NIS2?

At its core, NIS2 is a regulatory directive designed to improve the cybersecurity posture across the European Union. It stands for the second version of the Network and Information Systems Directive. The principal objective of NIS2 is to enhance resilience against cyber threats within the EU. This aim reflects an adjustment and broadening of the initial NIS Directive’s scope in light of the evolving cybersecurity environment and rising cyber threats.

The NIS2 Directive focuses on a few key areas to strengthen cybersecurity measures:

  1. Broader scope: Unlike its predecessor, NIS2 applies to a wider range of sectors and entities. In NIS2 they’re categorized as either ‘essential’ or ‘important’ entities. This includes sectors such as energy, transportation, banking, digital infrastructure, and health, among others. The directive aims to cover all organizations that, if compromised, could pose significant risks to the EU’s internal market and the well-being of its citizens.
  2. Stricter requirements: NIS2 imposes stricter security and incident reporting requirements on the entities it covers. Organizations are expected to adopt a proactive approach to managing cybersecurity risks, ensuring that they have the necessary measures in place to prevent, detect, and respond to cyber incidents.
  3. Increased supervision and enforcement: The directive gives authorities the ability to conduct audits and inspections and to enforce corrective measures. The aim is a more consistent application of cybersecurity standards across member states.
  4. Focus on supply chain security: Entities are required to address cybersecurity risks not only within their organization but also among their suppliers and service providers.
  5. Incident reporting: NIS2 mandates timely reporting of cybersecurity incidents to national authorities. This aims to improve information sharing and coordination in response to cyber threats.

The importance of segmented networks

The concept of network segmentation plays a critical role in enhancing the cybersecurity defenses of organizations. Segmentation means dividing a network into smaller parts or segments. The more you divide the network into these secure segments, the harder it is for an attacker who compromises one segment to reach the rest of the data.

Why segmentation is vital

  • Limits the attack surface: By dividing the network into segments, the attack surface exposed to any single compromised host is significantly reduced.
  • Data protection: Segmentation lets us create security rules that match the importance of the data in each segment. This ensures that highly confidential information receives the highest level of protection.
  • Improved incident response: In the event of a breach, segmentation can help contain the spread of the attack. This makes it easier to isolate compromised segments and respond more effectively.

NIS2 and segmentation

Under the NIS2 Directive, there’s a strong emphasis on adopting robust cybersecurity measures across essential and important sectors. Achieving this involves a thorough evaluation of the assets that need protection, the potential threats they face, and their resilience against these threats. Network segmentation is implicitly encouraged as a best practice for achieving these objectives. NIS2 highlights the need for effective strategies like segmentation that can prevent, detect, and respond to cyber incidents.

Willemijn Rodenburg, Relationship Manager for the Dutch Government at Fox Crypto, gives us the details about the tailored approach across different sectors: “Essentially, what is in the core of the directive is that organizations must be risk-aware and must carry out a risk-based approach. The implementation of NIS regarding segmentation could mean diverse things for different sectors; for example, the financial sector might lean towards DORA regulations. On the other hand, the energy sector could emphasize segmentation due to the combination of IT and OT systems.”

Despite the Dutch delay in implementing NIS2, organizations are expected to be compliant by October 17th, 2024. Willemijn advises organizations to focus on identifying and protecting their most critical assets. “Regardless of the delay in the Netherlands, every organization must comply with NIS2 by October 17th. It comes down to the following: look at where your crown jewels are, meaning the interests that need protection, and do something about it considering the regulations of NIS2.”

How the DataDiode stands at the forefront of NIS2 and segmentation

The NIS2 framework focuses on high-level security measures, particularly in Identity Management, Authentication, and Access Control. This approach limits access to physical and logical assets to authorized users, services, and hardware only. It highlights dividing networks into segments as a key method for reaching security goals. Adding a DataDiode and dividing the network is a smart move to improve cybersecurity in essential areas.

Willemijn explains: “Looking at what the law states now, segmentation is particularly linked to our communication networks and services. That’s where you see segmentation being emphasized, and it’s also where the DataDiode comes in. The DataDiode is an example of an implementation tool that can help you get that organized properly. The implementation of DataDiodes can significantly improve your strategy by ensuring a unidirectional flow of information. This improves the security posture against potential cyber threats, and that’s the aim of NIS2. Keep in mind that these measures are not just about compliance, but about adopting a proactive approach to safeguarding the digital infrastructure against evolving threats.”

Examples of how the DataDiode eliminates risks

The DataDiode offers solutions to various risks related to securing secrets and protecting assets within organizations. Here are some examples of how the DataDiode can address these risks in different sectors:

  1. Separation of IT and OT environments: In scenarios where IT and OT environments need to be kept separate to ensure the integrity and safety of operational systems, the DataDiode provides an effective solution. Because of its unidirectional data flow, critical operational data can safely move to IT systems without the risk of malware or attacks infiltrating back into the OT system.
  2. Air-gapped systems: For systems that must remain air-gapped for security reasons, such as those used in critical infrastructure or secure government networks, DataDiodes can enable the secure update of software or databases. By allowing data to enter the secure environment without the possibility of data exfiltration, systems can be kept up-to-date and secure against vulnerabilities.
  3. Supply chain collaboration: The DataDiode secures information sharing across the supply chain. This allows a manufacturing company to share sensitive data with suppliers and logistics partners securely. It ensures data integrity and protection against unauthorized access or cyber threats.
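The segmentation argument above (a compromise of one segment should not reach the rest) and the IT/OT separation scenario in point 1 both come down to the same check: given the zones of a network and the directions in which data is allowed to flow between them, can any zone reach a more sensitive zone, directly or through intermediate zones? The following is an added example, not code from the article or from Fox Crypto. It models a constructed three-zone plant network twice: once with OT data pulled by IT through a stateful firewall rule (data flows both ways once a session exists), and once with OT pushing data through a one-way link into a DMZ that IT reads from. The zone names, trust levels and flow tables are assumptions made up for the example.

```python
"""Check a segmented network design for paths from a less sensitive zone
into a more sensitive one (e.g. from corporate IT into the OT plant).

Added example with a constructed topology; zone names and trust levels are
assumptions, not taken from the article.
"""
from collections import deque

# Zones and their sensitivity; a higher number means more sensitive.
ZONES = {"corporate_it": 1, "historian_dmz": 1, "ot_plant": 3}

# Design A (constructed): IT polls the OT historian through a stateful
# firewall. Once the session is open, data flows in both directions, so the
# link is modelled as two directed edges.
FIREWALL_DESIGN = {
    ("corporate_it", "ot_plant"),
    ("ot_plant", "corporate_it"),
}

# Design B (constructed): OT pushes historian data through a unidirectional
# link into a DMZ on the IT side; IT reads from the DMZ. The one-way link is
# a single directed edge with no reverse edge.
DIODE_DESIGN = {
    ("ot_plant", "historian_dmz"),      # unidirectional link, OT -> DMZ only
    ("historian_dmz", "corporate_it"),
    ("corporate_it", "historian_dmz"),
}


def reachable(flows, start):
    """Return the set of zones whose data path can be reached from `start`
    by following allowed flows transitively (breadth-first search)."""
    seen = {start}
    queue = deque([start])
    while queue:
        current = queue.popleft()
        for src, dst in flows:
            if src == current and dst not in seen:
                seen.add(dst)
                queue.append(dst)
    seen.discard(start)
    return seen


def escalation_paths(zones, flows):
    """Return sorted (source, destination) pairs where data (and therefore an
    attacker's traffic) from `source` can reach a zone that is more sensitive
    than `source`. An empty list means the segmentation holds."""
    violations = set()
    for src in zones:
        for dst in reachable(flows, src):
            if zones[dst] > zones[src]:
                violations.add((src, dst))
    return sorted(violations)


def one_way_links(flows):
    """Return the edges that have no reverse edge, i.e. the links that behave
    as a data diode in this design."""
    return {(src, dst) for src, dst in flows if (dst, src) not in flows}


if __name__ == "__main__":
    for name, design in (("firewall", FIREWALL_DESIGN), ("diode", DIODE_DESIGN)):
        print(name, "escalation paths:", escalation_paths(ZONES, design))
        print(name, "one-way links:", sorted(one_way_links(design)))
```

In design A the check reports `("corporate_it", "ot_plant")`: the bidirectional session is a path from the less sensitive IT zone into the plant. In design B the only one-way link is `ot_plant -> historian_dmz`, and no zone can reach a more sensitive one, which is the property the text attributes to a unidirectional gateway. The same function can be run over a real zone inventory and firewall rule export once those are translated into directed edges.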

Why companies should integrate a DataDiode into their security strategy

Integrating a DataDiode into a company’s cybersecurity strategy can significantly enhance its effectiveness in several key areas:

  • Protecting critical data: The DataDiode ensures sensitive information, such as customer data, financial records, and trade secrets, can only travel in one direction.
  • Preventing financial damage: By reducing the risk of cyberattacks, the DataDiode helps avoid the direct and indirect costs associated with data breaches. This includes expenses related to system and data recovery, as well as potential losses in revenue and reputation.
  • Compliance: Using the DataDiode can help organizations meet strict data security regulations, like GDPR or HIPAA. It provides a secure method to transfer sensitive information without risking unauthorized access.

The future of cybersecurity: The role of NIS2 and the DataDiode

It’s hard to tell what the effect of NIS2 holds for the future in combination with the DataDiode. But knowing what we know now, we asked Willemijn for her future vision. She elaborates: “I believe the importance of having a DataDiode is going to increase, especially because everything is interconnected. In this environment, it’s crucial to keep information in one place or to transfer it to another, in a safe way. I don’t think NIS2 will go so far as to specifically mandate having a DataDiode in certain situations.

“The challenge is that such laws need to be future-proof, and that’s the strength of NIS2. It tells you to look at your organization, identify your ‘crown jewels’ (the assets you need to protect), consider how your organization operates, and take measures accordingly.

“The directive already exists, and I think the implementation of the law this year will provide direction. I suspect that by the end of this year, it will become clear how regulators intend to fulfill their supervisory role. These regulators must determine how they believe the sectors under their responsibility can comply with their duty of care. They will oversee thousands of organizations. They might not visit each organization individually; perhaps they’ll do it in groups. Time will tell, but they will oversee and require evidence of compliance, whether that’s adhering to ISO 27001 standards or having a cybersecurity section in their overall risk profile,” Willemijn Rodenburg states.