NC Nov-Dec 2023
SECURITY UPDATE
COMPLYING WITH THE NIS 2 DIRECTIVE TO HELP SECURE CRITICAL ASSETS
STEVEN KENNY, INDUSTRY LIAISON, ARCHITECTURE & ENGINEERING, AXIS COMMUNICATIONS, EXAMINES THE LATEST CYBERSECURITY COMPLIANCE REGULATION - THE NIS 2 DIRECTIVE - AND WHAT SECURITY BUSINESSES SHOULD BE DOING TO PREPARE FOR IT

The European Parliament adopted the NIS 2 Directive (NIS 2) in November 2022 and a planned UK alignment is set to follow. NIS 2 replaces and repeals the NIS Directive that established cybersecurity requirements for the operators of essential services (OES) and digital services providers (DSP). It modernises the existing legal framework in the EU to keep up with increased digitisation and an evolving cybersecurity threat landscape, and will improve cybersecurity risk management and introduce reporting obligations across a number of new sectors and entities.

With an October 2024 deadline by which to adopt and publish the measures necessary to comply with NIS 2, it's important to determine what this means for security businesses working with, or wishing to work with, affected companies. A network camera, for example, while used for both security and operational means across a range of industries that may come under the NIS 2 Directive, is not classed as a critical asset. This technically places it outside the Directive's scope. Yet such a device nevertheless represents a vulnerability through which a malicious threat actor could launch an attack. What steps, then, should security businesses, their partners and customers be taking to ensure compliance?

DEMONSTRATING CYBER MATURITY
The new directive eliminates the distinction between OESs and DSPs; instead, it classifies businesses as either essential or important and uses a size-cap rule to determine which medium and large-sized entities fall within its scope. To comply with NIS 2 a holistic

16 NETWORKcomputing NOVEMBER/DECEMBER 2023 @NCMagAndAwards
WWW.NETWORKCOMPUTING.CO.UK