
NIS2 Directive & Your Networking Solutions Cybersecurity

#2024, #nis2, #corporatenews

July 17, 2024

The European Union has mandated compliance with the NIS2 Directive by October 2024 for numerous companies in both the private and public sectors. This new cybersecurity regulation covers many aspects of a company’s security policies. Learn about the requirements and how Teltonika can help you meet the NIS2 Directive standards.


We said it once and will say it again: cybersecurity is not to be taken for granted. 

Unfortunately, cyberattacks in both the private and public sectors continue to thrive and expand, as evidenced by the 57% increase in such attacks in Europe in 2023. This isn’t a good sign, but if there’s a silver lining, it’s that these incidents highlight the need for companies to reassess and improve their IoT security measures. 

Now, the growing concern about IoT security, and cybersecurity in all its forms, extends beyond the private and public sectors and includes governmental bodies as well. The European Union is just as invested in taking strong cybersecurity measures to protect companies from unwanted exposure, especially those working with critical infrastructure.

With new EU cybersecurity regulations set to be implemented by October 2024, you should familiarise yourself with the NIS2 Directive, its purpose, regulations, and the potential consequences of non-compliance.

WHAT MAKES NIS2 DIFFERENT FROM NIS?


The NIS Directive was the first piece of EU-wide legislation ordering companies operating within the scope of the European Union to achieve certain cybersecurity standards. 


These standards included measures to control and prevent risks and the obligation to report incidents while cooperating with authorities. This directive was mostly relevant to companies working in critical infrastructure and key digital service providers in the transportation, energy, and financial sectors. 


The original NIS Directive was introduced nearly 7 years ago, in 2017. Much has changed in the digital world since then. So, it was inevitable that the European Union would update the NIS Directive to ensure IoT security. And indeed, it did.  


This second iteration of the NIS introduced by the EU is bigger, stronger, and stricter, aiming to establish higher cybersecurity standards for enhanced network infrastructure protection that companies must comply with by October 2024. 

NIS2 DIRECTIVE REGULATIONS COMPANIES MUST COMPLY WITH 

There are four overarching types of requirements in the NIS2 Directive that are most crucial for a company to comply with: 

1) Risk management – companies must mitigate risks by strengthening their network infrastructure protection, supply chain security, and their networking solutions’ access control and data encryption methods.

2) Corporate accountability – corporate management must oversee and instruct its employees to implement security measures in their daily tasks and address any cybersecurity risks they identify. 

3) Reporting obligations – essential and important entities must promptly report any security incidents they experience, complying with specific deadlines for incident reporting, such as the 24-hour early warning.

4) Business continuity – companies must plan in advance the actions to be taken in the event of a major cyber incident, including conducting system recoveries, implementing emergency procedures, and assigning a dedicated team responsible for crisis management.


Teltonika’s Head of IT Infrastructure and Security, Artūras Golyšenko, advises: 


“It’s likely that companies will involve only their IT staff in the preparation for the NIS2 Directive, seeing it as just another technological conundrum. However, to enhance the resilience of the whole organisation against cyber threats, the team should include not only technical experts but also heads of multiple departments, lawyers, employees responsible for the company’s services, and even managers. 


“As the scope of cyber-attacks also includes human error, the IT department alone won’t be enough to help prepare. It’s important to foster a cyber security culture in companies by providing employees with basic and specialised knowledge on dealing with certain situations. 


“By doing so, all stakeholders in the company will have the information they need and be able to identify problem areas and address them. This guarantees continuity in the development of the cybersecurity process.” 


For more information, check out this comprehensive overview of the NIS2 Directive’s contents. 


This leads us to the next question… 

HOW DOES THIS AFFECT YOU? 

Consider this question carefully, as the original NIS Directive had a narrower impact, affecting fewer critical infrastructure companies that specialise in sectors such as energy, health, transport, finance, water supply, and digital infrastructure. 


Now, the NIS2 Directive not only continues to focus on these six sectors but also expands to include nine additional sectors, such as waste management, manufacturing, research, digital providers, and more. So, the list is far larger than it previously was.  


It’s also crucial to consider your company’s size when determining compliance with the NIS2 Directive. Essential entities, defined as companies with around 250 employees and a €50 million annual turnover, must comply. Similarly, important entities with about 50 employees and a €10 million turnover are also required to adhere to the Directive. 


However, it’s important to note that companies that don’t fit these categories may still need to comply if they provide critical services vital to societal or economic activities in a member state. 


If companies subject to the NIS2 Directive do not comply with its requirements, they become liable to penalties. These penalties can take the form of non-monetary remedies, administrative fines, or even criminal sanctions.


Even if your company’s sector is not on the list, that does not mean you are off the hook: there is a high chance your services or products are used in one of the affected sectors. In other words, your company must comply with the NIS2 Directive regulations, too.

WHAT IF YOUR COMPANY FAILS TO COMPLY WITH NIS2?

As mentioned before, companies subject to NIS2 will require their vendors and partners to comply with its regulations to ensure a secure supply chain and to avoid fines. Failure to comply could result in your potential or current clients not renewing contracts, adversely affecting your business. 


Another important concern lies within your company’s reputation. If your company doesn’t comply with the NIS2, it might be considered untrustworthy or incompetent in maintaining a high level of cybersecurity. 


So, ignoring the NIS2 Directive regulations will put your company at a disadvantage, surely affecting its relationship with clients and overall business. 

YOUR COMPANY WILL COMPLY WITH TELTONIKA 

Teltonika invests a significant amount of time and effort into not only enhancing the security of our networking devices and IoT security, but also our cybersecurity policies. As our headquarters are located in Lithuania, we must comply with all EU regulations, including the NIS2 Directive. 


The EU NIS2 Directive has yet to be transposed into Lithuanian law. The specific regulations from the Lithuanian National Cybersecurity Centre are expected to be announced in Q4 2024. In the interim, we adhere to the best cybersecurity practices, utilising state-of-the-art technologies and managing our systems in accordance with ISO 27001 and ISO 9001.


Teltonika’s networking device unit has recently become an official member of the CVE programme community. This membership enables us to ensure quick incident reporting by allowing us to establish, register, and publish CVEs ourselves. 


It’s also important to highlight a huge benefit of our Remote Management System (RMS), as with it, our clients can attain secure remote management capabilities of their entire networking solution and oversee each component’s health and status. 


RMS can be used to monitor whether all involved IoT devices are continuously working as they should. If not, RMS can effectively alert the client about any incidents or potential risks based on pre-configured rules. 

TELTONIKA’S TAKE ON SSDL 

When developing software systems for our networking devices, our R&D and cybersecurity engineers follow a Secure Software Development Lifecycle (SSDL) process. This is to ensure our networking devices are secure from the start, even before any additional security measures are added to them. 

We approach our SSDL with six phases that help us meticulously identify and mitigate any potential cybersecurity risks: 

1) our cybersecurity engineers train and test software development teams, covering security topics and best practices so that they work securely and efficiently;

2) we establish baseline security and privacy requirements for upcoming software updates or releases; 

3) the R&D team continually reviews and analyses how devices should perform with upcoming software releases while searching for potential security threats; 

4) we consistently perform static code analysis to maintain, review, and optimise the code within our networking devices;  

5) we conduct multiple tests, including comprehensive fuzzing and penetration testing, to reach a final verdict;

6) once these rigorous tests are complete, the documentation is finalised, archived, and used as a reference when the new cycle begins. 


ENSURE YOUR CRITICAL INFRASTRUCTURE HAS NIS2-COMPLIANT IoT DEVICES 


Securing your critical infrastructure, especially within networking solutions, can seem daunting at first. However, choosing Teltonika devices in your critical infrastructure solutions can put your worries to rest. And we’re confident about that. 


Want to know even more details on how we comply with the NIS2 Directive and the extra cybersecurity steps we take to elevate our IoT devices above the competitors?


Don’t hesitate to contact us. We’ll tell you how our commitment to security makes us the ideal partner for your journey into a safer digital future.
