Well, that happened...
NIS2 is the upcoming EU cybersecurity directive that's... wait, already here? Did anyone notice?
It turns out that the 17th of October 2024 was the deadline for member states to transpose the directive into national law (it is a directive, not a regulation, which is why each country has to pass its own law). I can't find any reference that Finland has actually completed that yet. In fact, according to this handy source, Finland is in Stage 3. In other words, a draft has been submitted but has not yet been approved. That's okay, Finland, I was always late with my homework as well!
This is far from a Finnish problem. Only four countries, Belgium, Hungary, Croatia, and Latvia, are at Stage 4, having transposed the directive ahead of the deadline. These countries get a gold star!
Stage 2 (Initial Development) includes Denmark, France, Ireland and Romania; while Bulgaria, Estonia, Malta, Portugal, and Spain are in Stage 1 (Minimal Progress or Information).
As you might expect from EU legislation, the wheels turn slowly. Whether or not this means those who aren't complying with NIS2 yet have earned some amnesty is up for debate. With no clear date in sight, NIS2 could be transposed into Finnish law at any time, and the obligations bite as soon as it is.
History of NIS2
The Network and Information Security (NIS) Directive, adopted by the European Union in 2016, aimed to bolster cybersecurity across member states. As the digital landscape evolved, it became clear that the original NIS Directive badly needed an update, which prompted the creation of the NIS2 Directive.
- 2016 – Original NIS Directive adopted to improve cybersecurity in the EU.
- December 2020 – NIS2 Directive proposed by the European Commission.
- May 2022 – Political agreement on NIS2 reached by EU institutions.
- November 2022 – NIS2 Directive formally adopted by the European Parliament.
- January 2023 – NIS2 enters into force.
- 17 October 2024 – Deadline for EU member states to transpose NIS2 into national law.
- October 2024 – Weird liminal space where it's unclear whether the law is in force or not (you are here).
- 17 April 2025 – Six months after the transposition deadline, member states must have established their list of identified essential and important entities and reported on it to the European Commission.
NIS2 introduces broader requirements, an expanded scope, and, perhaps most critically, stricter penalties.
The new scope of the bloc
The NIS2 Directive significantly expands the scope of NIS. Under NIS, only operators of essential services and digital service providers were subject to the requirements. NIS2 broadens this to include more critical sectors such as:
- Energy (including electricity, gas, and oil sectors).
- Transport (aviation, rail, water, road).
- Banking and financial services.
- Health sector (hospitals, laboratories, pharmaceutical production).
- Public administration (national and regional bodies).
- Space (satellite services and ground stations).
Medium and large enterprises in these sectors are now required to comply. This means that even companies that may not have previously been considered critical but play a role in key supply chains are now within the directive's scope. In-scope organizations are classified as either essential or important entities; essential entities face stricter supervision and higher maximum fines.
Core controls
Security measures and stricter incident reporting requirements
Organizations must implement "appropriate and proportionate" technical, operational, and organizational security measures to address the risks posed to their systems.
This includes:
- Incident prevention: Protecting systems and data from potential security breaches.
- Business continuity: Ensuring resilience during and after cyber incidents.
- Incident detection: Implementing monitoring to identify breaches early.
- Response and recovery: Developing procedures to respond to incidents effectively and to recover operations quickly.
The reporting timeline has also been tightened, and it is staged. For a significant incident, companies must send an early warning to the national CSIRT or competent authority within 24 hours of becoming aware of it, a fuller incident notification (including an initial assessment of severity and impact) within 72 hours, and a final report within one month of that notification. Missing these deadlines can itself result in sanctions.
What this means for DevOps and platform engineering
Observability is key. Understanding, and being able to report, what is happening in your systems is paramount: 24 hours for the early warning and 72 hours for an initial assessment of severity and impact is an extremely short time from discovery to report, and wrestling with logging systems to understand the impact of an incident is a potential time sink.
For further listening on the subject of observability, I recommend our DevOps Sauna podcast episode with Charity Majors.
Supply chain and third-party risk management
A welcome addition to NIS2 is the focus on the security of supply chains and third-party suppliers. The directive requires in-scope entities to address supply chain security, including the security-related aspects of their relationships with direct suppliers and service providers, and to take into account the vulnerabilities and security practices of each supplier. This applies particularly to companies that rely heavily on external IT services, cloud providers, or other infrastructure partners.
Effective supply chain security management includes:
- Conducting thorough risk assessments of third-party vendors.
- Establishing contractual obligations that enforce cybersecurity best practices.
- Continuously monitoring third-party compliance.
What this means for DevOps and platform engineering
Three words: Software. Supply. Chain. Chances are your builds are pulling in third-party dependencies. As of right now, it's not fully clear where the responsibility for managing the security of such dependencies will end up. There has been some feedback from the Free Software Foundation Europe about the business-relation focus of NIS2 and how it might affect providers of FOSS. In practice, a dependency pulled from a public registry comes with no contract to lean on, so the risk of what it contains stays with you.
The smart play is to start now: generate an SBOM for every build, pin and hash-verify every dependency, and put an open-source review board in charge of what is allowed in.
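As an added example (not code from the original post or Eficode's own tooling), here is a minimal review-board gate in Python that reads a CycloneDX SBOM and blocks the build when a component is not uniquely identifiable, not pinned, not hashed, comes from an ecosystem the board has not approved, or carries a licence it has not approved. The SBOM content, the policy (allowed licences and ecosystems) and the board-approved exception are constructed for illustration; the field names purl, hashes and licenses are CycloneDX's own.

```python
"""Gate a build on its SBOM.

Every component must be uniquely identifiable (purl), pinned to a version,
carry a SHA-256/SHA-512 digest, come from an approved ecosystem and use a
licence the open-source review board has approved. Anything else is a
finding, and any finding blocks the build.
"""
import json
from dataclasses import dataclass

# Hypothetical review-board policy. In practice this lives in a file the
# board maintains and changes through tickets, not in the script.
POLICY = {
    "allowed_licenses": {"MIT", "Apache-2.0", "BSD-3-Clause", "ISC"},
    "allowed_ecosystems": {"pypi", "npm", "golang"},
    # Board-approved exceptions, keyed by purl, with the ticket that granted them.
    "exceptions": {
        "pkg:pypi/gpl-thing@1.0": "OSRB-42: GPL-3.0 accepted, runs as a separate process",
    },
}

# Constructed CycloneDX 1.5-style SBOM, not the output of any real build.
# Digest values are placeholders.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "requests", "version": "2.32.3",
         "purl": "pkg:pypi/requests@2.32.3",
         "hashes": [{"alg": "SHA-256", "content": "0" * 64}],
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"type": "library", "name": "leftpad-ish", "version": "0.0.1",
         "purl": "pkg:npm/leftpad-ish@0.0.1"},            # no digest, no licence
        {"type": "library", "name": "internal-utils", "version": "3.1.0",
         "hashes": [{"alg": "SHA-256", "content": "1" * 64}],
         "licenses": [{"license": {"id": "MIT"}}]},       # no purl
        {"type": "library", "name": "fastrng", "version": "0.9",
         "purl": "pkg:cargo/fastrng@0.9",                  # ecosystem not approved
         "hashes": [{"alg": "SHA-512", "content": "2" * 128}],
         "licenses": [{"license": {"id": "MIT"}}]},
        {"type": "library", "name": "gpl-thing", "version": "1.0",
         "purl": "pkg:pypi/gpl-thing@1.0",                 # covered by an exception
         "hashes": [{"alg": "SHA-256", "content": "3" * 64}],
         "licenses": [{"license": {"id": "GPL-3.0-only"}}]},
    ],
})


@dataclass(frozen=True)
class Finding:
    component: str   # purl, or name@version when the component has no purl
    rule: str
    detail: str


def review_sbom(sbom_text: str, policy: dict) -> list[Finding]:
    """Return every policy violation in a CycloneDX JSON SBOM, sorted."""
    bom = json.loads(sbom_text)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("expected a CycloneDX SBOM")
    findings: list[Finding] = []
    for comp in bom.get("components", []):
        purl = comp.get("purl")
        ident = purl or f"{comp.get('name', '?')}@{comp.get('version', '?')}"
        if purl in policy["exceptions"]:
            continue  # the board has signed this one off; the ticket is the audit trail
        if purl is None:
            findings.append(Finding(ident, "no-purl", "component cannot be uniquely identified"))
        else:
            # A purl looks like pkg:<ecosystem>/<namespace?>/<name>@<version>
            ecosystem = purl.split(":", 1)[1].split("/", 1)[0]
            if ecosystem not in policy["allowed_ecosystems"]:
                findings.append(Finding(ident, "ecosystem", f"{ecosystem} is not an approved source"))
        if not comp.get("version"):
            findings.append(Finding(ident, "unpinned", "no version recorded"))
        algs = {h.get("alg") for h in comp.get("hashes", [])}
        if not algs & {"SHA-256", "SHA-512"}:
            findings.append(Finding(ident, "no-hash", "no SHA-256/SHA-512 digest to verify the artifact against"))
        ids = {lic.get("license", {}).get("id") for lic in comp.get("licenses", [])}
        ids.discard(None)
        if not ids:
            findings.append(Finding(ident, "no-license", "licence unknown"))
        elif not ids <= policy["allowed_licenses"]:
            findings.append(Finding(ident, "license", f"{sorted(ids - policy['allowed_licenses'])} not approved"))
    return sorted(findings, key=lambda f: (f.component, f.rule))


def should_block(findings: list[Finding]) -> bool:
    """Any remaining finding blocks the build; exceptions were already applied."""
    return bool(findings)


if __name__ == "__main__":
    results = review_sbom(SAMPLE_SBOM, POLICY)
    for f in results:
        print(f"{f.rule:11} {f.component}: {f.detail}")
    raise SystemExit(1 if should_block(results) else 0)
```

Run it as the last step after the SBOM generator in the pipeline; a non-zero exit fails the build. Note what this gate does and does not do: it checks that a digest is recorded in the SBOM, but verifying that the downloaded artifact actually matches that digest is the job of your lockfile and package manager. Keeping exceptions keyed by purl and tied to a ticket is what turns the review board's decisions into something an auditor can follow.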
Risk-based approaches
Unlike prescriptive standards, NIS2 demands a risk-based approach to cybersecurity. This means organizations must assess the specific risks they face, including potential threats to their operations, suppliers, and customers, and tailor their security measures accordingly.
What this means for DevOps and platform engineering
If you've never been in a threat modelling exercise before, you should be prepared for them. Start by mapping out your dataflows and the trust boundaries between them, from developer workstation through CI to production deployment. Understanding the risks facing you as a company, mapping them out and having a remediation strategy in place for each of them is a good starting point. From there, it's a case of development and iteration.
Accountability, cooperation, and penalties
Three aspects of NIS2 are less directly relevant for DevOps and platform engineering but should be discussed. Knowledge of them will help you understand exactly what we’re going to be dealing with.
For accountability: NIS2 puts cybersecurity squarely on the management body. Under Article 20, management must approve the cybersecurity risk-management measures, oversee their implementation, and can be held liable for infringements; members of management bodies are also required to follow training. The directive does not name a specific role, but in practice this means a CISO or equivalent who owns the programme, and a board that is briefed on cybersecurity risks and strategy.
Regarding cooperation: NIS2 promotes greater collaboration between EU member states, setting up a structured network for information sharing and joint cyber resilience efforts. Each member state must designate or establish one or more Computer Security Incident Response Teams (CSIRTs) to handle incidents, and those CSIRTs cooperate in an EU-wide CSIRTs network on large-scale incidents.
This cross-border cooperation also includes the European cyber crisis liaison organisation network (EU-CyCLONe), a structure aimed at coordinating the management of large-scale cybersecurity incidents and crises at EU level.
And finally, harsher penalties: NIS2 introduces tougher penalties for organizations that fail to comply with the set-out requirements. Essential entities may face fines of up to €10 million or 2% of global annual turnover (whichever is higher); for important entities the cap is €7 million or 1.4%. This puts NIS2 penalties in the same league as those under GDPR.
Prepare to meet the requirements of NIS2
At Eficode, we’ve actively supported customers in preparing their DevOps and platform engineering systems to meet the stringent requirements of NIS2.
We’ve explored threat models for CI/CD systems, built toolchains around Software BOMs and pipeline security, and expanded reporting capabilities with advanced observability. By partnering with us, organizations can ensure their infrastructures are secure, compliant, and ready for the upcoming regulatory changes.
Published: Oct 28, 2024