In 2016, the European Union (EU) introduced the Network and Information Security Directive (NIS) as its first cybersecurity legislation. The primary goal was to establish a high common level of security across the EU for essential services. The directive included legal measures to ensure that EU member states improved their cyber-readiness by establishing agencies such as a National Network and Information Systems Authority and a Computer Security Incident Response Team (CSIRT). Additionally, it aimed to instill a security culture in IT-intensive sectors of the economy, including energy, transport, water, banking, financial market infrastructures, healthcare, and digital infrastructure.
However, as cyber threats continued to evolve, the EU issued the NIS2 directive in January 2023 to raise the bar on cybersecurity compliance. NIS2 introduces several key updates and additions, including penalties and other enforcement actions for failing to meet risk management and reporting requirements. It also establishes the EU Cyber Crises Liaison Organisation (EU-CyCLONe) to manage large-scale cyber incidents across the EU. Furthermore, NIS2 strengthens security by focusing on specific disciplines and demands a formal reporting process for cybersecurity incidents.
Expanding the Scope
One significant change with NIS2 is the expanded scope of industries required to comply. While NIS covered sectors like healthcare, transport, banking, and digital infrastructure, NIS2 adds new industries such as public electronic communications networks or services, digital services (such as social networking services platforms and data center services), wastewater and waste management, space technology and operations, manufacturing of critical products (such as pharmaceuticals, medical devices, chemicals), postal and courier services, food, and public administration.
NIS2 Directive Security Disciplines
NIS2 also specifies key security disciplines that organizations must address. More than half of them are directly relevant to the implementation of application protection tools. While the directive does not include a detailed list of controls, it emphasizes the importance of these disciplines in ensuring cybersecurity resilience. They include:
- Incident handling and crisis management
- Vulnerability handling and disclosure
- Policies and procedures to assess the effectiveness of cybersecurity risk management measures
- Basic computer hygiene practices
- Supply-chain security
- Business continuity
What to look for in Network and Application Protection Solutions
To comply with disciplines 1-3 above, network and application protection solutions should provide early detection and prevention of cyber-attacks, backed by managed services and 24/7 emergency response teams. The prevention and detection capabilities must include automation that preemptively blocks malicious source IPs and thereby prevents unwanted devices and bots from sending requests to your applications. To achieve this, vendors can integrate several means into their tools: real-time intelligence feeds of active attackers; device and user validation mechanisms such as iOS/Android attestation and JavaScript validation; and, ideally, automated real-time cross-correlation of security events so that nefarious source IPs are blocked before they reach the application.
Application Security Solutions must protect against bad bots and web-based attacks and provide preemptive protection against new phenomena and vulnerabilities exploited in the wild. This kind of zero-day protection can be achieved by using AI and machine learning with advanced behavioral-based detection and mitigation. When it comes to security policies—whether it is for a WAF, Bot management, DDoS or API protection—they must be dynamic and rely on both negative and positive models (block lists and allow lists) to automatically adapt to evolving threats.
The vendor's service managers and emergency response teams should regularly update security policies across the board whenever a new zero-day vulnerability is found in the wild. Enterprises under their protection should be provided with detailed logging and reporting, annual and quarterly reviews with designated account managers, and security policy reviews by the managed services team, so that the effectiveness of cybersecurity risk management measures can be assessed.
Disciplines 4-6
Each of these is a bit more specific, so let us address them one by one:
Cyber Hygiene Practices: your network and application protection solution should provide a holistic security umbrella that satisfies the "due diligence" control requirements for comprehensive protection against all current cyber-attack vectors at layers 3-7, incorporating WAF, API Protection, DDoS Protection, Bot Management, and Client-side Protection, so that applications are protected against all types of threat vectors.
Business Continuity: For continued inbound and outbound access to data and applications, companies need a business continuity and disaster recovery solution that ensures no downtime or service disruption while also delivering optimized performance. Network and application DDoS Protection and Load Balancing solutions provide exactly that. Look for behavioral-based DDoS Protection solutions that can accurately mitigate DDoS attacks in real time and block only attack traffic without impacting legitimate users. For load balancing, incorporate a global server load balancing function so that, in the event of a complete site outage, traffic is redirected to other sites automatically with no service disruption, and, in the event of an internet link failure (or even just temporarily high delays), traffic is rerouted over the fastest of the remaining available links.
Supply Chain Security: To protect your applications from supply-chain attacks you need visibility of all third-party scripts running on the browser side of your applications. By implementing a client-side protection solution you can discover all third-party domains connected to your application and all the requests your scripts send to them. A proper solution should let you assess the threat level of each destination and block requests to suspicious third-party services in the supply chain. It should also be able to block requests from scripts that leak disallowed parameters, even when the destination is a legitimate third-party service.
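The inventory-and-verdict logic described above, as an added example that is not the vendor's code: it takes outbound requests observed from a page's scripts (a constructed sample here, standing in for resource timing entries or CSP violation reports), groups them by third-party host, flags hosts absent from an assumed allow list, and flags requests that carry assumed sensitive parameter names even to allowed hosts. The first-party site, allow list and sensitive-parameter names are placeholders.

```javascript
// Added example, not from the original article. All names below are assumptions.
const FIRST_PARTY = "shop.example";                                          // assumed first-party site
const ALLOWED_THIRD_PARTIES = ["cdn.example-cdn.net", "analytics.example-tools.com"]; // assumed allow list
const SENSITIVE_PARAMS = ["session", "token", "email", "card"];               // assumed leak indicators

// A host is first-party if it is the site host or one of its subdomains.
function isFirstParty(host) {
  return host === FIRST_PARTY || host.endsWith("." + FIRST_PARTY);
}

// Query-parameter names in the URL that match the sensitive list (case-insensitive).
function leakedParams(url) {
  return [...url.searchParams.keys()].filter((k) => SENSITIVE_PARAMS.includes(k.toLowerCase()));
}

// observed: [{ initiator, url }] records of requests made by scripts on the page.
// Returns one entry per third-party host with the initiating scripts, any parameter
// leaks, and a verdict the enforcement layer can act on.
function assessThirdPartyTraffic(observed) {
  const inventory = new Map();
  for (const { initiator, url: raw } of observed) {
    const url = new URL(raw);
    if (isFirstParty(url.hostname)) continue;      // only third-party destinations are in scope
    const entry = inventory.get(url.hostname) ||
      { host: url.hostname, initiators: new Set(), leaks: [], verdict: "" };
    entry.initiators.add(initiator);
    const leaked = leakedParams(url);
    if (leaked.length) entry.leaks.push({ initiator, params: leaked });
    inventory.set(url.hostname, entry);
  }
  for (const entry of inventory.values()) {
    if (!ALLOWED_THIRD_PARTIES.includes(entry.host)) entry.verdict = "block-unknown-destination";
    else if (entry.leaks.length) entry.verdict = "block-parameter-leak";   // allowed host, but leaking
    else entry.verdict = "allow";
    entry.initiators = [...entry.initiators].sort();
  }
  return [...inventory.values()].sort((a, b) => a.host.localeCompare(b.host));
}

// Constructed sample: requests observed from first-party and third-party scripts.
const SAMPLE = [
  { initiator: "https://shop.example/app.js", url: "https://api.shop.example/cart?session=abc" },
  { initiator: "https://cdn.example-cdn.net/ui.js", url: "https://cdn.example-cdn.net/fonts.css" },
  { initiator: "https://analytics.example-tools.com/tag.js", url: "https://analytics.example-tools.com/collect?email=a%40b.test&page=cart" },
  { initiator: "https://cdn.example-cdn.net/ui.js", url: "https://tracker.unknown-party.invalid/p?token=xyz" },
];

console.log(JSON.stringify(assessThirdPartyTraffic(SAMPLE), null, 2));
```

In a deployment the observed records would come from the client-side agent or from CSP `report-to` reports rather than a literal array, and the verdicts would drive policy rather than a log line.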
Contact us to learn more about how your organization can enhance its cybersecurity posture and ensure compliance with the security disciplines outlined in the NIS2 directive.