Your Comprehensive Guide to Simplifying NIS2 Compliance with Advanced Software Visibility
As the world continues to go digital, more and more critical data migrates to various IT infrastructures. These data storage sites are the target of increasing attacks that have the potential to halt the smooth functioning of our work lives, finances, travel, and personal communications and cost companies millions to remediate. The European Union’s recent NIS2 Directive is a regulatory attempt to increase cybersecurity across the region. In this article, we’ll look at what NIS2 is, the escalating cybersecurity risks that it addresses, who it affects, and tangible actions to comply with its provisions and enhance cybersecurity.
Cybersecurity Risk Climbs in 2024 and Beyond
Cybersecurity attacks continue to increase in both frequency and cost. The European Union Agency for Cybersecurity (ENISA) noted the concerning uptick in cybersecurity incidents in its 2024 Threat Landscape report:
“Throughout the latter part of 2023 and the initial half of 2024, there was a notable escalation in cybersecurity attacks, setting new benchmarks in both the variety and number of incidents, as well as their consequences.”
- Global cyber-attacks increased by 30% in Q2 2024.
- Threats against availability (Denial of Service), ransomware, and threats against data were the top 3 cybersecurity threats across 2023 and 2024, according to ENISA’s 2024 Threat Landscape report.
- 90% of all cyber incidents originate from human error or behavior such as weak passwords or falling for phishing attacks.
- The global average cost of a data breach in 2024 is $4.88M, a 10% increase from 2023 and the highest yearly figure recorded.
These attacks have devastating consequences and underscore our reliance on properly functioning IT infrastructure. While not malicious, the global CrowdStrike outage demonstrated the scale of what can go wrong. In early 2024, Tietoevry was the target of a ransomware attack, disrupting services in companies, universities, government agencies, and municipalities across Sweden.
In the EU, geopolitical factors like the recent election and regional conflicts are cited as causes for the increase in cybersecurity breaches. Other global contributors are our ever-increasing reliance on digital platforms, where more and more sensitive data is stored, and the rise of artificial intelligence, which malicious actors now use to enhance the efficacy of their cyberattacks. In light of this, the EU has taken actions to increase cybersecurity resilience through the NIS Directive and its most recent iteration, the NIS2 Directive.
What Does the NIS2 Directive Require?
The NIS2 Directive is designed to strengthen cybersecurity practices across the EU. It entered into force on 16 January 2023, giving member states until 18 October 2024 to incorporate it into national law.
Building on the NIS Directive, NIS2 extends its scope to cover new industry sectors. It also emphasizes risk evaluation and mitigation strategies to prevent cybersecurity incidents from occurring, as well as cross-border knowledge-sharing on cyber threats. Its reporting guidelines require a preliminary report when an incident is first detected, a full notification report, and a final incident report.
The Directive also introduced increased focus on supply chain security and third-party risk management. The Directive requires companies to evaluate “the vulnerabilities specific to each direct supplier and service provider and the overall quality of their suppliers' and service providers' cybersecurity products and practices, including their secure development procedures.”
Non-compliance with the Directive is costly. Maximum fines for non-compliance are set at €10 million or 2% of global annual revenue, and €7 million or 1.4% for essential entities.
Who Will the NIS2 Directive Affect?
NIS2 applies to all companies in the EU with 50+ employees and an ARR of at least €10 million, and non-EU companies delivering services within the EU. It also extends the scope of NIS from essential services to providers of essential and important services such as energy, electricity, transport, banking, health, water, digital infrastructure, public administration, and space.
Steps to Becoming NIS2 Compliant
The Directive requires companies to mitigate risk and improve the security of their digital systems. Because every organization’s risk exposure is unique, the preparation steps will differ across sectors and organizations. Access control security specialists Okta recommend that companies prepare by taking the following steps:
- Identify, assess, and address your risk position.
- Make efforts to safeguard privileged access.
- Strengthen your ransomware defenses.
- Adopt a Zero Trust strategy.
- Finally, scrutinize your software supply chain.
Most of these preparation points are part of companies’ security practices. However, the increased focus on third-party risk and supply chain security typically falls under the control of professionals responsible for software and IT provisioning. NIS2 compliance will require collaboration between them and legal, financial, procurement, and security departments.
The SaaS Connection: Managing Third-Party Risk Exposure with Software Visibility
The focus on supply chain security and third-party risk aims to prevent cybersecurity incidents by encouraging companies to prioritize vendors with secure development, privacy, and data management practices. SaaS software increases the likelihood of shadow IT and exposes vendors to risk because data is stored in data centers that they are not responsible for managing. Therefore, controlling SaaS is vital to achieving compliance with NIS2.
Despite procurement teams' efforts to track new software contracts, surveys indicate that only 3% of IT executives have complete visibility of their current SaaS tools. App provisioning outside of official procurement processes contributes to the visibility problem. Balancing the objectives of agile, business-owned provisioning, vetting vendors, and tracking software purchases centrally is no easy task.
Practical Strategies for NIS2 Compliance
These are some recommendations for building bridges between Software Asset Management, procurement, and IT security teams when working toward NIS2 compliance:
- Require documentation and proof of NIS2 security standards from potential vendors as part of the procurement process. This also ensures a strong paper trail of due diligence in the event of a security incident.
- Utilize a Software Asset Management tool to increase visibility. Software visibility, and visibility of unapproved SaaS apps in particular, is the minimum starting point for compliance with NIS2 in fast-moving business environments.
- Foster regular data sharing between relevant stakeholders on software, GDPR risk, vulnerable installations, end-of-life information, and malware. This allows departments to collaborate on consolidation efforts and risk monitoring.
- Build collaborative reporting practices across relevant departments to track security incidents connected to existing vendors. With a reliable record of apps, vendors, users, and usage behavior, policies can be built on concrete data.
- Automate the blocklisting of high-risk applications, and build automated notification systems when restricted apps are installed for fast risk response. Learn how Xensam's Integration Platform can enable this in our on-demand webinar.
- Address the human element of risk by conducting regular training and knowledge-sharing around cybersecurity best practice, including best practices for the provisioning of new applications.
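The automated blocklisting and notification step above, as an added example that is not part of the original article and not Xensam’s code: a Python script that reconciles a software-inventory feed against a blocklist and an approved-vendor register, raising a high-severity alert for restricted installations, a medium-severity alert for apps from publishers that procurement has never vetted (likely shadow IT), and a low-severity alert for approved vendors whose security documentation is still missing. The inventory, blocklist, vendor names and hosts are all constructed sample data; a real deployment would pull the inventory from the SAM tool’s discovery feed and route the notifications to a ticketing or chat system.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample inventory, shaped like a SAM agent / SaaS discovery feed.
# Every host, user, app and publisher below is hypothetical.
INVENTORY = [
    {"host": "wks-0142", "user": "j.doe", "app": "Example Office Suite",
     "publisher": "Example Office Corp", "source": "agent"},
    {"host": "wks-0142", "user": "j.doe", "app": "ExampleRemoteAdmin",
     "publisher": "Unknown", "source": "agent"},
    {"host": "wks-0203", "user": "a.smith", "app": "Example Notes Cloud",
     "publisher": "Example Notes Inc", "source": "saas-discovery"},
    {"host": "wks-0203", "user": "a.smith", "app": "Example CRM",
     "publisher": "Example CRM GmbH", "source": "saas-discovery"},
    {"host": "srv-db-01", "user": "svc-backup", "app": "Example Backup",
     "publisher": "Example Office Corp", "source": "agent"},
]

# Constructed blocklist: normalised app name -> reason it is restricted.
BLOCKLIST = {
    "exampleremoteadmin": "unapproved remote-control tool",
    "examplecryptominer": "known malware family",
}

# Constructed vendor register as procurement might keep it after NIS2
# due diligence: vendor -> whether a security attestation is on file.
APPROVED_VENDORS = {
    "Example Office Corp": {"nis2_attestation": True, "attested_on": "2024-09-30"},
    "Example CRM GmbH": {"nis2_attestation": False, "attested_on": None},
}


@dataclass(frozen=True)
class Alert:
    severity: str      # "high" | "medium" | "low"
    host: str
    user: str
    app: str
    publisher: str
    reason: str
    action: str


def normalise(name: str) -> str:
    """Case- and whitespace-insensitive key so 'Example  CRM GmbH' matches."""
    return "".join(name.lower().split())


def evaluate_record(rec: dict, blocklist: dict, vendors: dict) -> Optional[Alert]:
    """Classify one inventory record; returns None when nothing needs attention."""
    app_key = normalise(rec["app"])
    vendor = vendors.get(normalise(rec["publisher"]))
    base = dict(host=rec["host"], user=rec["user"], app=rec["app"], publisher=rec["publisher"])
    if app_key in blocklist:
        return Alert("high", reason=blocklist[app_key],
                     action="block installation and open an incident ticket", **base)
    if vendor is None:
        return Alert("medium", reason="publisher not in approved-vendor register (possible shadow IT)",
                     action="route to procurement for vendor vetting", **base)
    if not vendor["nis2_attestation"]:
        return Alert("low", reason="approved vendor without security attestation on file",
                     action="request supplier security documentation", **base)
    return None


def evaluate_inventory(inventory: list, blocklist: dict = BLOCKLIST,
                       vendors: dict = APPROVED_VENDORS) -> list:
    """Run every record through the policy; vendor keys are normalised once here."""
    vendors_norm = {normalise(k): v for k, v in vendors.items()}
    alerts = []
    for rec in inventory:
        alert = evaluate_record(rec, blocklist, vendors_norm)
        if alert is not None:
            alerts.append(alert)
    return alerts


def summarise(alerts: list) -> dict:
    """Severity counts, handy for a compliance dashboard or a weekly report."""
    counts = {"high": 0, "medium": 0, "low": 0}
    for alert in alerts:
        counts[alert.severity] += 1
    return counts


def format_notification(alert: Alert) -> str:
    """One-line message suitable for a ticket title or chat notification."""
    return (f"[{alert.severity.upper()}] {alert.app} ({alert.publisher}) on {alert.host} "
            f"installed by {alert.user}: {alert.reason}. Action: {alert.action}")


if __name__ == "__main__":
    found = evaluate_inventory(INVENTORY)
    for a in found:
        print(format_notification(a))
    print(summarise(found))
```

Running the script prints three notifications (one per severity) for the constructed inventory and a summary of `{'high': 1, 'medium': 1, 'low': 1}`. Keeping the policy in plain data (blocklist and vendor register) rather than in code lets procurement and security maintain those lists jointly, which is the cross-department collaboration the Directive pushes for.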
These measures will help companies demonstrate that they have taken all reasonable steps to ensure the security of their software environments, as required by NIS2. Xensam’s Security Center can support this by offering an easy-to-access overview of security metrics from software environments.
Conclusion
The NIS2 Directive aims to increase cybersecurity resilience across the EU, with increased focus on third-party risk management. While vendor investigation will heavily involve procurement teams, decentralized provisioning by lines of business is becoming more and more common. Unseen apps are a barrier to compliance, but automated software visibility is the answer. Current estimates reveal 64% of companies don't use automated tools for managing software licenses, leaving them to rely on manual management of licenses, contracts, and vendors. In light of the Directive, companies will have to make the shift to advanced tools that guarantee visibility and enable compliance. SaaS-native Software Asset Management technology is no longer a “nice-to-have" tool for large companies seeking to cut costs. It’s a must-have to safeguard the risk management of software assets.