Network and Information Security Directive 2 (NIS2)¶
We are not lawyers, and this is not legal advice.
It is your responsibility to determine which laws apply to you and how best to comply with them. In case of doubt, consult your Data Protection Officer (DPO) or equivalent.
The NIS2 Directive stands as a comprehensive EU-wide cybersecurity legislation, aimed at elevating the overall state of cybersecurity across the European Union. Imposing legal measures, it serves to fortify the digital landscape in the region.
Initiated in 2016, the EU's cybersecurity regulations underwent a substantial transformation with the enactment of the NIS2 Directive in 2023. This update was imperative to adapt to the expanding realm of digitization and the continuously evolving cybersecurity threats. The directive's enhancements extend the applicability of cybersecurity regulations to novel sectors and entities, thereby enhancing the resilience and response capabilities of public and private bodies, competent authorities, and the entire EU.
The NIS2 Directive, officially titled the Directive on measures for a high common level of cybersecurity across the Union, imposes legal requisites to augment cybersecurity throughout the EU. Its key provisions encompass ensuring the preparedness of Member States, mandating the establishment of essential capabilities like a Computer Security Incident Response Team (CSIRT) and a competent national network and information systems (NIS) authority. Furthermore, it promotes cooperation among Member States through the establishment of a Cooperation Group, fostering strategic collaboration and information exchange.
The directive seeks to instill a culture of security across critical sectors vital for the economy and society, heavily reliant on information and communication technologies (ICTs). These sectors include energy, transport, water, banking, financial market infrastructures, healthcare, and digital infrastructure.
To uphold the directive's objectives, businesses identified by Member States as operators of essential services in the specified sectors must implement suitable security measures and promptly report significant incidents to relevant national authorities. Similarly, key digital service providers, such as search engines, cloud computing services, and online marketplaces, are obligated to adhere to the security and notification requirements outlined in the directive.
Which sectors are covered by the NIS2 Directive?¶
Many more sectors than in the previous iteration. Society has become more digital and, as a result, more vulnerable to cyberattacks. Many use cases where Compliant Kubernetes has been successfully used in the past are clearly in scope for NIS2, including sectors of high criticality such as healthcare, banking and the financial market, and general public administration.
The official FAQ lists the sectors in scope as follows:
Sectors of high criticality: energy (electricity, district heating and cooling, oil, gas and hydrogen); transport (air, rail, water and road); banking; financial market infrastructures; health, including manufacture of pharmaceutical products such as vaccines; drinking water; waste water; digital infrastructure (internet exchange points; DNS service providers; TLD name registries; cloud computing service providers; data centre service providers; content delivery networks; trust service providers; providers of public electronic communications networks and publicly available electronic communications services); ICT service management (managed service providers and managed security service providers); public administration; and space.
Other critical sectors: postal and courier services; waste management; chemicals; food; manufacturing of medical devices, computers and electronics, machinery and equipment, motor vehicles, trailers and semi-trailers and other transport equipment; digital providers (online market places, online search engines, and social networking service platforms) and research organisations.
How does the NIS2 Directive relate to Compliant Kubernetes?¶
The NIS2 Directive shares a strong connection with two additional initiatives: the Critical Entities Resilience (CER) Directive and the Regulation for Digital Operational Resilience in the Financial Sector, commonly known as the Digital Operational Resilience Act (DORA).
These directives and regulations affect how Compliant Kubernetes is composed at an architectural level and how it is configured for specific use cases, depending on industry needs. Please see the following pages, also linked in the sidebar, for the specific measures implemented to meet these demands:
- KRITIS (Germany)
- BSI IT Grundschutz (Germany)
- MSBFS 2018:8 (Sweden)