NIS2 Directive: Enhancing cyber security, also in the data center sector

The Network and Information Security Directive (NIS2) is a significant legislative update by the European Union aimed at boosting cyber security and protecting critical infrastructure. In a recent article, we introduced NIS2 and discussed its structure and some of its measures. Now, we delve a little deeper into what NIS2 will mean for data centers, with the help of Arnaud Martin, Expert Cyber security Regulation & Standardisation at Agoria. Agoria is a Belgian employers organisation that has more than 2000 technology companies from the manufacturing industry and the digital and telecom sectors among its members.

What are the main changes introduced by the NIS2 legislation compared to the original NIS Directive?

Arnaud Martin: “The NIS2 Directive broadens the scope of its predecessor. It aims to achieve a high level of cyber security across the EU by standardising measures and responsibilities. If we keep that goal in mind, six main changes stand out:

1. The scope extension includes a whole array of sectors that weren’t included in the NIS directive. Size criteria were also added.
2. Self-registration is an obligation. Originally, the authorities had to designate you as being in NIS. A process that not every country followed equally well. Now companies of a certain size are automatically included, shifting the responsibility of registration to the companies themselves. Delays are eliminated and more comprehensive coverage is ensured.
3. Standardised cyber security measures are now mandatory across member states, reducing fragmentation. If every country has their own guidelines, that doesn’t work. Countries can still add to the standard measures, but at least there is a clear base for everyone.
4. Top management responsibilities are emphasised, holding them accountable for breaches. Cyber security is now a responsibility at the highest level, not just of the IT department.
5. Extended reporting obligations require early notifications and regular updates on incidents. You must alert the authorities and any affected parties.
6. National cyber security response teams have gained more authority to support and coordinate efforts.”

Which sectors are now covered by the NIS2 Directive that were not included in the original NIS Directive?

Arnaud Martin: “NIS2 includes a broad array of new sectors but also subsectors that weren’t included yet. For example, digital infrastructure was already in the original NIS, but now it also covers data centers. Content delivery networks, electronic communications, trust service providers, and ICT service management were also added to that category. The public administration sector is now included, which is crucial as breaches affect large groups of people. Hospitals are now specified, alongside the general healthcare sector. On top of that, Annex II lists other -slightly less- critical sectors that are still considered important like postal and courier services, waste management, chemicals, food manufacturing, and research.”

Why was this NIS directive update necessary?

Arnaud Martin: “The update was necessary to address evolving requirements and existing problems with the original NIS directive. The six main changes discussed above, are the areas that needed improvement and clarity. There were inconsistencies in scope and varying cyber security measures across countries. The new self-registration mechanism ensures comprehensive coverage, and the extended scope addresses sectors previously overlooked. These changes aim to create a more consistent and robust cyber security framework across the EU.”

Do companies still underestimate the importance of cyber security?

Arnaud Martin: “It really depends on the sector. In industries like banking, energy, and telecom, cyber security is ingrained in their operations. However, many companies, even in the digital sector, still do not fully grasp its importance. NIS2 helps level the playing field, as the same regulations apply all over Europe. It will set a new standard, much like what happened to quality management by introducing certifications like ISO9001, which are now well known and commonly used and required.”

Impact on Data Centers

How will the new NIS2 requirements affect the operational procedures of data centers?

Arnaud Martin: “Data centers usually have security, including cybersecurity, very high in their priorities. However, NIS2 might still impact various operational aspects of data centers as it mandates cyber security integration into all critical business processes. This includes identifying those critical business processes and data, and ensuring these are adequately protected, guaranteeing continuity. More specifically: defining and updating policies, maintaining stringent access controls and up-to-date asset handling, and regularly reviewing procedures. It’s a comprehensive organisational challenge that requires continuous updates and clear definitions of roles and responsibilities. Some data centers will already have this covered: a company that is ISO27001 certified is expected to already be compliant with NIS2, since it even goes a little beyond NIS2’s requirements. But even these data centers shouldn’t leave anything to chance. The EU is currently working on an Implementing Act, which will detail specific measures, and data centers need to review and adapt their procedures accordingly. A draft of this implementing act is currently being finalised, detailing the different measures across 27 pages.”

What specific measures must data centers take to comply with the NIS2 regulations?

Arnaud Martin: “Leadership responsibilities are clearly defined. Senior management must approve cyber security measures and undergo training to understand and manage risks. Data centers must also provide regular cyber security training to all staff, ensuring awareness and competence. Worst-case scenarios must be covered, with a disaster recovery plan, proper back-up and crisis management”

How can data centers adapt their risk management processes to meet the NIS2 guidelines?

Arnaud Martin: “Data centers should refine their risk management processes by conducting thorough analyses and evaluating existing procedures. The Implementing Act provides a detailed approach of 10 steps, and compliance with certifications like ISO 27001 can aid in meeting these requirements. Regular updates and audits are essential to ensure ongoing compliance and effectiveness.”

What are the implications of the new supply chain security requirements for data centers?

Arnaud Martin: “NIS2 places significant emphasis on supply chain security, which might become the most impactful change. The draft Implementing Act includes four selection criteria and nine elements to specify in contracts. Data centers must evaluate and monitor their suppliers regularly, ensuring they meet strict cyber security standards. Contracts should specify security measures, including background checks and audit reports. This thorough approach can have a waterfall effect to third and even fourth-party suppliers, necessitating a comprehensive and continuous evaluation process.”

What are the new incident reporting requirements under NIS2 and how can data centers prepare for them?

Arnaud Martin: “NIS2 mandates early notifications to the relevant authorities within 24 hours of detecting an incident, followed by an initial assessment within 72 hours and a detailed report after a month. In view of their criticality, data centers should invest in advanced incident detection and response tools and consider establishing a Security Operations Center (SOC) to handle incidents effectively, if it isn’t in place yet. Preparedness involves having structured procedures and trained personnel ready to respond 24/7 to incidents promptly.”

Are there specific technologies or actions you recommend for data centers to be prepared for the NIS2 requirements?

Arnaud Martin: Data centers should invest in robust incident detection and response tools, such as Extended Detection and Response (XDR) and Network Detection and Response (NDR). When it comes to managing their SOC, Data centers might also consider partially outsourcing incident response for an extra set of eyes. Not fully though, as building your own expertise can be beneficial as well. Regular evaluations and updates of cyber security measures are crucial to stay compliant with NIS2 requirements.

Conclusion

NIS2 represents a significant step towards strengthening cyber security across the European Union. For data centers, this directive brings both challenges and opportunities. By adhering to NIS2 requirements and fostering a proactive security culture, data centers can enhance their resilience against cyber threats and contribute to a more secure digital ecosystem.

Please note that this article is not a substitute for in-depth training on this topic. For further guidance, data centers can consult cyber security experts or refer to the official documentation provided by the European Commission.