Understanding NIS2 Compliance and How SASE Can Help

The European Union’s Network and Information Systems Directive 2 (NIS2) is a big deal for improving the EU’s cybersecurity stance. Kicked off in January 2023—with a compliance deadline of October 18, 2024—the Directive is designed to beef up cyber defences across key sectors. From energy to healthcare, banking to digital infrastructure, if you’re in these fields, NIS2 isn’t just advisable; it’s a must, with fines ranging up to €10 million or 2% of the total global revenue for the previous year and C-level executives held personally liable. You can read a little more about the motivations in this blog post from our archive.  While this all sounds very intimidating, technology can do a lot of the heavy lifting in assisting with compliance.

Who Needs to Plan for NIS2?

Casting a wider net than its predecessor (NIS), the NIS2 Directive now covers 18 sectors including businesses and organisations that provide services which are essential to the EU’s smooth sailing on a societal and economic level. Basically, if your organisation is critical to the EU’s wheels turning smoothly—think energy, healthcare, finance, and several others—you’re on the list. And that list of sectors is broken down in two categories: Highly Critical and Other Critical.

Understanding The Next Layer: Essential vs. Important Entities

If your organisation is within the scope of the NIS2 directive, it’s crucial to grasp the next layer–two further categories defined in NIS2: Essential and Important entities.

Now, both Essential and Important entities are expected to meet the same security standards, but, how they’re penalised and overseen varies, and it usually boils down to your organisation’s size. If you’re classed as Essential, you will be subject to proactive supervision to make sure you are ticking all the boxes of the Directive. If you are classed as Important you will receive only reactive supervision, kicking in only if the authorities receive evidence of non-compliance.

Think You’re Off the Hook with NIS2? Think Again.

Not directly under NIS2’s umbrella? You might not need to scramble for compliance, but don’t tune out just yet. As we saw with GDPR, other countries may well follow suit and require organisations to implement similar basic cyber hygiene and risk management controls. And don’t forget the supply chain ripple effect. With NIS2 covering a broad spectrum, many organisations will need their partners to up their security game. So, you might find yourself pulled into the compliance orbit because your clients are.

How does the Netskope SASE platform help with NIS2 compliance?

We have completed a detailed mapping of the NIS2 Directive to make it clear how a secure access service edge (SASE) approach to security and networking will help you get ready for the deadline. It’s an honest review, so let’s rip the bandaid off quickly: No single platform is going to fully cover all of the 10 minimum security measures required by NIS2 (and we know platforms). But that’s to be expected with any regulation.  

The good news is, the Netskope One platform is a global leader in SASE, with an open architecture designed to support the defence-in-depth approach you need to deliver essential cyber hygiene practices, such as zero trust principles, software updates, device configuration, network segmentation, identity and access management, and user awareness. Our handy NIS2 Directive compliance guide breaks down exactly which elements of NIS2 SASE will help to address—and there are a lot—including key areas like these: 

• Comprehensive Policy Enforcement: Netskope offers tools for mapping, inventorying, and securing Critical Information Systems (CIS) across web, cloud, and on-premises environments, including security assessments, audits, and auto-remediation options for cloud services.
  
• Advanced Incident Handling: The Netskope One platform supports incident management with mitigation controls to contain threats and uses both signature and non-signature-based detections to prevent malicious activities within networks and CIS systems.
  
• Business Continuity: Netskope ensures operational reliability with a 99.999% availability, aligning with NIS2 requirements for business continuity management during security incidents.
  
• Supply Chain Security: The platform aids in identifying security risks in the supply chain, especially for services deployed via the cloud, and evaluates the security posture of 80,000+ Cloud Service Providers through its Cloud Confidence Index.
  
• Robust Security Measures: With SASE capabilities, Netskope ensures secure connections and access to network and information systems, employing zero trust principles and providing both threat and data protection controls to safeguard against cyber-attacks.

The Road to NIS2 Compliance

With NIS2 setting the bar high for cybersecurity standards, the clock is ticking for organisations to align their defences. But as you start to reexamine security investments in the run up to the deadline of October 18, 2024, take the opportunity to squeeze out the waste and establish a cybersecurity ecosystem where each component not only works well, but also  compliments and integrates with one another. 

Download the Netskope guide to the NIS2 Directive here, to find out how we map to each of the security measures required, line by line, control by control, to get your journey to NIS2 compliance off to a great start.