Blog

Preparing for Europe’s Most Extensive Cybersecurity Directive, NIS2 – What AppSec teams need to know

5 min.

February 7, 2024

Regulations are constantly evolving, becoming more punitive with larger fines and penalties. Businesses must stay responsive to the changes around us and part of this means taking into consideration how upcoming legislation will affect your organization and how you should prepare.  This includes understanding what policies and processes must be implemented to remain compliant.  But it is not just about ticking a compliance box, it is also about ensuring you have safeguards in place to protect the business and that your organization remains competitive. As new regulations come into force, you are likely to find that many of your partner organizations will require proof of compliance before doing business with you.

In particular, the regulations that will impact cyber and application security teams in 2024 are the EU Cyber Resilience Act (CRA), the Digital Operational Resilience Act (DORA), and the Network and Information Security Directive (NIS2).

  • The CRA introduces mandatory cybersecurity requirements for hardware and software products, throughout their whole lifecycle, and is expected to come into force in 2024; manufacturers will have to apply the rules no later than 36 months afterwards.  
  • DORA is a crucial legislative framework that mandates operational resilience for financial institutions within the EU. DORA comes into force in January 2025, and it requires organizations to prepare for and withstand operational disruptions, including cyberattacks and technology failures.
  • The NIS2 Directive is the most comprehensive European cybersecurity directive to date. It has stricter requirements for risk management and incident reporting, wider coverage of sectors, and more hard-hitting penalties for non-compliance. This will impact hundreds of thousands of organizations who will need to reassess their cybersecurity posture. The EU introduced the NIS2 Directive in January 2023, and it becomes law in October 2024.

Like any new legislation, understanding the precise language used can be daunting. Here I examine what NIS2, the most imminent new regulation, means for application security teams.

NIS2 Explained 

The NIS2 Directive is an updated EU cybersecurity law that builds on the original NIS Directive (NISD). The goals of NIS2 are to boost cybersecurity, simplify reporting, and create consistent rules and penalties across the EU. By expanding its scope, NIS2 requires more businesses and sectors to take cybersecurity measures, with the goal of raising the standard of Europe’s cybersecurity performance in the long run. With stricter rules to overcome previous limitations, NIS2 impacts a wider range of industries. Entities under NIS2 are classified as essential or important, and the directive outlines security requirements as well as a process for incident reporting. It is estimated that 160K+ companies will be affected by NIS2, with a €10 million maximum fine for non-compliance. 

There were several factors that necessitated the replacement of the previous NISD. These factors primarily revolved around the consensus that the legislation needed to be more stringent, and that its implementation required a greater level of uniformity across the EU. This was based on evidence in a 2020 study by ENISA which found that EU organizations allocated 41% fewer resources to information security than their US counterparts, despite NISD being in place for four years.  The report also highlighted that there was unclear guidance around how to apply the Directive. Layer onto this a significant rise in cyberattacks, with organizations across Europe increasingly affected by ransomware and other types of cyberattacks. Additionally, there was a perceived lack of transparency in the reporting of cyberattacks.

Reporting Obligations and Risk Management

To this point, the NIS2 Directive mandates the reporting of “significant incidents” within 24 hours and less significant incidents within 72 hours. Effectively, if you are hacked and the impact will affect your customers and partners, disrupting the products or services you deliver, you must tell the relevant authorities through prescribed channels. If you fail to do this correctly, your organization and its directors can be publicly named as being non-compliant, and fines or other sanctions may be issued.

The directive requires organizations to take a risk management approach to cyber security. Organizations must identify and reduce risk as far as possible, then implement robust procedures to manage incidents. AppSec plays a critical role in risk reduction by providing visibility over vulnerabilities so they can be remediated before they are exploited. An effective AppSec program will contribute significantly to minimizing the number of incidents that have to be reported. In contrast, if you are regularly reporting incidents, you can expect to find your AppSec program under investigation by authorities.    

Therefore, AppSec managers must take appropriate technical, operational, and organizational measures to manage the risks posed to the security of their systems, and to prevent or minimize the impact of incidents on recipients of their services. Additionally, AppSec managers are responsible for making sure their developers are properly trained and that the quality of software development is being maintained. AppSec managers must be able to prove to authorities that they have robust processes for software development and that they deploy secure applications into production.

Every company is part of someone’s supply chain 

Today the regulatory environment is increasingly focused on supply chains, with Biden’s Executive Order 14028 introduced in 2021 now joined by NIS2. Even organizations that aren’t directly in the scope of these regulations will find they are affected if they want to sell to companies that are. Every company is part of someone’s supply chain. 

In part, that’s because open source software (OSS) has become integral to software development. Its use is widespread, making up on average 80% of a typical code base. However, open source packages bring inherent risks such as vulnerabilities and license non-compliance. So, having clear visibility over your open source libraries as well as knowing how your suppliers are protected will be paramount. A sobering thought: the US Securities and Exchange Commission (SEC) recently charged SolarWinds and its CISO with fraudulent internal controls for failing to disclose known material cybersecurity risks and vulnerabilities. While these were risks that were known but not disclosed, organizations are also liable for risks that they fail to identify due to monitoring and due diligence failures. 

NIS2 addresses supply chains in Article 22 and AppSec managers will need to pay close attention to this. Here at Checkmarx our Checkmarx One platform enables AppSec teams to better manage open source and software supply chain risk. It integrates a comprehensive suite of AppSec solutions including SAST, SCA, SCS, API Security, DAST, Container and IaC Security. We believe it’s not just about complying with this new Directive and finding risk but remediating it across the entire application footprint and software supply chain with one seamless process that simplifies compliance for everyone. 

So, what steps should AppSec managers take to get ready for NIS2 compliance?  If you want to learn more, register for our NIS2 webinar here.

For AppSec managers and CISOs it’s important to take reasonable action so that they and their board of directors can sleep well at night without having to worry about cyber incidents. Incidents will continue to happen – we all know that, and it’s part of the reason why regulations like NIS2 exist. The focus should be on doing what you can to prevent them, and preparing our environment so we can follow the rules if an incident happens.