The role of incident response in handling IT security incidents

The rapidly evolving threat landscape and the increasing interconnectivity of critical infrastructure systems have raised the importance of cybersecurity in recent years. The European Union (EU) has responded by revising its Network and Information Security (NIS) Directive and launching the new NIS2 Directive to expand security standards and establish incident response as a central component of IT security management. Its aim is to strengthen the resilience of critical sectors against cyber threats.

In this article, we highlight the importance of NIS2 compliance and the pivotal role of incident response in managing IT security incidents. We explore the requirements of the NIS2 Directive and explain how entities will need to adapt their incident response processes to comply with them.

NIS2 Directive: a brief introduction

Once it has been transposed into national law, the NIS2 Directive will replace its 2016 predecessor, which was in need of revision. The aim is to raise the level of network and information system security across the EU. The Directive mainly targets critical infrastructures, including sectors such as energy, transport, finance, health care and digital services.

The NIS2 Directive significantly expands the group of covered entities (with approximately 30,000 organizations now affected in Germany) and introduces stricter risk management standards and reporting obligations. Entities classified as “essential” must ensure that their cybersecurity measures are compliant. In addition to organizational measures such as risk assessments and employee training, the Directive places emphasis on the ability to respond to security incidents. This is where incident response comes into play.

The role of incident response in handling IT security incidents

Incident response describes the structured process for identifying, evaluating and resolving security incidents in IT systems. The NIS2 Directive stresses that this aspect is essential, not only in preventing security incidents, but also in responding to them effectively and immediately when they occur.

Incident response is designed to minimize the impact of an incident, prevent further damage from occurring and restore affected systems to normal operation as quickly as possible.

An effective incident response program comprises several phases, some of which precede an actual incident:

  1. Preparation: Proactive planning is key to successful incident response. Before anything happens, entities must define and document security policies, train employees and assemble incident response teams that can react immediately in an emergency. In addition, communication plans and reporting protocols must be put in place so that actions can be taken quickly and effectively when an incident occurs. As a preparatory measure, retainer contracts with service providers who respond to advanced persistent threats (APT) have become commonplace in the market; their services can then be accessed quickly and without administrative hurdles when needed.
  2. Identification: This phase is about detecting an actual incident. Rapid identification is crucial to minimize the impact of an attack. This is where technologies such as intrusion detection and prevention systems (IDPS) and security information and event management (SIEM) come into play: they monitor and analyze anomalies and suspicious activities in real time.
  3. Containment: Once an incident has been detected, it must be contained to prevent the damage from spreading. This can be done by segmenting affected networks or shutting down compromised systems. The response requires careful consideration to avoid unnecessarily jeopardizing business continuity. Professional help, either internal or external, is essential to ensure that the right action is taken and the incident is dealt with effectively.
  4. Eradication: Once the incident has been contained, its causes must be identified and eliminated. This may include removing malware, closing security gaps or resetting affected user accounts.
  5. Recovery: In this phase, the affected systems are restored to normal operation. It is vital to ensure that all systems are completely clean and free of vulnerabilities before they go back online. However, the decision is often made to completely rebuild the affected systems to ensure that all potential threats have been eliminated and that they can be safely restarted.
  6. Lessons learned: Analyzing an incident is crucial to understanding its causes, identifying improvements that prevent vulnerabilities from arising in the future and developing more effective response processes. This requires comprehensive documentation of all activities carried out during the acute incident response phase.

Requirements of the NIS2 Directive for incident response

The NIS2 Directive defines specific requirements for entities relating to incident response and reporting obligations. A major new rule is the obligation to report security incidents that could have a “significant impact” on an entity’s ability to provide a service. This not only refers to successful attacks, but also incidents where a serious threat was detected but successfully averted.

Entities must submit an early warning to the competent authorities within 24 hours, initially providing a first ­assessment of the impact of the incident. This must be followed by a detailed report describing the incident, the measures taken and an initial damage assessment, to be submitted within 72 hours.

Furthermore, the NIS2 Directive requires entities to include external partners in their strategy for managing cyber incidents. This is to ensure comprehensive responsiveness along the entire supply chain.

Another important aspect is the availability of personnel and resources for incident response. Entities must ensure that trained staff are available at all times so that they can act immediately in the event of a security incident. This also includes working with specialized incident response service providers if internal resources are insufficient.

Technology support for incident response

The NIS2 Directive is predicated on the use of technology solutions by entities to effectively detect and manage security incidents. Automated security tools such as SIEM, IDPS and endpoint detection and response (EDR) are indispensable components of a state-of-the-art incident response program.

Such systems help entities to monitor potential threats in real time and react immediately. They collect data on suspicious activities, analyze it and provide recommendations for action to the incident response team. Combined with artificial intelligence (AI), these systems can also increasingly perform proactive threat analyses and identify suspicious behavior patterns before an incident escalates.

Challenges in implementing the NIS2 requirements

Implementing the NIS2 requirements also poses considerable challenges for entities. Small and medium-sized entities (SMEs) in particular may have difficulty allocating the necessary resources and therefore run the risk of not having an adequate level of protection as defined by the NIS2 Directive. Specialized incident response service providers can be a useful addition to internal resources to meet the Directive’s requirements.

The NIS2 Directive represents a significant step forward in the regulation of cybersecurity within the EU. It demands a higher level of accountability and transparency from entities when handling IT security incidents and emphasizes the central role of incident response. An effective incident response program is essential to comply with the Directive and at the same time minimize the impact of cyber attacks.

Entities that want to meet the requirements of the NIS2 Directive will need to closely examine their incident response processes and adapt them if necessary. This will require not only investment in technology but also organizational measures that enable a quick and effective reaction in an emergency, as this is the only way to manage the risks emerging in an increasingly complex threat landscape.

Author

Bodo Meseke
EY GmbH & Co. KG Wirtschaftsprüfungsgesellschaft
Partner, Forensic & Integrity Services

bodo.meseke@de.ey.com
de.ey.com/eyforensics

Author

Marco Beck
EY GmbH & Co. KG Wirtschaftsprüfungsgesellschaft
Senior Manager, Forensic & Integrity Services

marco.beck@de.ey.com
de.ey.com/eyforensics