Preparing for the NIS2 EU directive

Ilkka Turunen at Sonatype outlines what businesses need to know about NIS2 (even if they are not trading directly in Europe)

The Network and Information Security Directive (NIS2) is an essential framework to ensure the cyber-security of digital infrastructure across the European Union across many industries.

Although this directive doesn’t directly affect UK businesses, companies may still feel its impact if they sell software products to the EU, or if their supply chain partners must comply with the NIS2 regulations. This means UK businesses could be indirectly influenced by the directive. 

With the directive’s deadline of 17th October 2024 fast approaching, UK IT organisations create a compliance roadmap for any European operations that might be regulated under this new set of rules. Compliance will be crucial to mitigate the risk of security incidents that could disrupt operations, revenue, and growth moving forward.

As supply chain security gains importance, businesses must understand how threat actors target their supply chains, the consequences of EU partners not complying with NIS2, and whether UK companies should prepare for similar regulations that might and are being introduced by the UK Government in the future.

Understanding software supply chain threats

Many factors contribute to the rise in supply chain attacks. As companies depend more on third-party suppliers, their risk of vulnerability stemming from these third parties increases.

For example, take the recent NHS incident where two central London hospitals had to shut down. This wasn’t a direct attack on NHS systems but came about through one of their third-party vendors being targeted by ransomware attacks. Adversaries motivated by financial and political goals are continuously looking for new ways to breach valuable businesses and exploit them.

As such, third-party suppliers are often easier targets, providing a gateway to influencing a larger target organisation. Although businesses might have been strengthening their defences in recent years, attackers are now focusing on their supply chain as a means to gain access and execute malware. Their tactics are getting more sophisticated by the day.

For example, in April 2024, a unique attack was discovered against an open-source project called XZ, a compression tool, where an adversary posed as a legitimate open source contributor for two years. During this time they snuck in code, which then in turn was distributed by the downstream adopters of the XZ utility. The crisis was only averted at the very last minute as the code was discovered completely incidentally. If successful, the attack would have led to an unprecedented breach in digital systems globally. The attacker created and exploited a relationship with the maintainer of this system to infiltrate businesses across sectors globally.

Luckily, this time the threat was thwarted but it shows how attackers target crucial third parties because it gives them a high return on investment. Exploiting one organisation can open up many additional targets. These stealth attacks can exploit even a hardened target’s vulnerabilities through their software.

This type of attack puts new challenges on an organisation’s cyber-resilience - another example of which was the CrowdStrike outages this July. A well-placed third party can be the soft underbelly in many company’s defences.

NIS2’s impact on UK businesses

The NIS2 directive imposes new risk management, reporting requirements, and penalties to enforce higher security standards for network and information systems. This legislation affects organisations in EU member states operating in 18 key economic sectors, including those with over 50 employees or annual revenues exceeding €50 million ($54.3 million). The directive must be implemented by October 17, 2024.

UK businesses are often closely connected with EU partners. Therefore, they might face the following impacts: 

• EU partners might require UK businesses to adhere to NIS2 standards as a condition of collaboration, especially if UK cyber-security practices are seen as weaker.
• Non-compliance by EU partners increases cyber-risk for UK businesses sharing the same supply chains. Cyber-attacks on poorly protected EU partners could spread to UK organisations, and compromise their data and IT systems.
• Non-compliance by EU partners could disrupt supply chains, causing delays, increased costs, and reputational damage for UK businesses trading across borders.  

From the reporting perspective, businesses must submit an early warning of major cyber-security incidents within 24 hours, which is quick even for an initial report. These reports need to be sent to the relevant Computer Security Incident Response Team, stating if the incident is suspected to have been caused by unlawful or malicious acts. Within 72 hours, the first report must be updated with an initial assessment of the incident, including its severity and impact.

Within a month, a final report is required that includes: 

• A detailed description of the incident, including its severity and impact;
• The type of threat or root cause that likely triggered the incident;
• Applied and ongoing mitigation measures;
• Where applicable, the cross-border impact of the incident. 

While businesses and the media are still unpicking what’s in store under this new Government, the King’s Speech touched on cyber-security. The announcement of a new Cyber Security and Resilience (CSR) Bill signals a major overhaul of the existing cyber-security framework in the UK.

This bill introduces more stringent regulations and expands the scope of mandatory security incident reporting to include a broader range of businesses. The primary goal is to enhance national resilience against cyber-threats by ensuring that all critical sectors implement robust cyber-security measures.

Having strong cyber-security measures builds trust among partners. UK businesses that fail to meet NIS2 standards or secure their supply chains risk losing competitiveness in EU markets, affecting their growth potential and, ultimately, losing out on profits.

It won’t be smooth sailing

A pragmatic step to ensure compliance for UK businesses selling software solutions is to manage and monitor their software components throughout the development lifecycle for any new vulnerabilities that might affect them. 

The industry standard solution that has arisen to solve this problem is the generation and collection of Software Bills of Materials (SBOMs) to track the provenance of components used in each system and, should they be compromised, remedy them.

Think of an SBOM as an ingredient list that itemises the components that make up any piece of software. Generating and monitoring this list in an automated fashion helps react and avoid incidents faster than ever before. Having an exact list of these components, their origin, and their dependencies both internal and external to the business is fundamental to maintaining compliance with NIS2 and other upcoming regulations in the long run. 

The weakest link

While NIS2 targets core infrastructure in the EU, UK businesses should follow suit to avoid being the weakest link in the software supply chain.

Combating these threats means that UK businesses need a comprehensive security approach, enabling them to maintain compliance, visibility, and enforcement, no matter where in Europe their data and applications are stored.

Ilkka Turunen is Field Chief Technology Officer at Sonatype

Main image courtesy of iStockPhoto.com and BlackJack3D