If you are not yet up to speed on the latest developments around the European Union’s (EU) NIS2 Directive, get ready: they go into effect Oct. 17, 2024. That’s when Member States are required to have transposed the directive into national law. EU countries must have their national legislation on par with NIS2 and comply with its new, broader requirements.
This update aims to further improve cybersecurity across the EU with more robust risk management practices, increased measures around cybersecurity, and new reporting obligations.
Just like the original NIS directive, in place since 2016, NIS2 lays out stringent requirements and standards for Member States, along with certain businesses and organizations. The overall purpose of NIS2 is to boost the resilience of essential and important entities in the EU, as well as of the entities that work with or support them, against cyber threats. It also helps provide a more consistent, unified approach to cybersecurity.
“Taking the time to ensure your organization – whether in the EU or in partnership with an EU-based entity – has the up-to-date technology in place to consistently be in compliance doesn’t have to be complex,” said Per Bauer, Director, Solutions Engineering, Fortra. “Robust solutions, such as Managed File Transfer (MFT) can be applied to the exchange of sensitive data consistently and help essential and important entities meet their confidentiality and integrity obligations without unnecessary manual intervention.”
Who Needs to Comply with NIS2?
If your organization does business with the EU, you may need to comply with the NIS2 directive if you fall into one of the categories it defines or if you have operations within the EU that the directive covers. Briefly, those categories are as follows:
- Essential or important entities within the EU: These are defined as those in the energy, transport, banking and financial market, health, drinking water, and digital infrastructure industries – a large percentage of those comprise what keeps the country up and running, healthy, financially stable, and able to communicate and conduct transactions of any kind. As such, they all must comply with the cybersecurity requirements spelled out by NIS2, as well as practice risk management and incident reporting detailed by the directive.
Essential entities provide the services that are most critical to society; a disruption to them could substantially impact the EU's health, safety, and economic position.
Important entities are, as indicated, “important” but not necessarily essential. These entities or organizations include things like digital service providers (cloud computing, search engines, etc.), mail and parcel delivery services, as well as some food supply/distribution entities.
- Non-EU Companies Needing to Comply with NIS2
If your organization is based outside the EU, you’re not necessarily off the hook NIS2-wise. For example, if you have a significant presence or operations within the EU, provide services such as digital services (online search engines, cloud computing to EU customers, online marketplaces, etc.), or if you are a supplier or partner to essential or important entities based in the EU, you may have contractual requirements around compliance.
The exact obligations can vary, depending on the specific nature of interactions with the EU entities, but it is the responsibility of non-EU entities to ensure all obligations around cybersecurity standards are being met.
What’s Changing from NIS to NIS2?
According to NIS2, by Oct. 17, 2024, “The Commission shall adopt implementing acts laying down the technical and the methodological requirements of the measures with regard to DNS service providers, TLD name registries, cloud computing service providers, data centre service providers, content delivery network providers, managed service providers, managed security service providers, providers of online marketplaces, of online search engines and of social networking services platforms, and trust service providers.”
The overall premise of NIS2 is being broadened. From the scope of industry sectors, to stricter security requirements, to additional cooperation and stronger enforcement, the Oct. 2024 NIS2 update adds more heft to the directive, specifically by:
- Including risk management practices, training, incident reporting, and security measures
- Encouraging more information sharing between EU member states
- Establishing a European Cyber Crises Liaison Organization Network (EU-CyCLONe). This is designed to better coordinate responses to large-scale incidents
- Implementing a zero-trust security model to help minimize cyberattack risks
- Increasing penalties for entities not complying with the new cybersecurity standards
- Securing the supply chain by requiring businesses to assess the cybersecurity of their suppliers, including digital supply chains
- Addressing the liability of senior management, making them personally liable for damage incurred through non-compliance with cyber risk management duties
Overall, NIS2 and the October 2024 deadline to bring the directive into national law are designed to improve the resilience of essential and important entities against cyber threats and to create a more unified approach to cybersecurity across the EU.
Role MFT Plays in Meeting NIS2 Requirements
Complying with directives such as NIS2, or other industry requirements such as DORA, GDPR, or PCI DSS, can be easier with a robust managed file transfer (MFT) solution in place to shoulder some of the security burden that comes with exchanging sensitive data.
“Using a robust MFT solution can add the automation, security and centralization as well as control EU organizations need to better comply with NIS2,” added Bauer. “MFT can be applied to each file transfer step or process so that the risk of human error occurring is minimized. The compliance process and security measures can be automatically implemented and can be integrated further with additional security layers to protect sensitive data throughout its lifecycle.”
- With MFT, the requirement to protect sensitive data is met by encrypting it both while it is at rest and while it is in transit.
- In addition, granular controls can be applied to limit or define who can send, receive, or access files, helping essential and important entities meet the requirement to control and monitor access to potentially sensitive data.
- With MFT solutions such as Fortra’s GoAnywhere MFT, auditing and reporting functionality that provides visibility into all file movement and activity is readily available to meet compliance requirements. It also supports the incident response investigations and reporting that the directive requires.
- Automation of data transfer processes with MFT can also help reduce the risk of human error and help meet NIS2 compliance requirements.
- MFT can also be integrated with security solutions such as Threat Protection and Secure Collaboration to add the layered security needed to meet NIS2 requirements.
GoAnywhere MFT Helps Meet NIS2 Requirements
Learn how a secure, automated file transfer solution can help meet the requirements for NIS2 and other compliance standards, protect your most sensitive files in motion and at rest, and work alongside your other cyber defense strategies.