What is the NIS2 Directive? Introducing its requirements and the need for cyber resilience

As the risk of cyberattacks increases worldwide, it has become urgent for global companies with overseas branches to implement comprehensive cybersecurity measures. The NIS2 Directive, established by the EU, aims to strengthen "cyber resilience", that is, the ability to withstand attacks and minimize the damage they cause, and sets out specific obligations for strengthening security.

This article provides an overview of the NIS2 Directive and the importance of cyber resilience and introduces specific strengthening methods and examples.

1. What is the NIS2 Directive?

NIS2 (Network and Information Systems Directive 2, Directive (EU) 2022/2555) is a cybersecurity directive adopted by the European Union (EU) in December 2022. Unlike an EU regulation, a directive is transposed into each Member State's national law; the transposition deadline was 17 October 2024, so the concrete obligations and penalties reach companies through national legislation. It requires a wide range of industries that depend on networks and information systems to strengthen cybersecurity and protect information. In particular, infrastructure operators and companies that play essential social and economic roles are required to reduce the risk of cyberattacks and improve their response capabilities.

Standards and scope of application

The NIS2 Directive covers 18 sectors (11 sectors of high criticality listed in Annex I, such as energy, transport, banking, health and digital infrastructure, and 7 other critical sectors listed in Annex II, such as postal services, manufacturing and digital providers), and categorizes in-scope organizations into "essential entities" and "important entities." Essential entities are subject to stricter supervision and higher maximum fines.

Within those sectors, an organization is obliged to comply with the NIS2 Directive if it is a medium-sized enterprise or larger, i.e. if it meets either of the following criteria:

  • 50 or more employees
  • Annual turnover or annual balance sheet total exceeding 10 million euros
*Certain providers are in scope regardless of size, for example DNS service providers, TLD name registries, qualified trust service providers and providers of public electronic communications networks (Article 2(2)). Branches should also check the national transposition law, as Member States may designate additional entities.

Target companies are required to implement specific cybersecurity measures and to report significant incidents. Non-compliance can result in severe penalties: administrative fines of up to 10 million euros or 2% of worldwide annual turnover for essential entities, and up to 7 million euros or 1.4% for important entities (whichever amount is higher), as well as personal liability for members of management bodies, who must approve and oversee the risk-management measures (Article 20).

Differences from the NIS Directive

The NIS2 Directive is based on the NIS Directive that came into force in 2016 and is designed to create a more comprehensive and robust cybersecurity regime. The main changes are as follows:

  • Strengthening risk management
  • Stricter reporting requirements
  • Introduction of sanctions for violations
  • Strengthening international cooperation
  • Harmonized supervision and enforcement across Member States
  • Expansion of target industries

The NIS2 Directive is expected to promote the uniformity of European security standards and further cooperation between countries.

2. Important NIS2 Requirements for Overseas Branches

For global companies, the requirements of the NIS2 Directive are important issues that require a strategic response. This chapter explains three critical points that managers of overseas branches should pay particular attention to.

Strengthening risk management (Article 21)

Article 21 requires cybersecurity risk-management measures that are proportionate to the risk and that cover, at a minimum, risk analysis and security policies, incident handling, business continuity (backups, disaster recovery, crisis management), supply chain security, secure acquisition and development including vulnerability handling, measures to assess the effectiveness of the controls, basic cyber hygiene and training, cryptography, access control and asset management, and multi-factor authentication. In practice this means conducting risk assessments, managing threats, establishing incident response procedures and conducting regular security audits, so that the organization can rapidly detect, respond and recover in the event of a cyberattack or disaster.

Stricter reporting requirements (Article 23)

The NIS2 Directive sets strict requirements for reporting significant incidents, i.e. incidents that cause or can cause severe operational disruption or financial loss, or that affect other persons or organizations. The aim is to limit the spread and recurrence of cyberattacks by sharing information with national authorities and related organizations, so each location must share information quickly and transparently. Reporting is staged, and each stage has its own deadline and required content:

Early warning: within 24 hours of becoming aware of the incident
  • Whether the incident is suspected to be caused by unlawful or malicious activity
  • Whether it could have a cross-border impact

Incident notification: within 72 hours of becoming aware of the incident
  • Update of the early warning and an initial assessment (severity, scope of impact)
  • Indicators of compromise (IoCs), where available

Interim report: as needed
  • Status updates when requested by the CSIRT* or the competent authority

Final report: within one month of submitting the incident notification
  • Detailed description of the incident, its severity and impact, the likely root cause, the mitigation measures applied and any cross-border impact
  • If the incident is still ongoing at that point, a progress report instead, with the final report due within one month of the incident being handled

*CSIRT (Computer Security Incident Response Team): the national security incident response team designated by each Member State
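The staged deadlines above interact in a way that is easy to get wrong in a multi-branch organization: the 24-hour and 72-hour clocks run from the moment the entity becomes aware of the incident, whereas the one-month clock for the final report starts only when the incident notification is actually submitted. The following deadline tracker is an added example written for this article; it is not part of the original page or of any KDDI tool. It assumes the directive's outer limits (national transposition law may be stricter), reads "one month" as one calendar month, and uses a constructed scenario for its timestamps.

```python
"""Deadline tracker for the NIS2 Article 23 incident-reporting timeline (added example)."""
import calendar
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Outer limits from Article 23(4); national law may set tighter limits.
EARLY_WARNING_WINDOW = timedelta(hours=24)          # from becoming aware
INCIDENT_NOTIFICATION_WINDOW = timedelta(hours=72)  # from becoming aware


def add_one_month(t: datetime) -> datetime:
    """Add one calendar month, clamping the day to the target month's length
    (31 Jan -> 28 Feb). Assumption: 'within one month' means a calendar month."""
    year, month = (t.year + 1, 1) if t.month == 12 else (t.year, t.month + 1)
    last_day = calendar.monthrange(year, month)[1]
    return t.replace(year=year, month=month, day=min(t.day, last_day))


@dataclass
class IncidentClock:
    """Tracks the mandatory filings for one significant incident.

    aware_at starts the 24h and 72h clocks. The final-report clock starts when
    the incident notification is submitted, not at awareness."""
    aware_at: datetime
    early_warning_sent: Optional[datetime] = None
    incident_notification_sent: Optional[datetime] = None
    final_report_sent: Optional[datetime] = None

    def __post_init__(self) -> None:
        # Branches span time zones, so naive timestamps are rejected outright.
        for name in ("aware_at", "early_warning_sent",
                     "incident_notification_sent", "final_report_sent"):
            value = getattr(self, name)
            if value is not None and value.tzinfo is None:
                raise ValueError(f"{name} must be timezone-aware")

    def deadlines(self) -> Dict[str, Optional[datetime]]:
        """Due time per filing; final_report is None until the 72h notification is filed."""
        return {
            "early_warning": self.aware_at + EARLY_WARNING_WINDOW,
            "incident_notification": self.aware_at + INCIDENT_NOTIFICATION_WINDOW,
            "final_report": (add_one_month(self.incident_notification_sent)
                             if self.incident_notification_sent else None),
        }

    def status(self, now: datetime) -> Dict[str, str]:
        """Per filing: submitted, submitted_late, overdue, due, or clock_not_started."""
        sent = {
            "early_warning": self.early_warning_sent,
            "incident_notification": self.incident_notification_sent,
            "final_report": self.final_report_sent,
        }
        result: Dict[str, str] = {}
        for name, due in self.deadlines().items():
            submitted = sent[name]
            if submitted is not None and due is not None:
                result[name] = "submitted" if submitted <= due else "submitted_late"
            elif due is None:
                result[name] = "clock_not_started"
            elif now > due:
                result[name] = "overdue"
            else:
                result[name] = "due"
        return result

    def overdue(self, now: datetime) -> List[str]:
        """Filings that are past their deadline and still not submitted."""
        return [n for n, s in self.status(now).items() if s == "overdue"]


def demo() -> Dict[str, object]:
    """Constructed scenario (not from the page): a branch SOC confirms an incident
    at 09:00 UTC on 17 Oct 2024, files the early warning at hour 20, and is asked
    for a status check at hour 80 before and after filing the 72h notification."""
    aware = datetime(2024, 10, 17, 9, 0, tzinfo=timezone.utc)
    clock = IncidentClock(aware_at=aware, early_warning_sent=aware + timedelta(hours=20))
    t80 = aware + timedelta(hours=80)
    before = clock.status(t80)                 # 72h notification is already overdue here
    overdue_before = clock.overdue(t80)
    clock.incident_notification_sent = aware + timedelta(hours=70)
    after = clock.status(t80)                  # now the one-month clock is running
    late = IncidentClock(aware_at=aware, incident_notification_sent=aware + timedelta(hours=75))
    return {
        "before": before,
        "overdue_before": overdue_before,
        "after": after,
        "final_report_due": clock.deadlines()["final_report"].isoformat(),
        "late_notification": late.status(t80)["incident_notification"],
        "jan31_plus_month": add_one_month(datetime(2025, 1, 31, tzinfo=timezone.utc)).date().isoformat(),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

In the scenario, the 72-hour notification filed at hour 70 is on time, and the final report then falls due at 07:00 UTC on 20 November, one month after that filing rather than after awareness; a notification filed at hour 75 is flagged as submitted late even though it was submitted. A headquarters team tracking several branches can keep one IncidentClock per incident and poll overdue() from its monitoring schedule.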

Strengthening international cooperation (Article 10)

Article 10 requires each Member State to designate or establish one or more CSIRTs that receive incident notifications and support affected entities, and NIS2 links these in an EU-wide CSIRTs network alongside the Cooperation Group of national authorities (Articles 14 and 15). For a company with overseas branches, this means each branch must identify the CSIRT and competent authority of the Member State in which it is established and be ready to report to them, while headquarters coordinates information sharing across branches. Increasingly complex attacks do not stop at organizational or national borders, so a framework is needed for preventing the spread of incidents and for cooperating on issues that a single location, company, or country cannot handle alone.

(Figure: Strengthening international cooperation)
Source: Summary of EU NIS2 Directive (Ministry of Economy, Trade and Industry, in Japanese) https://www.jraia.or.jp/members/uploads/files/230526_METI_NIS2.pdf
Source: EUR-Lex, Directive (EU) 2022/2555 (consolidated text 02022L2555-20221227) https://eur-lex.europa.eu/eli/dir/2022/2555

3. The Necessity and Benefits of Cyber Resilience

In recent years, cyberattacks have targeted all types of companies, regardless of industry or size. Threats such as ransomware, targeted attacks, and supply chain attacks can cause serious damage, such as business interruptions and information leaks. However, the reality is that it is difficult to completely prevent these increasingly sophisticated attacks. To counter these attacks, it is essential to build a foundation of "cyber resilience" that minimizes damage and enables rapid recovery.

Building cyber resilience can help minimize business disruption in the event of a cyberattack. This will help companies maintain their competitiveness by preventing economic losses and declining credibility.

The benefits of achieving cyber resilience

Building cyber resilience requires significant effort, but there are many benefits for companies.

Rapid response minimizes damage to business

Cyber ​​resilience enables rapid response when an incident occurs, preventing damage from spreading and minimizing the impact on business.

Improving customer trust

Compliance with the NIS2 Directive and strengthening resilience will increase trust from business partners and customers, thereby enhancing corporate value.

Avoiding legal risks

By establishing a system that complies with the laws and regulations of each country, you can avoid fines and sanctions due to violations of laws and regulations. In the supply chain, there is a risk of penalties if security requirements in contracts with business partners are not met. Building cyber resilience can help minimize the risk of contract breaches and maintain a competitive edge.

4. Key Points for Strengthening Cyber Resilience

Strengthening cyber resilience requires measures that address both organizational and technology aspects, centered on risk management based on the NIS2 Directive. The specific points of improvement are explained below.

Conducting risk assessments and setting priorities for countermeasures

First, conduct a risk assessment to inventory IT assets, identify all systems and data, and then evaluate the importance of each. Then, prioritize responses in areas with higher risks to ensure business continuity for the company.

Strengthening organization

When implementing comprehensive measures that reach every site, including overseas branches, the following four points are important:

Establishment of a reporting system

Establish a system that enables prompt and accurate reporting in a unified format when an incident occurs. By clarifying communication channels and standardizing reporting procedures, you can improve the speed and accuracy of information sharing.

Building an incident response framework

Establish a unified incident response process across your organization to expedite response. Security policies and codes of conduct will be established under the headquarters’ leadership, and response procedures will be standardized, such as "firstly, isolate the affected system" and "secondly, identify the scope of the data leak."

Employee education and security management, including the supply chain

To raise the security awareness of each employee, provide regular security training and education, and instill an understanding of the incident response process. Additionally, work with partner companies to prepare for risks through joint training across the entire supply chain.

Establishment of a Business Continuity Plan (BCP)

Create a plan that allows the business to continue even after an incident and share it across the entire company. For example, document recovery procedures for critical systems, such as restoring from backup data held in a cloud environment, keep at least one backup copy that cannot be modified from the production network so that ransomware cannot destroy it, and test the restore procedure regularly; Article 21 explicitly lists backup management and disaster recovery among the required measures.

Strengthening systems

To build a flexible and robust system foundation, do the following:

Periodic diagnostics execution

Conduct regular vulnerability scans to detect weaknesses and remediate them promptly. For example, scan internet-facing and internal systems monthly, prioritize patches by severity and by whether the affected system is exposed or business-critical, and track each finding to closure; Article 21 also requires a vulnerability handling and disclosure process.

Network separation

Implement network isolation and segmentation to restrict access to critical assets and preserve system availability. For example, an internal network can be separated into "business," "administration," and "visitor" segments with firewall rules between them, so that a compromised device on the visitor segment cannot reach business systems directly and administrative interfaces are reachable only from the administration segment. Segmentation does not stop every intrusion, but it limits how far an attacker can move once inside.

Automation through tool implementation

Introduce tools such as SIEM (centralized log collection and correlation) and EDR (endpoint detection and response) to enable real-time threat detection and containment. Use automation, including AI-assisted triage where appropriate, to build 24-hour monitoring, which is also what makes the 24-hour early-warning deadline achievable in practice; this reduces the burden on personnel and improves the efficiency of the security operation.

5. Summary

Strengthening cyber resilience based on the EU's NIS2 Directive is not only a security measure but also an important initiative aimed at minimizing risks to business on a global level and maintaining competitiveness. By complying with the NIS2 Directive, companies can not only comply with legal regulations but also strengthen the trust of their customers and business partners, and establish an advantage in the global marketplace.

To build a foundation for cyber resilience, it is important to take comprehensive and continuous steps from both organizational and system perspectives and establish a system capable of rapid response and recovery. KDDI supports customers in complying with the NIS2 Directive and building cyber resilience. Please feel free to contact us.
