NIS2 - Time to Act and Achieve Compliance

In 2025, the new compliance deadline for the European Union’s Network and Information Systems Directive (NIS2) is set for July 1. This extension was granted to organizations because it became clear either that the existing regulatory framework was too complex to implement by the original deadline of October 17, 2024, or that many companies simply could not meet that date. Consequently, more than half of the affected organizations failed to comply, fully or partially. This regulation impacts various industries, including cloud service providers and their customers.

The NIS2 Directive and its Impact on Cloud Providers

The NIS2 Directive is the second iteration of the EU’s Network and Information Security Directive, aiming to bolster the cybersecurity resilience of essential services across Europe. The directive recognizes the critical role of digital infrastructure, including cloud services, in maintaining the stability of the economy. As Bulgaria, like other EU member states, transposes the directive into national law, cloud providers and their clients must understand the new regulations and implement security measures to comply.

One of the main objectives of the directive is to improve cyber resilience in sectors such as healthcare, energy, transportation, and digital infrastructure. Cloud service and cybersecurity providers are categorized as critical infrastructure providers, which means they must comply with stricter cybersecurity standards. Failing to meet these standards may result in significant penalties of up to BGN 25,000 or EUR 10 million, depending on the size and turnover of the company.

Key Cybersecurity Measures for Cloud Providers Under NIS2

With the NIS2 Directive’s deadline fast approaching, critical providers need to implement robust cybersecurity measures to ensure compliance. Below are some of the key areas of focus:

1. Risk Management and Cybersecurity Assessments

Providers have to conduct regular risk assessments to identify vulnerabilities, potential threats, and the possible impact of cyberattacks. These assessments should be followed by concrete actions to mitigate risks. They will need to continuously monitor their systems and take steps to detect emerging threats.

For example, a cloud provider could conduct regular penetration testing, security audits, and vulnerability scans to identify weaknesses in their infrastructure. By adopting a proactive approach, cloud providers can stay ahead of potential threats and ensure their services remain secure for their clients.

2. Incident Detection and Response

One of the core principles of NIS2 is incident response. Cloud providers are obligated to implement systems that quickly detect and respond to cybersecurity incidents. These systems must be capable of detecting unauthorized access, data breaches, and other anomalies in real time.

Providers must also develop and test incident response plans (IRPs) that define clear procedures for identifying, reporting, and mitigating cybersecurity incidents. The plans should ensure that incidents are contained as quickly as possible to minimize their impact and that services are restored with minimal downtime. A crucial part of this is setting up a Security Operations Center (SOC) that provides continuous monitoring and rapid response to security events.

For example, in the event of a ransomware attack, a cloud provider’s SOC could immediately detect abnormal activity, isolate affected systems, and notify the affected clients. The provider’s incident response team would then follow pre-established protocols to contain and remediate the attack while keeping the impacted parties informed.

3. Supply Chain Security

With the growing complexity of digital infrastructures, cloud providers depend heavily on third-party vendors and suppliers. Under NIS2, cloud companies must ensure that their supply chains are secure, as vulnerabilities in third-party services may lead to significant risks for clients. They must also carry out thorough security assessments of their vendors and partners to confirm that they meet the required cybersecurity standards.

For instance, a cloud provider could require its suppliers to sign agreements that bind them to the same level of cybersecurity standards. This could include stipulations for ensuring that any software or hardware integrated into the cloud infrastructure is secure and regularly updated.

4. Data Protection and Privacy Compliance

Another key aspect of NIS2 is data confidentiality, integrity, and availability. When managing sensitive client information, providers must adhere to the General Data Protection Regulation (GDPR) and other relevant data protection laws. They must implement strong encryption to protect data both at rest and in transit, and regularly update and patch their software to protect against emerging security threats.

For example, a cloud provider could encrypt customer data stored on its servers using AES-256 encryption and secure communication channels with clients via TLS (still commonly referred to as SSL/TLS).

The Impact of NIS2 on Various Sectors in Cloud Computing

The NIS2 Directive will have far-reaching consequences for various industries relying on cloud computing. Below are some of the key sectors impacted by the directive and the specific security measures they must adopt:

1. Finance and Banking

The financial sector, particularly banks and insurance companies, deals with sensitive financial data that requires high levels of protection. NIS2’s emphasis on supply chain security is particularly important for financial institutions relying on third-party cloud providers to host and manage sensitive customer data. Financial organizations will need to conduct thorough due diligence on their cloud providers and ensure that they have implemented proper security controls.

Additionally, finance and banking institutions must ensure they comply with other regulations such as PSD2 (Payment Services Directive 2) and GDPR while ensuring their cloud provider meets NIS2 cybersecurity standards. This may involve ensuring that data is encrypted and regularly monitored for any signs of unauthorized access.

2. Retail and E-commerce

The retail and e-commerce sectors rely heavily on cloud infrastructure to manage customer data, payment systems, and inventory. Cloud providers supporting retail businesses must ensure that their services meet high cybersecurity standards to protect customer data and prevent fraud.

For example, a cloud provider could implement multi-factor authentication (MFA) for e-commerce platforms to prevent unauthorized access to customer data. Retailers may also require their cloud providers to use tokenization techniques to protect sensitive payment card information.

3. Healthcare

The healthcare industry highly depends on cloud providers to store and process patient data. Under NIS2, healthcare organizations using cloud services must ensure their cloud providers meet high cybersecurity standards to protect sensitive medical data. This includes implementing strong access controls, ensuring data encryption, and establishing clear protocols for responding to data breaches.

For example, a healthcare company could require its cloud provider to comply with both NIS2 and the US Health Insurance Portability and Accountability Act (HIPAA) to ensure compliance with cybersecurity regulations across jurisdictions. The cloud provider must implement regular audits, access monitoring, and incident response measures tailored to the healthcare sector’s specific needs.

Stay tuned for upcoming blog posts on the impact of NIS2 on other major industries like insurance, transport & logistics, manufacturing and more.

How Cloud & Cybersecurity Providers and Their Clients Achieve Compliance

Both providers and their clients must take proactive measures to comply with the NIS2 Directive. Cloud providers should invest in cybersecurity certifications that demonstrate their commitment to maintaining high security standards. This will help build trust with clients and demonstrate compliance with the directive.

Additionally, cloud & cybersecurity providers should focus on improving employee training to ensure that their teams are well-prepared to address emerging cybersecurity threats. Regular training programs can ensure that staff are up to date on the latest best practices and the importance of security in the cloud environment.

Clients of the providers must also ensure that they are meeting their own cybersecurity obligations under NIS2. This may involve auditing their cloud provider’s security posture, understanding their shared responsibilities, and implementing appropriate security measures on their own infrastructure.

Conclusion

The NIS2 Directive significantly changes the cybersecurity landscape, particularly for many business verticals and cloud providers operating in Bulgaria and across the EU. By implementing the required cybersecurity measures, such as regular risk assessments, incident response plans, and supply chain security, cloud providers can ensure compliance with the directive and protect their clients’ data from emerging threats. Both cloud providers and their clients must take proactive steps to address these changes, adopt industry-leading security practices, and invest in employee training to stay ahead of potential cyber risks.

The European Commission has extended the deadline for companies to achieve compliance with NIS2 from October 2024 to mid-2025. It is anticipated that by this time, the majority of businesses will have reached an acceptable level of compliance. Sirma’s cloud and cybersecurity consultants are prepared to assist you with NIS2 compliance. With the deadlines approaching, now is the ideal time to ensure your organization remains resilient against evolving cybersecurity threats. Contact us to discuss your NIS2 cloud and cybersecurity needs.