NIS2 is almost here. Are you ready? 

NIS2 is Europe’s comprehensive blueprint for cybersecurity resilience for all organizations that support critical infrastructure across 18 sectors including energy, finance, healthcare, transportation, manufacturing and more. In just six months’ time, 180,000 organizations involved in this sector will need to ensure they comply, or face potentially stiff penalties and disruption to their operations.  

The backdrop to NIS2 is territory we are all familiar with. It’s widely known that the scale and complexity of cybersecurity threats is increasing. And the stakes are high when it comes to critical infrastructure, as damage can have far-reaching consequences from business disruption, to financial losses; and even threat to life. Unfortunately, the targeting of critical infrastructure organizations seems ubiquitous given that 41% of all threat notifications Microsoft sent to online service customers between July 2022-July 2023 were to this sector.    

Our investment in security research, innovation, and the global security community gives us a unique vantage point. We are able to analyse 750 million signals per second to understand and protect against digital threats and cyberactivity. Combined with our 15,000+ partners and 10,000 security and intelligence experts from around the world, we are stopping 4,000 identity authentication threats per second, removing domains that criminals use (100,000+ all time) and managing over 135 million devices. 

That unique vantage point has given us insight into the vulnerabilities that critical infrastructure organizations face on their networks and devices. Recent data from our Modern Digital Defence Report shows us that 78% of devices on customer networks have known vulnerabilities that threat actors can exploit, and 46% of these can’t be patched.  That’s an open window for criminals and hostile actors to use.  

NIS2 is an opportunity for everyone to meet the same minimum benchmark across many aspects of cybersecurity. There are however, four you should think about first which can cover the majority, if not all, of what NIS2 is asking critical infrastructure organizations to prepare: 

1. Incident handling 
2. Business continuity 
3. Supply Chain security 
4. Encryption and Cryptography 

Incident handling 

The timely reporting of incidents allows for quicker response and recovery, minimizing the impact on essential services and the wider economy. In the context of critical infrastructure, how well an organization can respond to a cybersecurity incident is crucial.  

But with large organizations often being the target of multiple, complex cyberattacks, the rapid co-ordination of multiple stakeholders, from IT to legal, to senior leaders and communications; can be difficult.  

Using Microsoft Defender and Microsoft Sentinel, security teams can smoothen incident handling with a real time, comprehensive view of any security issues within your IT infrastructure.  

And there is of course the introduction of generative AI into this space as well. With Microsoft Security Copilot, defenders will have the ability to move faster than ever before, identify cybersecurity challenges and get recommendations on how to deal with the incident, as well as write reports. So far, we’re seeing security teams save 40% of their time on core tasks, including investigations, and 60% time savings on reporting too.  

Business continuity  

We know disruptive events including cybersecurity incidents will occur, so having the capability to keep critical infrastructure organizations online and able to recover quickly with a minimal impact on operations is crucial.  

Security teams must ensure that critical functions continue during disruptions like cyberattacks, increasing operational resilience to minimize downtime, financial loses, and increase reputation and customer trust 

With Azure Backup, you can protect your critical business systems and backup data in case of data loss or corruption – giving you that extra resilience for when the worst happens.  

Supply Chain security 

When organizations enhance the security and resilience of their own organizations, cyber-criminals will look for other routes to compromise security via weaknesses in an organization’s supply chain.  

Supply chain security is crucial in the NIS2 regulation from the EU because it ensures the resilience and reliability of essential services by mitigating risks posed by third-party vendors and interconnected systems. 

With Entra ID, Service Trust Portal, Granular Delegated Admin Privileges, you can Control and manage the external access of organizational assets and customer tenants only to the necessary partner roles and for a limited amount of time.  

Encryption and Cryptography  

Finally, let’s consider encryption. Encryption cannot protect your data on its own, but it is an important part of your larger file protection and information protection strategy.  

Microsoft Purview Information Protection and Purview Data Lifecycle Management can help organizations discover, classify, and protect their most sensitive with the use of encryption to prevent risks of data leakage, exfiltration, or unauthorized access. A robust data security strategy becomes crucial to organizations when deploying GenAI models (Copilot for M365) to prevent the risk of data overexposure. 

So, are you ready? 

Taken as a positive, NIS2 is demanding that the most critical organisations in our society remain resilient in the face of an increasingly hostile cyberthreat environment.  

If you are one of these organizations, the time to act is now with the deadline only being a few more months away. And at Microsoft, we can help with our unique vantage point and comprehensive suite of secure cloud-based solutions to help you identify, prevent, and mitigate against the cyberthreats we are facing today and in the future.