What is EU NIS2 and what does the NIS2 directive mean for organisations?

The EU Network and Information Systems 2 (NIS2) directive aims to improve the security and resilience of networks and information systems and to achieve a high common level of cybersecurity posture across the member countries in the EU.

NIS2’s goal is to make the EU a lot more resilient to cyber threats and to strengthen cooperation between Member States on cybersecurity. It builds on the previous NIS Directive and represents a further development of measures to meet the challenges of an increasingly digitalised world, coming into force, once transposed into local law in each member state, by 17 October 2024.

With stricter requirements for risk management and incident reporting, wider coverage of sectors, and more impacting penalties for non-compliance, hundreds of thousands of EU organizations will need to reassess their cybersecurity posture.

What impact would have on the Energy Sector and the Digital Infrastructure used by Energy Companies?

The European energy sector is considered highly critical infrastructure as it provides an essential service across the entire EU, to millions of homes and businesses, while playing a direct part in other sectors like Food, Manufacturing or Transportation.

Due to its critical infrastructure status and being one of the prime targets for cyberattacks, the energy sector is particularly susceptible to the NIS2 Directive. As such, the Directive’s main objective is to increase security and resilience against cyberattacks and other threats by imposing specific requirements on energy companies to safeguard their networks and information systems.

Security of Energy Systems

The NIS2 Directive requires energy companies to implement appropriate technical and organizational measures to prevent, detect and respond to incidents that could impact the security and continuity of energy supply. This includes measures to protect critical infrastructure, data protection and privacy, and the availability of energy services.

Data Protection and Privacy

Energy companies must take appropriate measures to protect the personal data they process. They are also responsible for reporting any incidents that could impact the security of that data. Consumers have the right to be informed of any incidents and to request the deletion of their personal data.

Compliance and Enforcement

To ensure compliance with the NIS2 Directive, companies and organizations operating in the energy sector must appoint a responsible person to oversee implementation, conduct regular risk assessments and cooperate with national competent authorities, who are responsible for enforcing the directive.

NIS2 impact on VAKT

Due to the nature of our clients and services provided by VAKT (SaaS digital infrastructure for the energy sector) alignment with the NIS2 requirements is critical.

Even before NIS2 came into effect, VAKT recognised the importance of having a strong security posture and, as such, we have adopted a certification and attestation roadmap that allows us to provide our services to the most demanding enterprises.

We started with the ISO 27001:2013 (Information Security Management) certification in 2020, followed by ISO 27017:2015 (Code of practice for information security controls based on ISO/IEC 27002 for cloud services) in 2021 and culminated with the attestation report for SOC2 - AICPA TSC 2017 framework in 2022. Each of these frameworks has allowed us to improve and tune our security posture and we are now in a position where are going above and beyond the upcoming NIS2 requirements.

VAKT ISMS (Information Security Management System), the foundation for our ISO 27001 certification, provides VAKT with a mature system that allows us to identify, minimise and manage the security threats to our information assets. This has been augmented with the specific controls from ISO 27017 standard, focused on Supplier Due Diligence for Cloud Service Providers and the administrative operations and procedures associated with the cloud environments and the SOC2 framework controls, focused on the operational aspects, people awareness and training and evidence collection required to meet the selected trust principles and criteria.

How is VAKT helping its Clients from the NIS2 perspective?

Given the current alignment with NIS2 requirements, VAKT would not only reduce the burden on its customers by simplifying the Supplier Due Diligence process associated with the new directive but would also enable the ecosystem participants, that might not meet the directive requirements, to provide their services via a NIS2 compliant infrastructure.

VAKT's modern "Cloud Only" offering, delivered via AWS resilient and compliant services, is underpinned by Blockchain (Distributed Ledger) Technology for encrypted, private, and compliant information storage and distribution. This setup provides comprehensive APIs (Application Programmable Interfaces) and/or UI (User Interfaces), allowing all ecosystem participants to leverage VAKT's security measures and benefit from the advanced product offerings such as vSure (trade entry validation), vLogistics (management of product movements and deliveries), or vActuals (digital quality and quantity actualisation).

‍