RDX and the New NIS Directive (NIS2)
How Overland-Tandberg's RDX Storage Solutions can Help.
Introduction
With the increasing interconnectedness and digitalization of our society, the threat of cyberattacks has grown
exponentially. The European Union (EU) responded to these challenges by introducing the Directive on Security of
Network and Information Systems (NIS Directive) in 2016, a cornerstone of EU cybersecurity policy. However, due
to the rapid evolution of the cyber threat landscape, an updated directive, NIS2, was adopted on December 27,
2022, and comes into force in October 2024 at the latest.
This whitepaper discusses the key aspects of the NIS2 Directive, its implications for businesses, and how
Overland-Tandberg's RDX solutions can support compliance and enhance data security.
Background and Motivation
The original NIS Directive aimed to ensure a high common level of security for network and information systems
across the EU. It laid the foundation for cooperation between member states and established requirements for
operators of essential services and digital service providers.
However, the initial NIS Directive faced several challenges:
- Inconsistent Implementation: Implementation of the NIS Directive varied significantly across member states,
leading to uneven levels of security within the EU.
- Limited Scope: The Directive did not cover all critical sectors and insufficiently addressed emerging threats.
- Weak Enforcement: The sanctions and enforcement mechanisms were not robust enough to ensure
widespread compliance.
Overview of the NIS2 Directive
The NIS2 Directive aims to address the limitations of the original NIS Directive by expanding its scope, harmonizing
security requirements, and strengthening enforcement mechanisms. The primary objectives of NIS2 are:
- Expanded Coverage: NIS2 now includes additional sectors such as healthcare, water supply, digital
infrastructure, and space, ensuring a comprehensive approach to cybersecurity.
- Unified Security Standards: It establishes clearer and stricter security requirements applicable across all EU
member states.
- Enhanced Enforcement: The Directive introduces tougher penalties and requires member states to ensure
effective enforcement through national authorities.
- Improved Cooperation: It promotes greater collaboration among EU member states, enabling a
coordinated response to cyber threats.
Essential Entity (EE) or Important Entity (IE)
The first NIS directive applies to DSPs (Digital Services Providers) and OESs (Operators of Essential Services).
These terms disappear with NIS2 – even though in practice, the entities covered by NIS are also covered
by NIS2.
For its scope, the NIS2 directive distinguishes two types of entities:
- Essential Entities (EE)
- Important Entities (IE)
Essential entities are critical, and service disruptions could seriously impact society. Both groups must follow
the same security measures, but essential entities receive proactive supervision, while important entities are
monitored only after an incident of non-compliance is reported.

Key Requirements and Challenges Under NIS2
NIS2 imposes stringent security requirements on organizations, including:
- Risk Management: Companies must implement robust
risk management processes to identify, assess, and
mitigate cybersecurity risks.
- Incident Reporting: Organizations are required to
report significant cyber incidents promptly to the
relevant authorities, with standardized reporting formats
and deadlines.
- Security Measures: Minimum security measures must
be in place, tailored to the organization's specific risks
and industry sector.
Implementing these requirements poses several challenges:
- Complex Compliance: The expanded scope and heightened security standards increase the complexity of
compliance.
- Resource Allocation: Organizations must allocate sufficient resources to meet the demands of the Directive,
including investing in technology, staff training, and ongoing monitoring.
- Data Security and Backup: Ensuring data is securely stored, backed up, and quickly recoverable in the event
of an incident is critical for compliance and business continuity.
Enforcement and Sanctions
Enforcement of the NIS2 Directive will be carried out at the national level by the respective regulatory authorities.
The Directive introduces stricter sanctions, with penalties varying based on the severity of the violation.
Organizations failing to comply with their obligations may face substantial fines, up to €10 million or 2% of their
global annual turnover.
The NIS2 directive introduces the notion of top management accountability for security. The objective here is clear:
to induce risk ownership by senior managers and the board of directors to ensure better governance. The prospect
of sanctions is most effective when individuals are clearly identified as accountable.
Cooperation at the EU Level
The NIS2 Directive strengthens cooperation between member states and at the EU level through:
- National Cybersecurity Authorities: The role of national cybersecurity authorities is enhanced to ensure
effective monitoring and enforcement.
- EU Cybersecurity Network: A network of national authorities and the EU Cybersecurity Agency (ENISA) is
established to improve information sharing and threat response.
The Directive lays the groundwork for a joint crisis response at the EU level in the event of large-scale cyberattacks.
How Overland-Tandberg's RDX Solutions Support NIS2 Compliance
Overland-Tandberg provides robust storage solutions designed to help organizations comply with the stringent
data protection and cybersecurity requirements of NIS2. The RDX product line offers secure, scalable, and reliable
data storage, backup, and recovery options that safeguard critical information and ensure business continuity.
RDX: Secure Data Protection
The RDX (Removable Disk) solution is designed for reliable data protection and disaster recovery:
- Rugged and Secure: RDX cartridges are highly durable, making them ideal for secure offline storage. This is
essential for protecting data against ransomware attacks and ensuring compliance with NIS2’s data security
requirements.
- Scalability: RDX offers scalable storage options, allowing
businesses to expand their storage capacity as needed
without compromising on security.
- Simple and Cost-Effective: The RDX system is easy to
deploy and manage, providing a cost-effective solution for
businesses of all sizes looking to meet the data protection
and recovery mandates of NIS2.
Case Study: Ensuring Compliance with RDX
Consider a healthcare provider that falls under the expanded scope of NIS2. This organization needs to secure
sensitive patient data, ensure compliance with the Directive’s reporting and security requirements, and maintain
operational continuity in case of a cyberattack.
By deploying Overland-Tandberg's RDX solutions:
- Data Security: The provider can use RDX cartridges for offline backups, protecting against ransomware and
unauthorized access.
- Disaster Recovery: Rugged, removable disks that can be easily transported offsite ensure that backups are
stored in a separate location, which is crucial for disaster recovery. High data transfer speeds and
random-access capabilities allow rapid recovery, reducing downtime in disaster recovery scenarios.
- Regulatory Compliance: RDX solutions help the provider meet NIS2’s stringent requirements for data
protection, backup, and incident response, reducing the risk of non-compliance and associated penalties.
Recommendations for Organizations
To effectively comply with NIS2 and enhance cybersecurity resilience, organizations should:
- Assess and Upgrade Storage Infrastructure: Evaluate current storage solutions and consider implementing
Overland-Tandberg’s RDX systems to ensure robust data protection and compliance with NIS2 requirements.
- Implement Comprehensive Risk Management: Develop and maintain a risk management strategy that
includes secure data storage, regular backups, and a clear incident response plan.
- Regular Training and Audits: Ensure that staff receive regular training in cybersecurity best practices and that
the organization's systems and processes are consistently audited for compliance with NIS2.
- Engage with Authorities: Collaborate with national cybersecurity authorities to ensure your measures align
with regulatory requirements.
- Invest in Technology: Invest in technologies that enable continuous monitoring and response to cyber threats.
Conclusion
The NIS2 Directive sets a new standard for cybersecurity across
the EU, demanding that organizations implement comprehensive
security measures, including robust data protection and backup
solutions. Overland-Tandberg's RDX storage solutions provide the
tools necessary to meet these requirements, ensuring data security,
compliance, and business continuity.
By adopting these advanced storage solutions, organizations can not
only comply with NIS2 but also enhance their overall cybersecurity
posture, protecting their most valuable asset: data.