A new cybersecurity directive (NIS 2) will come into effect as of 2025. This directive will apply throughout Europe and aims to tighten obligations for businesses, with new requirements for data protection and compliance. A key change in the NIS 2 directive is the widening of its scope of application, which now covers several thousand organisations and an estimated 16,000 institutions in Europe. Faced with the rise in cybercrime, the directive aims to strengthen the protection of information systems, IT networks and data.
Essential entities (with a turnover exceeding 50 million euros and more than 250 employees) and important entities (with a turnover exceeding 10 million euros and more than 50 employees) from the critical and highly critical sectors (see the table below) will now be affected by these regulations aimed at strengthening cybersecurity.
Highly critical sectors | Critical sectors |
---|---|
While the first legislative act of this directive dealt with the following issues:
- Improving cybersecurity capabilities at national scale
- Strengthening exchanges within the European Union
- Introducing risk management and incident notification obligations for essential service operators and digital service providers processing data.
the programme of the second act of the NIS 2 European directive brings new challenges for companies, in particular the following requirements:
- Adopting a risk analysis and management approach (Article 20 – Governance and training)
- Ensuring the continuity of activities and the security of the supply chain
- Ensuring security when implementing, developing and maintaining networks and information systems (Article 21 – Risk management measures)
- Reporting incidents likely to cause significant operational or financial damage within 24 hours (Article 23 – Notification of incidents)
Where companies are affected by this new digital regulation, so are their suppliers, who must ensure the security and maintenance of their products and also report incidents likely to cause operational damage.
According to Securitas Technology's 2024 electronic security barometer, 51% of the companies surveyed are investing in equipment to identify threats and detect events for better compliance. As threats increase and network security standards evolve rapidly, 85% of the companies surveyed wish to anticipate and prevent threats in order to be protected against them. Video surveillance ranks second among the investments that will increase over the next 18 months, cited by 55% of the companies surveyed, behind access control (source: Securitas Technology's barometer).
Using time servers is paramount for securing computer data and complying with the new European requirements, addressed here through three major challenges:
How to reduce the attack surface?
It is recommended to install a reliable local time source so as not to depend on external sources, eliminating the risks associated with retrieving time over the Internet. The Bodet time server secures networks with the following features:
- Physical partitioning by adding modular network cards
- Logical partitioning according to the 802.1Q standard (VLAN)
- Network filtering according to the 802.1X standard
- Traffic control using an embedded firewall
How to secure a logging system?
Within a computer network, each event must be recorded, in particular to guarantee the traceability of information, the prior existence of files and access to data, and even to constitute legal proof. Logging is paramount for improving the security of an information system. A Bodet time server provides timestamping for all digital equipment by distributing time information authenticated with a symmetric key, meeting the compliance requirements of the new NIS 2 directive.
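As an added illustration (not Bodet's code or the Netsilon firmware), the following Python builds an NTPv4 server response carrying the classic symmetric-key MAC (a 4-byte key identifier followed by MD5 over the shared key and the 48-byte header, the scheme of RFC 5905) and shows a client refusing to trust a response whose timestamp was altered or whose key identifier it does not know. The key id, key bytes and timestamp are constructed for the demo.

```python
import hashlib
import hmac
import struct

# Constructed demo key ring: in practice the key id and secret come from the
# time server's and clients' keys files (assumption of this demo).
KEY_ID = 42
KEYS = {42: b"constructed-demo-shared-secret"}

NTP_EPOCH_OFFSET = 2208988800  # seconds between 1900-01-01 and 1970-01-01

def ntp_timestamp(unix_seconds: float) -> bytes:
    """Encode a Unix time as a 64-bit NTP timestamp (32-bit seconds, 32-bit fraction)."""
    secs = int(unix_seconds) + NTP_EPOCH_OFFSET
    frac = int((unix_seconds - int(unix_seconds)) * (1 << 32))
    return struct.pack("!II", secs & 0xFFFFFFFF, frac & 0xFFFFFFFF)

def build_server_response(unix_seconds: float, key_id: int, key: bytes) -> bytes:
    """Build a 48-byte NTPv4 mode-4 (server) header plus the symmetric-key MAC.
    Fields other than mode, stratum and the timestamps are zeroed for brevity;
    MD5 is the historic NTP digest (SHA-1 or AES-CMAC are preferable where supported)."""
    li_vn_mode = (0 << 6) | (4 << 3) | 4                  # LI=0, version 4, mode 4
    header = struct.pack("!BBBb", li_vn_mode, 1, 0, -20)  # stratum 1, poll, precision
    header += b"\x00" * 12                                 # root delay/dispersion, ref id
    header += ntp_timestamp(unix_seconds) * 3              # reference, originate, receive
    header += ntp_timestamp(unix_seconds)                  # transmit timestamp (bytes 40-47)
    digest = hashlib.md5(key + header).digest()            # MAC = MD5(key || header)
    return header + struct.pack("!I", key_id) + digest

def verify_response(packet: bytes, keys: dict) -> bool:
    """Client-side check before using the time: the key id must be known and the
    digest must match. 48 + 4 + 16 bytes means an MD5 MAC (20 would be SHA-1)."""
    if len(packet) != 48 + 4 + 16:
        return False
    header, digest = packet[:48], packet[52:]
    key = keys.get(struct.unpack("!I", packet[48:52])[0])
    if key is None:
        return False
    return hmac.compare_digest(hashlib.md5(key + header).digest(), digest)

def transmit_time(packet: bytes) -> float:
    """Decode the transmit timestamp of a verified packet back to Unix time."""
    secs, frac = struct.unpack("!II", packet[40:48])
    return secs - NTP_EPOCH_OFFSET + frac / (1 << 32)

def corrupted_copy(packet: bytes) -> bytes:
    """Constructed case: one byte of the transmit timestamp changed in flight."""
    altered = bytearray(packet)
    altered[44] ^= 0x01
    return bytes(altered)
```

A client that only accepts packets passing `verify_response` logs with the authenticated time; an unauthenticated or altered packet is dropped rather than applied.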
How to protect the administration of information systems?
The administration of information systems is an attack vector regularly used by cybercriminals to compromise the operation and security of a facility as well as its data. Bodet time servers address this issue by offering the following services:
- Web interface available in HTTPS
- Encrypted user authentication using LDAPS or RADIUS
- Encrypted supervision via syslog or SNMPv3
More specifically, the NIS 2 cybersecurity directive focuses on two current issues: the security of the architecture and the logging of the information system, for better data protection.
A time server plays a crucial role in meeting these challenges:
- Logging, analysis and correlation across the whole computer network: the time server synchronises every device on the network, which is what makes log analysis and correlation possible.
- Security of the architecture: using a local time server makes it possible to do without external NTP sources.
Today, cybersecurity players are available to help companies transform and comply with this new directive. By deploying real solutions and new applications, entities and institutions can avoid potentially costly penalties of up to 10 million euros or 2% of their annual turnover for non-compliant digital infrastructures. While 2025 may seem a long way off for the implementation of the updated version of the NIS directive, the actual transition deadline has been set at October 2024, making this a crucial and urgent issue for essential and important European companies. These new regulations are essential for European Union states in order to offer a higher level of cybersecurity and ensure the security of data, which is tomorrow's financial challenge.
Bodet Time helps companies comply with the NIS 2 directive through the use of the Netsilon time server. For more information about Bodet time servers and their applications, visit our dedicated page.