At the end of 2022, the new NIS2 Directive was adopted by the European Council. The implementation period, during which the directive will be incorporated into national legislation, started at the beginning of this year.
Although the law is not expected to actually enter into force until 2024, it is important for organizations to prepare for this now.
What exactly does the NIS2 directive mean?
NIS2 stands for Network and Information Systems Directive 2. It is a European law that establishes cybersecurity and risk management requirements for certain organizations operating in essential and important sectors. NIS2 is an updated version of the first NIS Directive and includes new objectives, comprehensive coverage and a stronger emphasis on management responsibility. It aims to strengthen Europe's cybersecurity against an ever-increasing threat and risk landscape by improving the security of network and information systems used to deliver essential services. The advent of the directive should contribute to more European harmonization and a higher level of cybersecurity among companies and organizations.
In concrete terms, the arrival of the NIS2 directive means that organizations must take (even more) measures to bring their cyber resilience to a higher level.
The NIS2 Directive applies to a wide range of sectors, including Energy, Transport, Banking, Financial Market Infrastructure, Healthcare, Drinking Water, Digital Infrastructure, Wastewater, Public Services, Space and ICT Management services. What all these sectors have in common is that they are important for the economy and society.
Duty of Notification and Duty of Care
In accordance with the directive, organizations have a Duty of Notification and a Duty of Care. For example, the directive requires entities to report incidents that significantly disrupt the provision of the essential service to the regulator within 24 hours.
With regard to the Duty of Care, entities are obliged to carry out a risk analysis themselves. On this basis, they can take appropriate measures to ensure the continuity of their services as much as possible and to protect the information used.
Are you doing business with an organization that carries out essential and important activities? Even then, you will need to have general security measures in place.
Encryption and monitoring
In the context of the Duty of Care, a specific role is reserved for the security and monitoring of connectivity. For example, NIS2 includes specific guidelines and procedures for the use of encryption. This is not entirely surprising: many organizations take very extensive measures to secure their own network, but do not always realize that connectivity, that is, the leased lines between locations that exchange data, also poses a potential security risk.
If you purchase connectivity from a provider of telecom services, do you know, for example, which network devices your data passes through on the public network? Through which Points of Presence (PoPs) does your data traffic run? Can hackers get access?
The solution is to encrypt your data. By transporting your data over the line with post-quantum encryption, you can be sure that your data is safe at all times. To ensure maximum security, Arcadiz does not offer shared links, but only end-to-end private connections, where encryption can be applied at both layer 1 and layer 2.
A frequently asked question is to what extent encryption affects latency and performance. This is where Arcadiz's expertise comes to the fore. Our specialists are able to apply encryption without noticeably increasing latency in your network. With more than 20 years of experience, Arcadiz is familiar with all components in a network that affect latency. Optimizing all elements, even in existing legacy systems that cannot (yet) be replaced, is one of our specialisms. Our pragmatic approach also helps to control costs.
In addition to confidentiality, the reliability of the data is also an important aspect. Data at rest can also be corrupted by a calamity. To avoid this risk, it is important to keep the data synchronized at two locations, preferably sufficiently geographically separated, with a third location as a backup.
To this end, Arcadiz offers its know-how to provide high-quality and secure connectivity between locations that makes this possible. In addition, the separate connections are continuously monitored. With Arcadiz Advanced Line Monitoring, the fiber optic connections are monitored 24/7. Any change in the fiber optic connection is immediately visible, whether it is a break in the line or an (attempted) interception of a connection.
Start upgrading now
If you want to be sure that you remain compliant with laws and regulations in the future, you can start upgrading your connectivity now. Would you like to know more about the possibilities or discuss them with one of our specialists? Please feel free to contact us!