How to Rock your NIS 2 Compliance: A Tech-Savvy Mapping

If you are an organization that provides essential or important services in the EU, you may have heard of the Network and Information Systems Directive 2 (NIS 2), because you will likely fall under this new directive. If you are based in the Netherlands, you can check whether it applies to you via the self-check launched by the NCSC: NIS 2 Zelfevaluatie NL.

In this blog post, I will explain the importance of NIS 2 and which Microsoft solutions can contribute to your NIS 2 compliance. I will also share a link to the technology mapping between NIS 2 and Microsoft technologies. This mapping is built on the foundation of the Zero Trust framework. Together with my two co-writers, Tony Krijnen and Ronald Schouten, CISM, I will guide you through how Microsoft technologies can contribute to your NIS 2 compliance.

Before diving into which solutions help you on your road towards NIS 2 compliance, let's take a small step back.

What is the NIS 2 regulation and why do we hear a lot about this regulation?

Well, NIS 2 is an updated set of rules that aims to improve cybersecurity across the EU by imposing higher standards and stricter obligations on organizations that are vital for society and the economy. It is, obviously, the successor of the first Network and Information Systems Directive, which was adopted in 2016.

Picture 1: The ten duties under the NIS 2 Directive

A lot has changed since then. In our beloved technology space, a lot can happen in just one year (I mean AI/Copilot, thank you Microsoft!). Therefore, it is time for a successor, because cybersecurity is a key enabler for the digital transformation of the EU and a strategic asset for its resilience and competitiveness.

"The COVID-19 pandemic was critical in raising awareness of the importance of being able to harness digital opportunities for development and resilience", according to Torbjörn Frederiksson from the UN Trade & Development organization. We have seen in the coronavirus pandemic how much we rely on digital services and infrastructure for our daily lives, work and communication. Think about doing your groceries with a payment card, setting up an appointment at the dentist or even being in surgery in the hospital.

Cyber threats, internal or external, are becoming more frequent and more sophisticated, and therefore more impactful. An incident at one organization can cause severe operational disruption, financial loss and harm to that organization, to individuals and to other organizations.

Which Microsoft solutions can help me towards NIS 2 compliance?

NIS 2 requires more than the implementation of technology to achieve and sustain a certain level of cybersecurity. It requires a good foundation, built on governance and strategy. You must dive into your organizational structure and adapt your processes to mitigate risks. On top of that, it also involves people: they need to adapt to the use of technology and to adhere to processes, and that is an important element of compliance. These two main elements, processes and people, should not be neglected or overlooked when working on your NIS 2 compliance. Our contribution lies in the technology. With this technology mapping, we aim to support you in your compliance journey by providing a handy overview of which Microsoft solutions contribute to your NIS 2 compliance.

We have worked on a technology mapping between NIS 2 and our Microsoft solutions, based on the NIS 2 text published on January 16, 2023. To organize this in a structured way, we have used the Zero Trust framework as the basis. Zero Trust is a modern security framework that assumes that every element of your system can be breached and therefore requires explicit verification and least-privilege access for every transaction. Zero Trust extends across six foundational elements: identities, devices, data, applications, infrastructure, and networks.

We have plotted the ten duties of NIS 2 onto the six pillars of Zero Trust, which resulted in the one-page overview shown in Picture 1. We have extended this one-page overview by elaborating, per duty, the most impactful and industry-agnostic Microsoft solutions.

Picture 2: Mapping of the duties on the Zero trust framework

We are aware that this technology mapping is not exhaustive. There are specific features and other Microsoft solutions that also contribute towards NIS 2 compliance; however, we have aimed at a comprehensive overview to fit our broad audience. Those features and solutions should not be neglected either, as they also help make your organization cyber resilient.

With this technology mapping we have focused on the technology aspect of NIS 2. However, as highlighted before, NIS 2 compliance is not only a matter of technological measures. It requires people and processes to meet compliance goals, sustain them and continuously improve your cybersecurity posture. On your road towards compliance, measuring your progress is important.

Microsoft also provides you with guidance, resources, and tools to assess your compliance status, identify gaps, and implement best practices. For example, you can use Microsoft Compliance Manager to access assessment templates with detailed recommendations for NIS 2, as well as other regulations and standards. You can also use Microsoft Secure Score to measure and improve your security posture across Microsoft and third-party solutions.

Start your NIS 2 Compliance journey here by downloading the technology mapping: NIS2 Directive (microsoft.com).

How can I put this into practice?

We have built the mapping around the Zero Trust framework. Let's quickly go over these defense areas and see which solutions are highlighted as examples in the NIS 2 technology mapping. More details can be found in the mapping itself.

  • Identities: You can use Microsoft Entra ID to manage and protect your identities and access to your resources. Entra ID provides features such as multi-factor authentication, conditional access, identity protection, and privileged identity management to ensure that only authorized and verified users have access to your critical assets.

Picture 3: Duty I relating to Identity area

  • Devices: You can use Microsoft Purview to encrypt data at rest and in transit with the use of sensitivity labels, and Azure Key Vault to manage your cryptographic keys. Microsoft Entra ID Governance provides you with capabilities to ensure that the right people have the right access to the right resources.

  • Data: You can use Microsoft Information Protection to classify, label, and protect your sensitive data wherever it lives or travels. Microsoft Information Protection also includes data loss prevention and insider risk management features to prevent accidental or malicious leakage of your data and to detect and respond to risky user behavior. You can use Microsoft 365 Backup & Archiving to preserve and restore your data across Microsoft 365 services, such as Exchange Online and SharePoint Online.

Picture 4: Duty H relating to Data area

  • Applications: You can use Microsoft Entra authentication strengths to specify which combination of authentication methods can be used to access a resource. To enable secured video and text communications, Microsoft Teams Premium offers advanced communication tools.

  • Infrastructure: Learn how Microsoft cloud services protect your data, and how you can manage cloud data security and compliance for your organization, in the Service Trust Portal. The new GDAP (Granular Delegated Admin Privileges) model grants partners access to customers' tenants, but only to the necessary roles and permissions and only for a limited time. This is the way partners access a customer tenant through their Partner Center environment.

Picture 5: Duty D relating to Infrastructure area

  • Networks: You can use Microsoft Purview Information Protection and Governance to collect, analyze, and respond to data security signals from your entire digital estate. Purview expands beyond the Microsoft 365 environment to include Azure, AWS and third-party applications by connecting Microsoft Defender for Cloud Apps.

These are just some examples of how Microsoft can help you comply with NIS 2. Now it's your time to take action; more details can be found in the technology mapping that is available for download here.

I am excited to share this technology mapping with you and am eager to hear your NIS 2 compliance stories.

NIS 2 compliance is a Zero Trust journey.

Tirth Patel

Founder @Neno Technology | Building AI Solutions for the Future | Founding Member – Agentic Bharat

1y

I'll keep this in mind

Absolutely agree, safeguarding your digital presence is a collective effort. 🔒🌐 Ellen van Meurs

Very clearly described, Ellen van Meurs, compliments!!

Emeric Marc

I help companies resuscitate dead leads and sell using AI ✍️🇲🇫🇺🇲🇬🇧 #copywriting #emailmarketing #coldemail #content #databasereactivation

1y

So true. Cybersecurity is a collective journey for the whole ecosystem that surrounds us.
