Zscaler Inc.

28/08/2024 | News release | Distributed by Public on 28/08/2024 16:54

The NIS2 directive as an opportunity to overcome legacy infrastructure

By now, all CISOs and C-level executives in the EU should be aware of the upcoming NIS2 Directive deadline: 17 October 2024. Member states must adopt and publish the measures necessary to comply with the directive by 18 October 2024. Belgium, France, Germany and Italy have already issued the decrees transposing the directive, although some of these are still preliminary drafts. The good news is that things are progressing as the deadline approaches.

We are all aware that the NIS2 objective is to expand the scope and strengthen security requirements across all EU countries, raise the baseline level of protection, harmonize information sharing and enforce compliance, not only by imposing fines but also through potential legal consequences for senior leadership.

We see different levels of maturity across the EU in terms of adoption, understanding, and funding for becoming compliant. However, most of those in charge of NIS2 compliance initiatives are confident about the ultimate result: a stronger security posture for their organization.

The Directive can even provide the impetus for a shift in mindset about how security is approached overall. If organizations come across major gaps in their security infrastructure, the following aspects can be helpful when redesigning the security setup.

In the following, we cover two aspects that can serve as the foundation for a new tactical or even strategic approach to security.

I'd like to start by explaining why the Zscaler Zero Trust Exchange platform is well suited to help organizations accomplish the short-term goal of compliance, and secondly why it has further potential as a business enabler that lets them go one step further.

The compliance goal can go along with a technology swap

The Zscaler platform fits the requirements of NIS2. The directive in fact states (preamble 89) that: "Essential and important entities should adopt a wide range of basic cyber hygiene practices, such as zero trust principles, software updates, device configuration, network segmentation, identity and access management or user awareness, organise training for their staff and raise awareness concerning cyber threats, phishing or social engineering techniques".

You may immediately notice that the zero trust framework is what is highlighted, while, across the whole document, there is no mention of VPN (Virtual Private Network): it is commonly known that this incumbent technology, which served customers well for many years, has now become a security weakness. The latest Zscaler ThreatLabz 2024 VPN Risk Report points out the dangers of dated technology: 92% of the respondents are concerned about third parties serving as potential backdoors into their networks through VPN access.

Third-party management is a key aspect of NIS2, because the whole value chain must be protected by every involved stakeholder. That's why NIS2 requires entities to validate their entire supply chain before relying on it and to exercise due diligence to avoid the risks coming from it. In the Zscaler report NIS2 & Beyond: Risk, Reward & Regulation Readiness from April 2024, we found that more than 95% of organizations have started to deploy zero trust solutions or, at least, plan to do so.

To comply with NIS2, enterprises don't only need new technology; they also need to improve their procedures and educate their workforce. It's a matter of "people, process and technology". The Zero Trust Exchange (ZTE) platform clearly addresses most of the technical specifications covered in Article 21 of the directive, but Zscaler can also provide guidance and best practices on the procedures to follow, leveraging our Professional Services expertise.

One of the most common difficulties faced by organizations is that NIS2 "measures shall be based on an all-hazards approach that aims to protect network and information systems". That is very hard to achieve with a single technology, so you risk vendor sprawl and ever-increasing management complexity. The ZTE is a comprehensive platform that provides what you need to secure and simplify your environment and helps transform your business. You can enable the functionalities of interest whenever your organization is ready to adopt them, simply by enabling the corresponding licenses. For example, you can secure Internet/SaaS traffic or access to private applications, with monitoring from device to network to applications, data protection, CASB, and logging. Later, you may want to deploy zero trust SD-WAN, risk management, and identity protection; the list goes on.

The Zscaler ZTE platform can greatly support customers in accomplishing their security goals, but it doesn't just protect infrastructure; it simplifies it, too. Complex environments are generally hard to manage, expensive, difficult to troubleshoot, and slow to release new services.

The ultimate purpose of the Zero Trust Exchange is to maximize the value delivered to the business and support digital transformation. It does so by enabling the critical resources that allow the business (people, apps, devices/things, and data) to operate in the most efficient, scalable and secure way possible, abstracting away traditional IT complexity, and providing the visibility and insight the business needs to make timely decisions, while minimizing business risk and maximizing profit in the process.

The Zero Trust Exchange eliminates the attack surface by making applications invisible to the internet. Furthermore, because the traffic never touches your network directly, lateral movement is impossible. Ultimately, this approach significantly reduces the organization's risk of falling victim to ransomware and other malware, accidental or malicious data loss, and more.