On 11th January, Cathrin Stover, Alf Moens and Edit Herczog presented an EU Security Union infoshare on the newly released NIS-2 Directive, published on 15 December 2022, and its effects on NRENs across Europe.
These regulations will be in place within 21 months, so there is a lot of work required within both the Member States and NRENs before October 2024.
NIS-2 relates to security on Vital Digital Infrastructures: infrastructures that are essential for keeping society afloat. It covers a range of industries, including power generation and transmission and healthcare, but research and education are explicitly included. For NRENs in particular, NIS-2 states that government agencies, Top Level Domain (TLD) management, DNS, and Clouds and Trust services are explicitly covered by these requirements, and so most NRENs will fall into the scope.
In general, the obligations following on from this directive are logical and are part of the normal work expected, but there will be a need to ensure this is documented and compliance is demonstrated.
NIS-2 expects regular auditing of compliance and so it is vital that NRENs are prepared. Some of the key actions NRENs can take already are:
- Establish contacts within your national government
- Appoint a coordinator for compliance and reporting
- Assess your current security baseline status
- Identify your obligations under NIS-2
- Understand what is needed to bring your organisation to the required level
To help, GÉANT has a range of services, including:
- GÉANT Security Baseline: Helps you assess your current status
- Policies: A range of Policies and Best Practices, including a Risk Management Policy
- SIG-ISM: the security management community for GÉANT members.
To find out more about NIS-2 and how it can affect your NREN, you can watch the infoshare here or visit security.geant.org. GÉANT will schedule follow-up infoshares on this subject; the next one will be on March 28th.