The EU Network and Information Systems Security directive (NIS2), which replaced the NIS1 directive earlier this year, broadens its scope to include more entities, applies to a larger range of sectors and brings an additional series of obligations not previously covered by NIS1. The deadline for the implementation of this directive is 17 October 2024.
NIS2 will also apply to most National Research and Education Networks (NRENs) and deliver a series of advantages. However, its implementation can be complex and resource-intensive, as it also brings a risk-based and procedural approach to security that could be at odds with current practice.
GÉANT worked with Stratix, an independent consultancy firm specialised in communication infrastructures and services, to go through the steps that NRENs need to follow and the questions that need to be answered during the NIS2 implementation phase.
These are available in a published report.
According to this report, NRENs need to identify whether they fall under the scope of NIS2 and, if so, under which category. In addition, they must find ways not only to become compliant, but also to minimise the impact of this directive on their organisations. Recommended starting points towards compliance are the existing network and information security frameworks, wherever available. For instance, GÉANT and its members are making good progress on this front in the comparison between NIS2 and the GÉANT Security Baseline. The report also encourages NRENs to engage with their local governments and, as their connected universities will be facing similar questions in the context of NIS2, it recommends coordination between NRENs and their connected institutions.
In summary, the report highlights the potential issues identified for NRENs, suggests some solutions and closes with a series of recommendations: accepting change, implementing a framework, collaborating with GÉANT and user organisations, and engaging with local governments.
Alf Moens, Security Lead for GÉANT, comments: “We all know that NIS2 is not a movable feast and will inevitably lead to changes for NRENs, requiring a new balance between technical thinking and regulatory reasoning. We also recognise that NIS2 is a major challenge for R&E and a great deal of detail is still unknown. I believe that this report gives a concise overview of choices and will help NRENs and their stakeholders in the preparation and decision process.”
Stratix is an independent research and consultancy company specialised in communication infrastructures and services. It focuses on sectors where ICT networks play an important role: telecommunications and media, but also energy, scientific research and real estate. Based in the Netherlands, Stratix has an extensive network within industry, government and academia. Stratix is not affiliated with service providers, suppliers or any other organisation.