EU Directive 2022/2055, o NIS2, aims to strengthen the Cybersecurity and resilience of private and public organizations within the European Union. Adopted in January 2023, however, it does not represent an absolute novelty, the new one Network and Information Security Directive it is in fact the update of a series of provisions dating back to 2016 with which the number of subjects called to comply is firstly expanded.
NIS2 must be transposed by Member States by October 17, 2024: this means that there are not many months available to be compliant and it is necessary to prepare in time, also to avoid sanctions which, in the most serious cases of violation of obligations, could reach up to 10 million euros.
Choosing the right partner therefore becomes fundamental, especially with regards to data security. But what are the criteria for choosing the best provider? We try to answer this question by analyzing the functionality of a geo-distributed, sovereign, hyper-resilient and Europen Cloud Storage service like that of Cubbit. Because geo-restriction, data sovereignty and Data Protection are fundamental requirements for NIS2 compliance.
NIS2: objectives and obliged entities
The NIS2 directive aims first and foremost to strengthen Cybersecurity within the Union, especially in a context of growing and increasingly sophisticated cyber threats that have found new allies in generative AI. Organizations affected by compliance obligations must be prepared, aware and promote a safety culture. With this update, the scope of the Directive is also extended to a greater number of sectors, providing common guidelines for the uniformity of national legislation.
The application of NIS2 identifies new categories of subjects “essential” e “important”. Among the first we find the Public Administration, now classified as essential on a par with organizations operating in critical sectors such as healthcare, energy, banking and finance, space, transport and water and digital infrastructure. The “important” subjects refer, however, to the chemical and agri-food sectors, waste management, postal and courier services as well as digital services. This means that even search engines, social networks, cloud providers and e-commerce they must be NIS2 compliant.
The Directive provides that “essential” entities must be subject to supervision starting from its introduction. For “important” ones, however, supervisory measures are triggered ex-post once evidence of non-compliance has been identified. However, it is good to keep in mind that by April 17, 2025 Member States will have to define the list, to be reviewed every two years, of “essential” and “important” entities subject to the obligations, also including service providers for the registration of domain names. The number of organizations required to comply could therefore increase depending on their security risk profile and regardless of size.
Being NIS2 compliant means adopting technical, operational and organizational measures established by law. We will now discover what these interventions consist of, what the consequences of non-compliance could be and why a platform capable of satisfying the requirements of the Directive, such as Cubbit, represents the ideal solution for companies that wish to transform data into value through a service of efficient Cloud storage. Both from a cybersecurity and cost point of view.
NIS2 and compliance paths
NIS2 requires that obliged entities must specify assets, processes and services for which it is necessary to adopt the required security measures. Each sector may require different interventions but the objective is always the same: to protect systems, data and networks through an approach that protects them against different types of risk. Whether due to external or internal threats.
The implementation of these measures, whose effectiveness must be assessed through specific procedures, includes the development of policies for risk analysis and system security. It is then necessary to adopt effective management of possible accidents, as well as crises (Disaster Recovery), as well as ensuring operational continuity thanks to the availability of Backup. Staff training on Cybersecurity and the use of access control strategies by human resources are also of particular importance. In the same way it is necessary to protect accounts and data through two-factor authentication, or continuous authentication, and guarantee the security of text, voice and film communications. The use of cryptography and encryption must be regulated through policies and procedures.
The Directive requires organizations to verify the security of systems and networks in the acquisition, development and maintenance phases, also providing for aspects related to vulnerability management and their disclosure. Also there supply chain it must offer a high level of reliability, because the presence of non-NIS2 compliant elements or actors (even just one) could jeopardize the security of the entire supply chain.
Some are then planned accident reporting obligations. The most significant ones must be reported to the competent authorities of the State of origin which, in turn, must inform the other national authorities and the European Commission to improve collaboration and coordination within the Union. Episodes such as, for example, large-scale cyber attacks, breaches of personal or sensitive data, theft of confidential information and interruptions in the provision of services fall into the category of “significant incidents”.
Why choose Cubbit to be NIS2 compliant
With an increasingly widespread migration of company data from on-premise configurations, i.e. developed locally, to the Cloud, the latter has also assumed an important position in the definition of the obligations envisaged by NIS2. For this reason Cubbit offers a Cloud storage service S3 compatible and natively compliant for anyone who needs to secure their data. Regardless of size.
From this point of view it is fundamental Cubbit’s approach to Data Retention focuses on hyper-resilience. With over 5 thousand partners, customers and companies who rely on its solutions, the provider implements a zero-risk platform against any event that could compromise data or lead to its loss. This is thanks to them fragmentation across multiple geo-distributed nodes and to multi-server replicationtechniques redundancy with which the stored information is always intact, available and accessible, even in the event of hardware failures, serious malfunctions, natural disasters or cyber attacks.
Data protection is also due to the fact that the latter are encrypted con standard AES-256 before fragmentation and distribution on nodes. All these phases take place exclusively on servers located in the European Union: no information is transmitted to third parties and this determines a level of digital sovereignty fully compliant with NIS2. Fragmentation is also a guarantee of privacy and only the owners of the data can access them, users then have complete control over the information through granular management of access and authorizations. Solutions like Cubbit DS3 Composer they also allow you to create and customize your own Cloud Storage service in just a few minutes, being able to scale it at any time based on your needs.
The model adopted is that of storage P2P, in fact the Cubbit Cloud allocation system is not centralized: in each node only a few fragments are stored, indistinguishable from the others, this means that even in the presence of damaged nodes the data is always recoverable and the violation or malfunction of a single node determines the automatic redistribution of the others. Without service interruptions.
Sanctions in case of non-compliance
Failure to comply with the NIS2 Directive could result in sanctions, even very onerous ones, which vary depending on the alleged violation, the classification attributed to the organization concerned and the amount of revenue. “Essential entities” risk having to pay up to 10 million euros or 2% of their annual turnover worldwide. The “important” ones can instead incur fines of up to 7 million euros or 1.4% of the global annual turnover. The calculation of the fine takes place taking into account the higher amount of the two.
With Cubbit Cloud storage, operating costs can be up to 80% lower than those of companies that operate globally like AWS. Why take risks when, in addition to Cybersecurity, investments can also be optimised?
Conclusions
Regardless of the extent of the sanctions provided for failure to comply with NIS2, compliance with the Directive is essential to ensure that your data and that of your customers are always safe. Being compliant also means choosing a partner capable of guaranteeing levels of durability close to 100% (99.999999999% in the case of Cubbit), respect for privacy, resistance to attacks (including ransomware and DDoS) and full control over information…