The NIS2 Directive (The Network and Information Security Directive) is European legislation designed to strengthen the cybersecurity of information systems and networks across EU member states. Log management and SIEM solutions can significantly assist in meeting crucial parts of the directive.

Minimum cybersecurity risk management measures according to NIS2

NIS2 establishes a framework for cybersecurity risk management measures and reporting obligations through 10 minimum cybersecurity risk management measures listed in Article 21 of the Directive

  • policies on risk analysis and information system security;
  • incident handling;
  • business continuity, such as backup management and disaster recovery, and crisis management;
  • supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers;
  • security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure;
  • policies and procedures to assess the effectiveness of cybersecurity risk-management measures;
  • basic cyber hygiene practices and cybersecurity training;
  • policies and procedures regarding the use of cryptography and, where appropriate, encryption;
  • human resources security, access control policies and asset management;
  • the use of multi-factor authentication or continuous authentication solutions.
  • While the specific technical and organizational measures implemented will vary based on the national transposition of the Directive, they will be largely consistent across the EU.

Article 21 makes it clear that to comply with the NIS2 directive, organizations will need to implement several essential technical measures.

Expected technical measures required by NIS2 

Based on the wording of NIS2 and the drafts of national laws, regulated entities will need to develop competencies in the following areas:

  • Physical security
  • Network security
  • Identity management and authentication
  • Access rights management
  • Detection of cybersecurity incidents
  • Logging of security and relevant operational events
  • Evaluation of cybersecurity incidents 
  • Application security
  • Cryptographic algorithms
  • Ensuring the availability of regulated services
  • Security of industrial, control, and other specialized technical assets

The role of log management and SIEM in the NIS2 Directive

Log management plays a crucial role in meeting the requirements of the NIS2 Directive and the cybersecurity acts of the member states. Let’s examine selected technical measures arising from NIS2 and how log management and SIEM help to meet them.

1. Detection of cybersecurity incidents

As the prevention mechanisms can’t keep pace with the ever changing cyber threats landscape, a key focus of the NIS2 Directive is on strengthening the detection and response capabilities of obligated entities.

A combination of log management and SIEM brings an important value as it allows: 

  • Proactive detection of cyber threats 
  • Alerting on malicious patterns and anomalies
  • Centralized observability of the IT environment
  • Incident investigation and response

When log management delivers visibility across the entire IT environment (endpoints, network, cloud workloads, operating systems, etc.), collects and stores relevant data, SIEM enables data/event correlations and incident analysis, enabling detection of anomalies and suspicious activities, alerting security teams and evaluating potential risks. 

Amongst others, log management tool can help to fulfill NIS2 requirements by:

  • Verification and control of transmitted data within networks and between networks,
  • Verification and control of transmitted data at the network perimeter of networks,
  • Continuous and automatic protection against malicious code,
  • Management and monitoring of communication among applications, their services, and processes,
  • Detection of cybersecurity events,
  • Behavior-based detection of unwanted activity of users, administrators or digital assets.

2. Logging of security and relevant operational events for reporting obligations and auditing 

Obligated entities will be subject to expanded incident reporting obligations, on-site inspections, regular and ad hoc security audits by competent authorities, and other supervisory and enforcement measures. Therefore, collecting data and context about security incidents or relevant operational events will be crucial for meeting NIS2 compliance.

Log management delivers such data in an easily accessible way. It not only allows effective incident investigation and evaluation of their magnitude and impact but also ensures the storage of logs about activities across the IT environment, thus helping to cover the reporting and auditing obligations required by NIS2.

  • Typically, centralized log management tools store logs, metrics, traces, and even events related to relevant security and operational records such as:
  • Type of activity,
  • Identification of the technical asset affected by the particular activity,
  • Identification of the account under which the activity was performed,
  • Success or failure of the activity,
  • and many more.

This information will also play a key role in meeting tight reporting deadlines required by NIS2 for warning notifications (within 24 hours)

3. Evaluation of cybersecurity incidents

The new cybersecurity law will require essential entities to use a tool for continuous evaluation of detected cybersecurity events. This includes collecting, searching, and correlating information to detect and evaluate cybersecurity incidents.

This measure aims not only at proactive responses to emerging threats but also at the continuous optimization of the organization’s resilience by identifying and addressing security weaknesses.

Logmanager enables the collection of necessary information and, thanks to its SIEM functions, also correlates and evaluates these events, thereby fulfilling this obligation.

When does NIS2 come into effect?

The European NIS2 Directive came into effect on January 16, 2023. According to its provisions, EU member states have nearly two years to transpose its requirements into national legislation. Although the directive sets the deadline for October 17, it is possible that the preparation and approval of the new laws in the member states may take a bit longer.

Currently, the expected timeframe for the adoption of the new cybersecurity act is by the end of 2024 or the beginning of 2025. Once it comes into force, regulated entities will have 30-90 days to register with the regulatory institution and then one year to implement measures to comply with the law.

Conclusion

Detection, analysis, and evaluation of cybersecurity events are crucial components of any successful defense against attacks and threats. Thus, they are also foundational elements of the NIS2 directive.

Log management and SIEM tools facilitate compliance with NIS2, including the obligation to maintain information about events, report them, and preserve them for various audits that regulated entities will be subject to.

If you want to learn how log management supports regulatory compliance in practice, explore the following case study.