NIS2 – mandatory disaster recovery

As we’ve covered previously, the cybersecurity space is becoming increasingly heavily regulated. This is nowhere more apparent than in the European Union, where a series of directives regarding data handling, resiliency, and more have been coming into effect. Joining these is the NIS2 directive, a set of regulations governing mandatory reporting and cybersecurity risk management. Let’s take a look at what the directive actually mandates, and what this will mean for your organization:

What is the NIS2 Directive?

In 2016, the European Union passed the so-called Directive on Security of Network and Information Systems – the NIS Directive. The original NIS directive affected crucial fields: energy (electricity, oil, and gas), transport (air, rail, water, and road), as well as drinking water supply and distribution. All of these fields were judged critical, and were guided through the directive to achieve a heightened state of digital resilience.

The NIS2 directive, which is being billed as the most comprehensive European cybersecurity directive to date, builds on this original NIS directive. It expands the covered sectors to a total of fifteen, adding health, finance, digital infrastructure, public administration, digital providers, postal services and more to the covered list.

As before, NIS2 aims to improve European resilience against both current and future cyberthreats. The directive’s requirements can be divided into the following categories:

Risk management

Organizations must take measures to minimize risks; this may include incident management systems or better access control to their internal data. Steps must be taken to ensure that risks are minimized as much as possible.

Reporting obligations

Entities covered by the directive have to put in place processes to promptly report security incidents – either actual cyberattacks or discovered vulnerabilities – that have an impact on their ability to continue providing services. NIS2 sets specific notification deadlines, the tightest being twenty-four hours for an early warning.

Business continuity

Organizations covered by the directive must demonstrate a disaster recovery plan that would allow them to bounce back in the event of a major incident. This should take into account system recovery and standard emergency procedures, as well as setting up dedicated crisis response teams.

Why now?

These measures are largely required due to the lack of standardized security measures across the European Union and the overall state of the field. The state of cybersecurity has generally been lagging behind, which is one of the reasons for the unprecedented financial support and legislative attention it has received in the last decades.

The rapid digitalization across almost all industries and sectors is at least partially to blame for the issues: organizations that were not used to a digital environment have nonetheless found themselves with an increasing digital footprint, exposing gaps in their cybersecurity measures.

What does this mean for your business?

For those companies active in sectors covered by NIS2, there is now a hard deadline they have to contend with. The directive itself has already been passed; the deadline for EU Member States to incorporate the NIS2 Directive into their national law is October 17, 2024. This date is crucial for businesses and organizations within the EU, as they must be compliant with the directive’s requirements by then – but it also opens a window for them to come into compliance.

Among other things, this means making sure that your organization has a plan for disaster recovery and business continuity that adheres to the guidelines presented in the directive: a way to assess who has accessed your data, and a way to maintain your access to it without an interruption of service.

Archive with contentACCESS

With continuity of service a key aspect, organizations have to look into data management and backup systems. Most of the more common backup solutions will, provided they are correctly set up and accompanied by high levels of training for employees, allow companies to recover their data. However, this recovery will take the form of a lengthy restore cycle, during which the company is effectively out of operation.

To avoid this, cut out the restore cycle entirely with contentACCESS archive and backup. With contentACCESS, employees can maintain constant access to their files stored on the archive. In the event of a cyberattack or other interruption of service to the live system, there is no discontinuity of service; keep accessing your required data and working even as the rest of the recovery process happens in the background.

Besides helping maintain your business continuity, our contentACCESS archive and backup meets all other criteria outlined by the NIS2 directive, as well as other regulatory requirements such as GDPR or DORA. Easy access to your files combined with access auditability, eDiscovery capabilities, and more!

Do the possibilities of our solution interest you? If so, contact us! Take advantage of our team of experts’ combined decades of archiving experience, and take your organizational security to the next level. Archive smarter – with TECH-ARROW.


Archive your data with contentACCESS

by Matúš Koronthály