The new directive, NIS2 (Network and Information Security Directive), is part of the EU Cybersecurity Strategy and a consequence of the increasing cybersecurity threat to the EU's internal market. Worth noting is that all direct suppliers to organizations covered by NIS2 should expect to meet similar cybersecurity requirements, as NIS2 singles out supply chain cybersecurity risk as essential to the critical suppliers' ability to deliver.
Cyber threats from highly motivated cybercriminals are a consequence of the extensive digital transformations of manufacturers and service providers and of the digital vulnerabilities embedded in them. This exposes the organizations and their network and information systems to the risk of losing the availability of services essential to the functioning of society and the economy.
This article looks at the NIS2 requirements from the point of view of organizations whose business-critical application for delivering products and services is the SAP ERP platform. But first, a short recap of the NIS2 requirements on the organizations in scope.
Cybersecurity and the Obligations of the Organizations
Many organizations using SAP as their core business operations platform are already aware of the challenges of maintaining a proper cyber and information security posture: resilience against loss of confidentiality, integrity and availability of the assets important for successful business operations. This includes Risk Management from the perspective of Impact on the Business. With the introduction of the EU GDPR in 2018, to regulate the processing of personal data, a second Risk Management perspective, Impact on the Data Subject, was enforced through new EU regulation. With the NIS2 directive a third Risk Management perspective is added: Impact on the Functioning of Society and the Economy. While executing digital transformations, the accountability required of manufacturers and service providers is increasing significantly beyond their own business interest.
The specific obligations of the organization under the Directive will depend on the sector in which it operates and the nature of the services it provides. NIS2 defines 3 main categories of cybersecurity obligations on the organizations:
- Governance (Article 20)
- Cybersecurity Risk-Management Measures (Article 21)
- Reporting (Article 23)
According to the NIS2 governance requirements, top management is accountable for approving cybersecurity risk-management measures and for overseeing their implementation. Further, top management is required to ensure that the organization has the knowledge and skills to identify risks and to assess cybersecurity risk-management practices, including through its own training. The directive also encourages similar employee training on a regular basis. In addition to financial penalties in case of a breach of NIS2 compliance, top management can be held liable for not fulfilling the measures and obligations of the directive.
Cybersecurity Risk-Management Measures include cybersecurity risk assessments – with the perspective of societal and economic impact – in order to take appropriate and proportionate technical, operational and organizational measures:
- to manage the risks posed to the security of network and information systems, important for their operations and delivery of essential services
- to prevent or minimize the impact of incidents on recipients of their services
NIS2 lists ten types of minimum high-level measures to be established:
- policies on risk analysis and information system security
- incident handling
- business continuity, such as backup management, disaster recovery and crisis management
- supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers
- security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure
- policies and procedures to assess the effectiveness of cybersecurity risk-management measures
- basic cyber hygiene practices and cybersecurity training
- policies and procedures regarding the use of cryptography and encryption, where appropriate
- human resources security, access control policies and asset management
- the use of multi-factor authentication or continuous authentication solutions, secured voice, video and text communications and secured emergency communication systems within the entity, where appropriate
Reporting obligations include notifying the national CSIRT (Computer Security Incident Response Team) of incidents with significant impact, without undue delay. An early warning shall be submitted within 24 hours, a more detailed incident notification within 72 hours, and a final report within 30 days. Further, recipients of the entity's services shall be notified of significant incidents without undue delay. The reporting contributes to the EU cybersecurity posture, as the competent authority shall determine any cross-border impact of the incident based on it.
Accelerate NIS2 Compliance by Utilizing European and International Standards and State-of-the-Art Security Technologies
The NIS2 obligations on organizations highlight the cross organizational aspects of proper information security management, calling for top management accountability and engagement in the implementation of the organizational capabilities – technical, operational as well as organizational, with a core focus on cybersecurity risk management.
The fastest way to get started with this organizational change management process is to look for inspiration in established international standards and frameworks on the subject, such as the ISO 27001 Information Security Management System and the ISO 27x family of standards, and the NIST Cybersecurity Framework, all highly recognized frameworks for establishing and operating appropriate cybersecurity measures. These frameworks cover all the generic capabilities required by the NIS2 obligations, though the specific cybersecurity perspective will need to be reflected in policies, procedures and supporting technologies in order to provide evidence of compliance.
Why SAP Application Security Is a Vital Element of NIS2 Compliance
Whether or not NIS2 applies directly to your organization, the SAP ERP system is a core component of the organization's digital business transformation strategy and key to ensuring seamless, trusted, profitable and competitive services and customer value. As such, the SAP ERP system is a business-critical asset of crucial importance. A lack of cybersecurity resilience in the SAP ERP system can disrupt the business' ability to deliver, represents a significant risk with severe impact on the business and, from a NIS2 perspective, also has societal and economic impact.
With an increasing level of application-specific cyberattacks [1], application security has become a vital element of the overall cybersecurity strategy. SAP security vulnerabilities have become a natural source of intelligence for cybercriminals seeking exploitation. Like the layers of an onion, SAP application security is an important layer of a multilayered cybersecurity strategy.
Considering the historical habits of SAP application security, where often only SAP roles and authorizations receive attention during implementation, not following current SAP application security best practices, it is of crucial importance to rethink the management of SAP security vulnerabilities and cyber hygiene. SAP customers are currently planning the migration from SAP ECC to the new technology platform SAP S/4HANA. To meet NIS2 compliance, security requirements for acquisition, development, maintenance, vulnerability handling and disclosure are a must.
This calls for a change of habits and new SAP security strategies supporting organizational, technical and operational cybersecurity measures. The cybersecurity risk assessments that NIS2 requires of organizations using SAP as their core ERP platform will need to include SAP application security best practice. If not properly attended to, history shows a terrifying number of security vulnerabilities waiting for an accident to happen. The world has changed, and we need to change our SAP application security habits!
Digital Transformation of Security and Compliance
To ensure controlled agility together with a high level of quality and integrity of the productive, business-critical SAP system, a 3-, 4- or 5-level multi-tiered system architecture is best practice, e.g. Sandbox -> Development -> Quality -> Production systems. Assuring consistent and compliant SAP security baselines across all tiers, SAP threat detection, and the management of SAP vulnerabilities and security incidents are highly complex tasks, which are only made possible with SAP-specific security technologies properly adopted into the organization's cybersecurity strategy. Enabling the digital transformation of the security and compliance burden calls for state-of-the-art SAP security solutions designed to meet technical, operational and organizational measures, international standards and the principles of information security management.
Together with our global partner SecurityBridge® we offer an SAP Application Security platform with uniquely designed SAP security controls, supporting 26 of the ISO 27001 technical and organizational security measures. The solution provides a platform for a risk-based security roadmap and continuous improvement, cyber hygiene, security patch and vulnerability management, code vulnerability management, threat detection with Security Operations Centre integration, security incident management, cyberattack forensic analysis and security framework compliance reporting. The SecurityBridge solution is a great example of state-of-the-art digital transformation of the SAP security and compliance challenge, bridging SAP application security with the organization's overall cybersecurity strategy and operations. NTT Security offers Extended Detection & Response solutions integrating SecurityBridge SAP Threat Detection.
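The paragraph above names two things that are hard to keep true by hand across a Sandbox -> Development -> Quality -> Production landscape: every tier meets the security baseline, and the tiers do not drift apart from each other. The script below is an added example of how such a check can be expressed; it is not code from the article, from SAP or from SecurityBridge. The profile parameter names (login/min_password_lng, login/fails_to_user_lock, login/password_expiration_time, rdisp/gui_auto_logout, snc/enable) are real SAP profile parameters, but the thresholds, the per-tier values and the idea of reading them as a plain dictionary are constructed for illustration and are not a recommended baseline for any particular landscape.

```python
"""Baseline compliance and cross-tier drift check for an SAP landscape.

Added example; not code from the article, SAP or SecurityBridge. The
parameter names are real SAP profile parameters, the thresholds and
values are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

TIERS = ["Sandbox", "Development", "Quality", "Production"]

# Constructed baseline: parameter -> (human-readable rule, predicate).
# The predicates deliberately reject the "0 = feature disabled" value that
# a naive "value <= limit" comparison would silently accept.
BASELINE: Dict[str, Tuple[str, Callable[[int], bool]]] = {
    "login/min_password_lng": ("at least 12 characters", lambda v: v >= 12),
    "login/fails_to_user_lock": ("1..5 failed logons", lambda v: 1 <= v <= 5),
    "login/password_expiration_time": ("1..90 days (0 = never expires)", lambda v: 1 <= v <= 90),
    "rdisp/gui_auto_logout": ("1..1800 seconds (0 = disabled)", lambda v: 1 <= v <= 1800),
    "snc/enable": ("must be 1", lambda v: v == 1),
}

# Constructed profile values per tier, as the raw strings a profile file holds.
# Quality has no explicit snc/enable; Production has a 0-day expiration.
SYSTEMS: Dict[str, Dict[str, str]] = {
    "Sandbox": {"login/min_password_lng": "8", "login/fails_to_user_lock": "5",
                "login/password_expiration_time": "90", "rdisp/gui_auto_logout": "0",
                "snc/enable": "1"},
    "Development": {"login/min_password_lng": "12", "login/fails_to_user_lock": "5",
                    "login/password_expiration_time": "90", "rdisp/gui_auto_logout": "1800",
                    "snc/enable": "1"},
    "Quality": {"login/min_password_lng": "12", "login/fails_to_user_lock": "5",
                "login/password_expiration_time": "90", "rdisp/gui_auto_logout": "1800"},
    "Production": {"login/min_password_lng": "12", "login/fails_to_user_lock": "5",
                   "login/password_expiration_time": "0", "rdisp/gui_auto_logout": "1800",
                   "snc/enable": "1"},
}


@dataclass(frozen=True)
class Finding:
    tier: str
    parameter: str
    value: Optional[str]   # None: parameter not set explicitly in the profile
    rule: str


def parse_int(raw: Optional[str]) -> Optional[int]:
    """Profile values arrive as strings; anything non-numeric counts as unset."""
    if raw is None:
        return None
    try:
        return int(raw.strip())
    except ValueError:
        return None


def check_tier(tier: str, params: Dict[str, str]) -> List[Finding]:
    """Return one Finding per baseline parameter that is missing or off-baseline."""
    findings: List[Finding] = []
    for name, (rule, is_ok) in BASELINE.items():
        raw = params.get(name)
        value = parse_int(raw)
        # A missing parameter is reported too: "not set" means the kernel
        # default applies, which is not the same as a reviewed baseline value.
        if value is None or not is_ok(value):
            findings.append(Finding(tier, name, raw, rule))
    return findings


def check_landscape(systems: Dict[str, Dict[str, str]]) -> Dict[str, List[Finding]]:
    return {tier: check_tier(tier, systems[tier]) for tier in TIERS if tier in systems}


def drift(systems: Dict[str, Dict[str, str]]) -> Dict[str, Dict[str, Optional[str]]]:
    """Baseline parameters whose raw value is not identical in every tier."""
    drifted: Dict[str, Dict[str, Optional[str]]] = {}
    for name in BASELINE:
        per_tier = {tier: systems[tier].get(name) for tier in systems}
        if len(set(per_tier.values())) > 1:
            drifted[name] = per_tier
    return drifted


if __name__ == "__main__":
    for tier, findings in check_landscape(SYSTEMS).items():
        print(f"{tier}: {len(findings)} baseline finding(s)")
        for f in findings:
            print(f"  {f.parameter} = {f.value!r}, expected {f.rule}")
    print("drift across tiers:", sorted(drift(SYSTEMS)))
```

The two checks are kept separate on purpose: a tier can be fully compliant and still drift from Production (e.g. a tighter setting in Development that was never transported), and a landscape can be perfectly consistent while every tier carries the same bad value. Feeding real data means replacing SYSTEMS with a parser for whatever export your landscape produces; the predicate-per-parameter structure stays the same.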