
It is estimated that up to 40,000 German companies will be affected by NIS2 in the future. The directive is intended to strengthen companies' cyber resilience and security. Sven Richter of Arcserve explains how a SaaS backup solution can help ensure compliance.
The NIS2 (Network Information Security Directive) sets new standards for cybersecurity. It is binding for public and private entities in 18 sectors that either have at least 50 employees or an annual turnover and balance sheet of at least €10 million. The directive aims to strengthen organizations' cybersecurity resilience by implementing comprehensive risk management measures, including data backup management and disaster recovery.
Three key steps to prepare for NIS2 compliance
Meeting the stringent requirements of NIS2 begins with the Map-Prioritize-Test framework. This framework includes three key steps and is suitable for any type of organization that needs to comply with NIS2.
First and foremost is critical systems mapping. This is a detailed assessment of the critical infrastructure, covering on-premises, public and private cloud environments. The process identifies and prioritizes critical systems, including software, SaaS applications and identity services such as Entra ID, so that identities and credentials are protected.
The second step is prioritizing critical data. This involves identifying data that is critical to maintaining operations, such as financial and customer data. This step also prioritizes which data needs to be restored first in the event of a cyberattack, natural disaster, or technical failure to minimize downtime and ensure business continuity.
The third step is testing the backup systems. The best planning and the best backup solution are useless if the recovery routines do not work in the event of a disaster, resulting in unnecessarily prolonged downtime. Regular testing provides certainty and confidence in the disaster recovery plan. Such tests also identify areas for improvement that can be addressed before an incident occurs, rather than coming as a surprise in a serious situation.
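The three steps above (map the critical systems, prioritize the data, test the restore) can be turned into a repeatable check. The following is an added illustration, not Arcserve code or any product's API: it assumes a backup manifest that records, for each critical asset, a priority tier, the maximum tolerated restore time (RTO) for that tier, and the SHA-256 digest taken at backup time. A test restore is then verified against that manifest for integrity (does the restored data match what was backed up?) and for RTO (did the highest-priority data come back within its limit?). All asset names, sizes and timings are constructed sample values.

```python
"""Restore-test harness (illustrative example; not vendor code).

A manifest written at backup time records priority and integrity data per
asset; after a test restore we verify every asset came back intact and that
the priority tiers met their RTO.  Failures are returned, not just printed,
so the check can run in a scheduled job or a test suite.
"""
import hashlib
from dataclasses import dataclass


def digest(data: bytes) -> str:
    """SHA-256 hex digest used as the integrity record for an asset."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class Asset:
    name: str          # path or object id inside the backup set
    tier: int          # 1 = restore first (financial and customer data)
    rto_minutes: int   # maximum tolerated restore time for this tier
    sha256: str        # digest recorded when the backup was taken


# Constructed sample backup set (contents are placeholders).
BACKUP_SET = {
    "finance/ledger.db": b"ledger rows ...",
    "crm/customers.csv": b"id,name\n1,Example GmbH\n",
    "wiki/notes.md": b"# notes\n",
}

# Constructed manifest: tier 1 = critical (1 h RTO), tier 3 = low priority (24 h RTO).
MANIFEST = [
    Asset("finance/ledger.db", 1, 60, digest(BACKUP_SET["finance/ledger.db"])),
    Asset("crm/customers.csv", 1, 60, digest(BACKUP_SET["crm/customers.csv"])),
    Asset("wiki/notes.md", 3, 1440, digest(BACKUP_SET["wiki/notes.md"])),
]


@dataclass
class RestoreReport:
    order: list                # names in the order they should be restored
    integrity_failures: list   # (name, reason)
    rto_failures: list         # (name, minutes taken or None, limit)
    passed: bool


def restore_order(manifest):
    """Prioritized restore sequence: lowest tier number first, then by name."""
    return [a.name for a in sorted(manifest, key=lambda a: (a.tier, a.name))]


def run_restore_test(manifest, restored, timings):
    """Verify a test restore.

    restored: name -> bytes actually read back from the restored copy
    timings:  name -> minutes the restore of that asset took
    """
    integrity, rto = [], []
    for a in manifest:
        data = restored.get(a.name)
        if data is None:
            integrity.append((a.name, "missing"))
            continue
        if digest(data) != a.sha256:
            # Silent corruption or tampering between backup and restore.
            integrity.append((a.name, "hash mismatch"))
        took = timings.get(a.name)
        if took is None or took > a.rto_minutes:
            rto.append((a.name, took, a.rto_minutes))
    return RestoreReport(restore_order(manifest), integrity, rto,
                         passed=not integrity and not rto)


if __name__ == "__main__":
    # Simulated restore: customer data was altered and the ledger restored too slowly.
    restored = dict(BACKUP_SET)
    restored["crm/customers.csv"] = b"tampered"
    timings = {"finance/ledger.db": 90, "crm/customers.csv": 20, "wiki/notes.md": 600}
    report = run_restore_test(MANIFEST, restored, timings)
    print("restore order:", report.order)
    print("integrity failures:", report.integrity_failures)
    print("RTO failures:", report.rto_failures)
    print("PASS" if report.passed else "FAIL")
```

In practice the `restored` mapping would be read from the restored volume or SaaS tenant, and `timings` taken from the restore job log; the point of the script is that a restore test produces an explicit pass/fail record that can be kept as compliance evidence and reviewed when it fails, rather than being discovered during an actual incident.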
The SaaS backup solution matters
Compliance with NIS2 requires a reliable backup and recovery solution. Whether or not the solution integrates seamlessly into the existing IT infrastructure, it must contribute to meeting the NIS2 requirements. The following criteria must be met in all cases:
Data sovereignty and data protection
A solution must comply with EU NIS2 (and GDPR) regulations. Therefore, it is advisable to choose a solution provider that offers explicit guarantees regarding data sovereignty and ensures that data is stored and processed in compliance with specific laws. Strong access controls are particularly essential to protect sensitive data from unauthorized access.
No compromise on recovery time (RTO)
An NIS2-compliant backup solution must support granular and prioritized recovery options to ensure rapid recovery of critical data without compromise. Only then can downtime be minimized and business continuity ensured.
Maximum protection with encryption and immutability
Even if cybercriminals or other threat actors manage to access a backup, it must be useless to them. This is achieved with solutions that encrypt data in transit and at rest and that support immutable backups, which prevent unauthorized modification, deletion or tampering by ransomware.
Avoid vendor dependencies
History shows that organizations relying on a single centralized provider depend on that provider's security efforts, and its errors can lead to dramatic situations. Sensible distribution is therefore advisable – including with the SaaS provider. This should ensure logical and physical separation from the public cloud. Combined with air-gapping measures, this approach protects backups from ransomware attacks and ensures continuous access even if the public cloud provider's services are interrupted.
Compliance with NIS2 and other directives can quickly become a complex IT challenge. Organizations that rely on a backup solution designed to protect hosted data in SaaS application clouds such as Microsoft 365, Entra ID, Microsoft Dynamics 365, Salesforce, Google Workspace, or Zendesk have the best chance of being compliant with NIS2 and other regulations.
More at Arcserve.com
About Arcserve
Arcserve offers exceptional solutions to protect the valuable digital assets of companies that require complete and comprehensive data protection. Arcserve was founded in 1983 and is the world's most experienced provider of business continuity solutions for securing multigenerational IT infrastructures with applications and systems in any environment, on site and in the cloud. Companies in over 150 countries around the world rely on Arcserve's highly efficient, integrated technologies and expertise to reduce the risk of data loss and prolonged downtime while reducing the cost and complexity of data backup and recovery by up to 50 percent. Arcserve is headquartered in Minneapolis, Minnesota, with numerous locations around the world.