For some time now, the NIS2 Directive has been under the spotlight and at the center of numerous discussions in the IT world. The NIS2 Directive entered into force in January 2023 with the aim of improving the level of cybersecurity in the European Union, building upon the existing NIS Directive.
By adopting NIS2, the EU requires Member States to transpose the directive into national law and obliges the affected entities to adapt to and implement its requirements by 18 October 2024. Accordingly, in February 2024, the new Cybersecurity Act was adopted. Companies subject to this Act/Directive must implement processes and policies for improved cyber risk management and are required to report cyberattacks and their consequences promptly and transparently to the public and all competent authorities.
This blog explains how data centers and cloud services can help companies align with the NIS2 Directive and the Cybersecurity Act.
Challenges and cyber risks in today’s IT
The rapid digitalization of business and the increasing introduction of new devices into IT environments create new vectors for cyberattacks. Managing such a system is often complex and requires exceptional attention when planning cyber resilience to successfully prevent cyber incidents.
According to research by Veeam, in 2023, 85% of companies experienced a ransomware or malware attack. Companies affected by such attacks struggled to restore their backups because in 75% of cases the backup server and backup repository were compromised, making data restoration difficult. Of those affected by ransomware, 82% could not recover in time to restore full operations, while the average recovery time to full functionality was three weeks.
The statistics show how focused attackers are on the victim’s backup files; disabling backups is the first step in these types of attacks. Ransomware attacks used to focus on encrypting data and demanding payment—usually in Bitcoin—to unlock it. Today’s attacks are far more severe: data is both encrypted and exfiltrated, and C-level management is extorted with threats of public disclosure to the media or authorities, which significantly increases the risk of serious financial and reputational damage.
These cyber incidents disrupt business continuity, making the challenges of establishing proper backup and disaster recovery policies more prominent. The obligation to do so is also defined in the Cybersecurity Act and the NIS2 Directive, which poses additional financial and organizational challenges for companies planning to establish secondary recovery sites according to IT best practices.
Data centers and cloud services for NIS2 and Cybersecurity Act compliance
The regulations require measures for managing cybersecurity risks. One such measure is business continuity, including backup management and recovery from disasters, outages, and incidents (Article 30, paragraph 1, point 3 of the Cybersecurity Act). This means that companies must implement best practices for backups, disperse backup copies, and maintain a DR site for business recovery.
Unpredictable and high capital expenses for building and establishing a DR location—or a secondary data center where the company can recover after an incident—are often a major obstacle for many management boards, causing such investments to be deprioritized. In addition to the investment in facilities, equipment, and IT infrastructure, companies also need to train existing staff, who are often overloaded with daily operations, making additional tasks difficult to handle. The alternative—hiring an additional specialist with highly specific expertise—is often not cost-effective for the company.
Considering these challenges, cloud and data center solutions are viable alternatives for companies required to comply with the NIS2 Directive and the Cybersecurity Act. Cloud services in a Managed Service model and data center infrastructure provide predictable costs while meeting all key security requirements and ensuring service availability.

How can cloud help with regulatory compliance?
You can store additional—or even all—backup copies of your data in the cloud, or recover in the cloud from an IT system outage at your primary location. In our view, a single backup copy, such as one stored on a NAS or an external drive, is not sufficient. Instead, multiple copies should be created across different media and systems. In the event of a system compromise or a ransomware attack, you will likely lose that single copy, as confirmed in real cases where companies relied on just one backup copy.
We recommend that our clients follow at least the 3-2-1 backup rule. The 3-2-1 rule requires creating three (3) copies of your production data. Two (2) copies must be on two different media, and one copy must be off-site—that is, in the cloud. A more advanced version of this rule is the 3-2-1-1-0 backup rule, which includes all previous requirements, with the off-site backup copy stored as an immutable backup (undeletable and unchangeable), and with zero errors during recovery verification tests.
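As an added illustration of the 3-2-1 and 3-2-1-1-0 rules described above (example code, not from the original post or from the company behind it): a small Python check that evaluates a backup inventory against each rule and reports which requirement is unmet. The BackupCopy fields and the sample inventories are assumptions constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class BackupCopy:
    """One backup copy in an inventory (constructed model, not a vendor format)."""
    name: str
    medium: str                   # e.g. "disk", "tape", "object-storage"
    offsite: bool                 # held outside the primary site (cloud, secondary DC)
    immutable: bool               # retention lock: cannot be deleted or altered
    verify_errors: Optional[int]  # errors in the last restore test; None = never tested


def check_3_2_1(copies):
    """Return the unmet 3-2-1 requirements; an empty list means compliant."""
    failures = []
    if len(copies) < 3:
        failures.append(f"copies: have {len(copies)}, need 3")
    if len({c.medium for c in copies}) < 2:
        failures.append("media: all copies share one medium, need 2 different")
    if not any(c.offsite for c in copies):
        failures.append("off-site: no copy is stored off-site")
    return failures


def check_3_2_1_1_0(copies):
    """3-2-1 plus an immutable off-site copy and zero restore-test errors."""
    failures = check_3_2_1(copies)
    if not any(c.offsite and c.immutable for c in copies):
        failures.append("immutability: no off-site copy is immutable")
    for c in copies:
        if c.verify_errors is None:
            failures.append(f"verification: {c.name} never restore-tested")
        elif c.verify_errors > 0:
            failures.append(f"verification: {c.name} had {c.verify_errors} errors")
    return failures


# Constructed sample inventories of backup copies (not from any real environment).
NAS_ONLY = (BackupCopy("nas-nightly", "disk", False, False, 0),)
THREE_TWO_ONE = (
    BackupCopy("nas-nightly", "disk", False, False, 0),
    BackupCopy("tape-weekly", "tape", False, False, 0),
    BackupCopy("cloud-daily", "object-storage", True, False, None),
)
THREE_TWO_ONE_ONE_ZERO = THREE_TWO_ONE[:2] + (
    BackupCopy("cloud-daily", "object-storage", True, True, 0),
)

if __name__ == "__main__":
    for label, inv in [("NAS only", NAS_ONLY), ("3-2-1", THREE_TWO_ONE),
                       ("3-2-1-1-0", THREE_TWO_ONE_ONE_ZERO)]:
        print(label, "->", check_3_2_1_1_0(inv) or "compliant")
```

The second inventory shows the gap between the two rules: it satisfies 3-2-1 but fails 3-2-1-1-0 because the off-site copy is neither immutable nor restore-tested.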
Disaster recovery in the cloud is a more cost-effective option for companies because it does not require investing in redundant hardware or a secondary data center. While avoiding these costs, companies can still achieve geo-redundancy, rapid recovery, restore operations in the event of any type of disaster, and ensure regulatory compliance. Depending on system configuration and company requirements, recovery time can be measured in seconds.
Advanced technologies and solutions protect your backup files
Creating backups on a NAS or in the cloud does not guarantee that you will recover safely after a ransomware attack. The same applies to replicating servers to a DR location. Malware or an attacker’s persistence mechanism can be present inside your backup file or virtual machine image. In such a case, restoring from backup would result in reinfection—one of the most serious challenges we have encountered when taking over backup and DR processes for clients.
The technologies we use in backup and replication help ensure that attackers cannot reinfect the system during recovery or delete your backup files.
Some key features of our solutions include:
- Continuous Data Protection (CDP),
- Proactive Threat Hunting for detecting cyber threats within backup files,
- Recovery Orchestration for automated recovery and backup integrity testing without affecting system performance,
- Monitoring & Analytics providing advanced oversight, analysis, and proactive threat mitigation,
- Immutability to lock backup files against deletion,
- Anti-Malware detection for early identification of malware within backup files.
Is this level of security worth it?
Compliance with regulations is mandatory for all companies classified as essential or important entities. Organizations covered by the law will eventually receive official notification of their categorization under the Cybersecurity Act. Regardless of categorization, even companies not directly covered by the Act will eventually need to adapt if they plan to work with organizations that are subject to the Cybersecurity Act, as the law also governs supply chain security.
Penalties for violating the regulations are significant—both for companies and for their responsible individuals. Therefore, we strongly recommend that even organizations not currently obligated by the Cybersecurity Act, but doing business with those that are, begin implementing data protection and business continuity policies as early as possible. Delaying these activities can be costly, both financially and reputationally.
If you are unsure about the quality of your backup and DR policies, or if you do not have a well-designed backup and DR plan, lack trained staff, or want to avoid investing in new equipment and space for backup/DR systems, feel free to contact us at sales@comping.hr.