Back to blogs

Blog | JAN 15, 2025

NIS2: How Tributech Can Help

NISTCyber Security

This article aims to provide a detailed overview on how Tributech can be used to support compliance with NIS2. However, we are very much aware that currently the NIS2 directive does not include further specifications or guidelines about the implementation that would allow an organization to claim that the technology is 100% NIS2 compliant. Nevertheless, we have seen that in the past new regulations have embodied existing standards (such as NIST or ISO) and refined and updated them accordingly.

Given the development of the newest NIST publications (e.g.: NIST Cybersecurity Framework 2.0, or NIST 1800-26 Data Integrity: Detecting and Responding to Ransomware and Other Destructive Events) and its increasing focus on data integrity, the likelihood that data integrity will play a crucial role in the technical specifications of NIS2 is very high. Therefore, we will discuss the different articles of the NIS2 directive and how Tributech fits in. The relevance of Tributech within NIS2 covers the general requirements, specific requirements for CSIRTs (Computer Security Incident Response Team), cyber security risk management measures and reporting obligations organizations need to fulfill in order to comply with NIS2.

However, before diving into the topic it is necessary to be clear on some definitions within NIS2:

  • "security of network and information systems" means the ability of network and information systems to resist, at a given level of confidence, any event that may compromise the availability, authenticity, integrity or confidentiality of stored, transmitted or processed data or of the services offered by, or accessible via, those network and information systems.

  • "near miss" means an event that could have compromised the availability, authenticity, integrity or confidentiality of stored, transmitted or processed data or of the services offered by, or accessible via, network and information systems, but that was successfully prevented from materialising or that did not materialise;

  • "incident" means an event compromising the availability, authenticity, integrity or confidentiality of stored, transmitted or processed data or of the services offered by, or accessible via, network and information systems;

>>Download the detailed overview on how Tributech can be used to support compliance with NIS2<<

General requirements

NIS2 Objective:

“(41) Member States should be adequately equipped, in terms of both technical and organisational capabilities, to prevent, detect, respond to and mitigate incidents and risks. Member States should therefore establish or designate one or more CSIRTs under this Directive and ensure that they have adequate resources and technical capabilities. The CSIRTs should comply with the requirements laid down in this Directive in order to guarantee effective and compatible capabilities to deal with incidents and risks and to ensure efficient cooperation at Union level. Member States should be able to designate existing computer emergency response teams (CERTs) as CSIRTs. In order to enhance the trust relationship between the entities and the CSIRTs, where a CSIRT is part of a competent authority, Member States should be able to consider functional separation between the operational tasks provided by the CSIRTs, in particular in relation to information sharing and assistance provided to the entities, and the supervisory activities of the competent authorities.”

How Tributech helps:

An incident is defined as an event that compromises availability, authenticity, integrity or confidentiality of data. In order to allow a CSIRT to adequately prevent, detect, respond and mitigate incidents affecting data integrity, those teams require technologies to monitor for any compromise of data integrity end-to-end. Furthermore, the integrity monitoring capabilities do not only need to be applied to application or operations data, it is also vital to have it implemented for log data, back-ups and forensic analytics to ensure an adequate level of data integrity is maintained within an organizations system, as outlined in NIST 1800-26.

NIS2 Objective:

“(70) Large-scale cybersecurity incidents and crises at Union level require coordinated action to ensure a rapid and effective response because of the high degree of interdependence between sectors and Member States. The availability of cyber-resilient network and information systems and the availability, confidentiality and integrity of data are vital for the security of the Union and for the protection of its citizens, businesses and institutions against incidents and cyber threats, as well as for enhancing the trust of individuals and organisations in the Union’s ability to promote and protect a global, open, free, stable and secure cyberspace grounded in human rights, fundamental freedoms, democracy and the rule of law.”

How Tributech helps:

The CIA triad which describes information security according to the 3 pillars of confidentiality, integrity and availability is a core concept within the NIS2 directive. Tributech enables organizations to maintain the highest level of data integrity possible. At the point of creation data gets notarized, which means that an immutable cryptographic proof is being created directly at the source. This provides an immutable proof for data lineage and integrity across systems, applications, and infrastructures, allowing organizations to maintain the highest level of data integrity end-to-end.

Requirements focusing on service providers, supply chain & MSSPs

NIS2 Objective:

“(85) Addressing risks stemming from an entity’s supply chain and its relationship with its suppliers, such as providers of data storage and processing services or managed security service providers and software editors, is particularly important given the prevalence of incidents where entities have been the victim of cyberattacks and where malicious perpetrators were able to compromise the security of an entity’s network and information systems by exploiting vulnerabilities affecting third-party products and services. Essential and important entities should therefore assess and take into account the overall quality and resilience of products and services, the cybersecurity risk-management measures embedded in them, and the cybersecurity practices of their suppliers and service providers, including their secure development procedures. Essential and important entities should in particular be encouraged to incorporate cybersecurity risk-management measures into contractual arrangements with their direct suppliers and service providers. Those entities could consider risks stemming from other levels of suppliers and service providers.” “(86) Among service providers, managed security service providers in areas such as incident response, penetration testing, security audits and consultancy play a particularly important role in assisting entities in their efforts to prevent, detect, respond to or recover from incidents. Managed security service providers have however also themselves been the target of cyberattacks and, because of their close integration in the operations of entities pose a particular risk. Essential and important entities should therefore exercise increased diligence in selecting a managed security service provider.”

How Tributech helps:

In general, there are two different viewpoints for these requirements:

  1. How can an MSSP prove the security and integrity of the services provided to an organization?

  2. What can an organization demand from an MSSP to ensure that the services consumed are adequately secured and protected?

The most common service MSSP provide are Managed SOC, which means that the infrastructure of the MSSP and the organization are very closely connected. One of the most important data source for SOCs is the log data created within the customer organization, which will go directly into the different security tools (such as SIEM, EDR, etc.) of the MSSP. These logs are the basis for decision-making within the Managed SOC. Hence, having the possibility to prove and ensure the integrity of the log data will increase the trust of the customer into the provided service and can protect the MSSP from any claims or penalties that might arise. In this case Tributech allows both parties to verify that every action was based on trusted log data.

Tasks and requirements for CSIRTs

NIS2 Objective:

1. Each Member State shall designate or establish one or more CSIRTs. The CSIRTs may be designated or established within a competent authority. The CSIRTs shall comply with the requirements set out in Article 11(1), shall cover at least the sectors, subsectors and types of entity referred to in Annexes I and II, and shall be responsible for incident handling in accordance with a well-defined process. 3. The CSIRTs shall have the following tasks: a) monitoring and analysing cyber threats, vulnerabilities and incidents at national level and, upon request, providing assistance to essential and important entities concerned regarding real-time or near real-time monitoring of their network and information systems; b) providing early warnings, alerts, announcements and dissemination of information to essential and important entities concerned as well as to the competent authorities and other relevant stakeholders on cyber threats, vulnerabilities and incidents, if possible in near real-time; c) responding to incidents and providing assistance to the essential and important entities concerned, where applicable; d) collecting and analysing forensic data and providing dynamic risk and incident analysis and situational awareness regarding cybersecurity

How Tributech helps:

For CSIRTs to properly execute the stated tasks it’s necessary to have the right technologies at hand to support their work. That includes various security tools to protect the integrity, authenticity, availability, and confidentiality of data. In this setting Tributech presents a wholistic integrity monitoring solution that allows CSIRTs to monitor and protect data integrity end-to-end. This integrity monitoring solution can be applied to any type of data, such as log data, operations data, customer information, sensor data, application data and forensic data.

Cybersecurity risk-management measures

NIS2 Objective:

“1. Member States shall ensure that essential and important entities take appropriate and proportionate technical, operational and organisational measures to manage the risks posed to the security of network and information systems which those entities use for their operations or for the provision of their services, and to prevent or minimise the impact of incidents on recipients of their services and on other services. Taking into account the state-of-the-art and, where applicable, relevant European and international standards, as well as the cost of implementation, the measures referred to in the first subparagraph shall ensure a level of security of network and information systems appropriate to the risks posed. When assessing the proportionality of those measures, due account shall be taken of the degree of the entity’s exposure to risks, the entity’s size and the likelihood of occurrence of incidents and their severity, including their societal and economic impact.”

How Tributech helps:

Most people associate cyber-attacks with ransomware attacks that either impact confidentiality or availability of critical information and/or systems. Confidentiality attacks expose sensitive information to unauthorized parties through data theft. Availability attacks focus on making data unavailable temporarily or permanently. A Denial-of-Service attack on a website is an example of an Availability attack. The integrity attack is where either existing data is manipulated or changed without authorization or where fake data is added, again without authorization. This attack is also known as Data Poisoning or Data Tampering. Integrity attacks are extremely dangerous for organizations, as they are hard to detect and can disrupt the whole operations of an organization. Given the ongoing reliance on data for mission critical systems, from AI to making critical business decisions, it is safe to say that organizations need to:

  • Include the threat of Data Poisoning (or Data Tampering) and its impacts on their risk radars and business impact analysis activities for the foreseeable future.

  • Invest in Data Notarization systems that can provide the ongoing and near-real time assurance of data integrity throughout the data flow and lifecycle.

NIS2 Objective:

“2. The measures referred to in paragraph 1 shall be based on an all-hazards approach that aims to protect network and information systems and the physical environment of those systems from incidents, and shall include at least the following: a) policies on risk analysis and information system security; b) incident handling; c) business continuity, such as backup management and disaster recovery, and crisis management; d) supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers; e) security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure; f) policies and procedures to assess the effectiveness of cybersecurity risk-management measures; g) basic cyber hygiene practices and cybersecurity training; h) policies and procedures regarding the use of cryptography and, where appropriate, encryption; i) human resources security, access control policies and asset management; j) the use of multi-factor authentication or continuous authentication solutions, secured voice, video and text communications and secured emergency communication systems within the entity, where appropriate.”

How Tributech helps:

Tributech’s integrity monitoring solution supports several of the stated risk management measures:

  • Incident handling: For adequate incident handling it’s important to understand the magnitude of a cyber incident. For example a ransomware attack might not only compromise the availability of a system, the used encryption mechanisms could also modify certain datapoints during the process of encrypting it.

  • Business continuity and disaster recovery: In order to recover faster from an incident, organizations need to have a clear picture of the level of data integrity which they have had before the incident. Furthermore, an end-to-end integrity monitoring solution enables organizations to get back to regular operations quicker, by being able to automatically determine which data can be trusted.

  • Policies and procedures regarding the use of cryptography: Tributech’s Data Notarization incorporates cryptographic technologies to secure the integrity & authenticity of data. To effectively monitor and ensure data integrity over the entire data lifecycle different policies and procedures can be defined to notarize highly sensitive data and regularly verify that data for integrity and authenticity.

Reporting obligations

NIS2 Objective:

“3. An incident shall be considered to be significant if: a) it has caused or is capable of causing severe operational disruption of the services or financial loss for the entity concerned; b) it has affected or is capable of affecting other natural or legal persons by causing considerable material or non-material damage.”

How Tributech helps:

Data tampering attacks have the potential to disrupt our society dramatically. Imagine the impact tampered data can have when it’s used for the operations of critical infrastructure (such as energy, healthcare, or finance). In the past data tampering attacks already affected different sectors, classified as critical infrastructure: a blackout was caused because of tampered sensor data, wrong patient diagnosis was made because of tampered CT scans, citizens debts have been erased by mouse click because attackers published access to a critical database. Large scale data tampering incidents could erase trust in any piece of digital information; therefore, it is vitally important to implement an integrity monitoring solution.

NIS2 Objective:

“4. Member States shall ensure that, for the purpose of notification under paragraph 1, the entities concerned submit to the CSIRT or, where applicable, the competent authority: a. without undue delay and in any event within 24 hours of becoming aware of the significant incident, an early warning, which, where applicable, shall indicate whether the significant incident is suspected of being caused by unlawful or malicious acts or could have a cross-border impact; b. without undue delay and in any event within 72 hours of becoming aware of the significant incident, an incident notification, which, where applicable, shall update the information referred to in point (a) and indicate an initial assessment of the significant incident, including its severity and impact, as well as, where available, the indicators of compromise; c. upon the request of a CSIRT or, where applicable, the competent authority, an intermediate report on relevant status updates; d. a final report not later than one month after the submission of the incident notification under point (b), including the following: i. a detailed description of the incident, including its severity and impact; ii. the type of threat or root cause that is likely to have triggered the incident; iii. applied and ongoing mitigation measures; iv. where applicable, the cross-border impact of the incident; e. in the event of an ongoing incident at the time of the submission of the final report referred to in point (d), Member States shall ensure that entities concerned provide a progress report at that time and a final report within one month of their handling of the incident. How Tributech helps:

By way of derogation from the first subparagraph, point (b), a trust service provider shall, with regard to significant incidents that have an impact on the provision of its trust services, notify the CSIRT or, where applicable, the competent authority, without undue delay and in any event within 24 hours of becoming aware of the significant incident.” The process of recovering from a cyber incident can put organizations in front of enormous challenges. Tributech enables organizations to detect any event corrupting data integrity immediately. This allows for real-time monitoring of data integrity. In order to meet these reporting requirements Tributech enables organizations to provide an immutable proof of data lineage and integrity, which allows for a very fine granular reporting on the level of data integrity that is maintained within an organizations system.

NIS2 Objective:

“4. Member States shall ensure that, for the purpose of notification under paragraph 1, the entities concerned submit to the CSIRT or, where applicable, the competent authority: a. without undue delay and in any event within 24 hours of becoming aware of the significant incident, an early warning, which, where applicable, shall indicate whether the significant incident is suspected of being caused by unlawful or malicious acts or could have a cross-border impact; b. without undue delay and in any event within 72 hours of becoming aware of the significant incident, an incident notification, which, where applicable, shall update the information referred to in point (a) and indicate an initial assessment of the significant incident, including its severity and impact, as well as, where available, the indicators of compromise; c. upon the request of a CSIRT or, where applicable, the competent authority, an intermediate report on relevant status updates; d. a final report not later than one month after the submission of the incident notification under point (b), including the following: i. a detailed description of the incident, including its severity and impact; ii. the type of threat or root cause that is likely to have triggered the incident; iii. applied and ongoing mitigation measures; iv. where applicable, the cross-border impact of the incident; e. in the event of an ongoing incident at the time of the submission of the final report referred to in point (d), Member States shall ensure that entities concerned provide a progress report at that time and a final report within one month of their handling of the incident. How Tributech helps:

By way of derogation from the first subparagraph, point (b), a trust service provider shall, with regard to significant incidents that have an impact on the provision of its trust services, notify the CSIRT or, where applicable, the competent authority, without undue delay and in any event within 24 hours of becoming aware of the significant incident.” The process of recovering from a cyber incident can put organizations in front of enormous challenges. Tributech enables organizations to detect any event corrupting data integrity immediately. This allows for real-time monitoring of data integrity. In order to meet these reporting requirements Tributech enables organizations to provide an immutable proof of data lineage and integrity, which allows for a very fine granular reporting on the level of data integrity that is maintained within an organizations system.

NIS2 Objective:

9. The single point of contact shall submit to ENISA every three months a summary report, including anonymised and aggregated data on significant incidents, incidents, cyber threats and near misses notified in accordance with paragraph 1 of this Article and with Article 30. In order to contribute to the provision of comparable information, ENISA may adopt technical guidance on the parameters of the information to be included in the summary report. ENISA shall inform the Cooperation Group and the CSIRTs network about its findings on notifications received every six months.

How Tributech helps:

Tributech allows organizations to take part of the burden of regular reports away by offering a solution that automatically shows the level of data integrity that organizations have within their systems. The technology allows to determine on a very fine granular level if a data point is still true in integrity or not. Tributech’s integrity monitoring solutions allows organizations to cover the integrity reporting part within NIS2.

Download NIS2 Table

Download the detailed overview on how Tributech can be used to support compliance with NIS2.