How Cyber Threat Intelligence Can Help Boost Critical Infrastructure Resiliency for NIS2
The October 17 deadline for EU Member States to transpose the EU’s NIS2 Directive to lift the cyber resilience of critical infrastructure across Europe is here. NIS2 and the rapidly evolving digital threat landscape make it more important than ever for security and risk teams, management, and boards to have timely, relevant, and actionable cyber threat intelligence (CTI) to guide cyber risk management strategies into the next decade.
Many “essential” and “important” entities affected by NIS2 however face uncertainty. As of this week, only Belgium, Croatia, Hungary, and Lithuania have passed NIS2 implementation laws. Over a dozen EU Member States have only published draft implementations to replace laws passed for the NIS Directive of 2016 (NIS1), which impacted far fewer organisations. Germany, for example, adopted its NIS 2 Implementation and Cyber Security Strengthening Act in late July. It is expected to pass its laws early 2025, impacting an estimated 30,000 entities. France’s NIS2 law will impact over 10,000 entities. The Netherlands, Sweden, Poland, Romania, Spain, Greece, Latvia and others will also likely pass their respective NIS2 laws in 2025.
Despite these delays, one thing is certain: affected entities should prepare for NIS2, the most consequential European cyber security legislation to-date in this decade. Belgium’s competent authority, the Center for Cyber Security Belgium (CCB), has described NIS2 as “NIS1 on steroids” because it’s bigger in scope, obligations, supervision, reporting, sanctions, and reach. Administrative fines of no greater than €200,000 under NIS1 will increase to up to €10 million, or 2% of annual global turnover, whichever is higher for essential entities. NIS2 affects tens of thousands more mid-sized and large organisations in energy, transport, banking, health, water, digital infrastructure, ICT service management, public administration, and space.
NIS2 is a major shake up of how entities of critical services manage cyber risks, requiring proactive security policies, business continuity, vulnerability management, and incident response. It will require considerable investments in cybersecurity infrastructure across the public and private sectors. By April 17, 2025, Member States must have identified essential and important entities for national registers. Entities may also be required to self-register and be prepared to provide documented compliance. Competent authorities are to “proactively” supervise essential entities, meaning potential inspections without cause, while important entities face supervision only after an incident. Authorities can also issue binding orders for entities to carry out audits and remediate exposures. And management bodies must oversee the implementation of cyber risk management measures and may be held individually liable for non-compliance.
NIS2 comes into force as more business and technology leaders seek timely CTI and cyber-focussed geopolitical intelligence to help navigate diverse digital threats that are increasingly shaped by regional flashpoints, superpower rivalries, and the ongoing criminal scourge of ransomware. This new reality affects every sector, demanding intelligence-led cyber risk management for IT, operational technology (OT) environments, and supply chains.
Many organisations have taken stock of this situation. Almost three quarters (74%) of mature CTI practices are already developing Priority Intelligence Requirements (PIRs) in preparation for NIS2, according to the 2024 SANS CTI Survey: Managing the Evolving Threat Landscape. Most of these mature CTI practices (75%) consume CTI of adversaries’ behaviours and tactics, techniques, and procedures (TTPs) to drive threat hunting programs that proactively identify undetected threats in their environment. This CTI also improves incident response, vulnerability management, security operations, and compliance.
However, NIS2’s broader scope than NIS1 means that many affected entities lack mature CTI programs to shape cyber risk management under NIS2. Mature CTI practices are refining PIRs to align their risk management strategy to the current threat environment, including the risks and impacts of significant cyber incidents to IT, OT and other assets they are responsible for securing.
Moreover, since NIS2 is not prescriptive about security controls, CTI plays a key role in determining the “proportional” risk management measures required by NIS2 to “ensure a level of security for network and information systems appropriate to the risks posed.” Regulatory supervision will focus on entities’ security policies, business continuity, supply chain security, incident handling, cyber hygiene, identity and access management, encryption, and authentication.
To understand how to utilise multiple CTI sources to improve NIS2 maturity in key risk domains, organisations can refer to the CTI Capability Maturity Model (CTI-CMM), a vendor agnostic, “stakeholder-first” model to help organisations build successful, impactful CTI programs. Intel 471 sponsored this model and co-authored it with 27 CTI industry expert peers from Belgium’s CCB, IBM X-Force, Signify, BP, and Gojek, among many others.
Reporting and information sharing are key obligations in NIS2. Entities should coordinate with their CTI partner to create reporting that fosters executive-level awareness of cyber risks. Trusted CTI partners can help entities implement controlled incident reporting to share with authorities valuable intelligence, such as the likely causes of a breach and indicators of compromise, without divulging confidential and proprietary enterprise data.
The world’s largest critical infrastructure organisations choose Intel 471 as their trusted “eyes and ears” beyond the wire. Intel 471’s researchers specialise in cyber human intelligence (HUMINT), enabled by direct relationships with key cybercrime threat actors that have been nurtured over years. This work, aided by human-validated automated collection, provides organisations with unmatched insights into current threat actor activity and adversaries’ evolving TTPs, resulting in up-to-the-minute actionable intelligence about threats that matter to them.
Here are some ways critical infrastructure operators work with Intel 471 to reduce their attack surface:
Organisations of all sizes can leverage CTI and threat hunting to improve NIS2 compliance. For more information on harnessing CTI for NIS2 programs, please contact Intel 471 or join our experts on an intelligence planning exercise.
The Lumma infostealer malware collects highly sensitive data including logins and session tokens. Here's how to conduct a threat hunt leveraging up-to-date tactics, techniques and procedures used by Lumma.
The Android malware landscape is expanding, with new malware families, innovative distribution methods and a rise in underground offerings appealing to nontechnical cybercriminals. This poses new threats to enterprises.
Google SecOps customers can now access and use Intel 471’s library of advanced behavioral threat hunt packages on the HUNTER behavioral threat hunting content platform. HUNTER hunt packages go beyond reactive detections for indicators of compromise (IOCs) and provide threat hunters with security platform queries verified to identify advanced threat behaviors and adversary tactics, techniques and procedures (TTPs).
Stay informed with our weekly executive update, sending you the latest news and timely data on the threats, risks, and regulations affecting your organization.