How Google Cloud can help customers achieve compliance with NIS2
Tara Brady
President, EMEA, Google Cloud
Jeanette Manfra
Senior Director, Global Risk & Compliance
With the European Commission’s adoption of the Network and Information Systems Directive 2.0, or NIS2, Europe is taking an essential step forward in its strategy to protect consumers, businesses, and government organizations from escalating threats in cyberspace. NIS2 will help to drive a consistent high level of security and resilience across key sectors of the European economy.
NIS2 also represents a seismic shift in the expectations and obligations of private entities to adhere to cybersecurity best practices, and to factor security into everyday business decisions. For European organizations, including Google Cloud customers, NIS2 may require new investments in security tools, talent, and processes to achieve a higher overall security baseline. Customers should consider this an opportunity to use the cloud as a platform for managing risk and for streamlining compliance.
Google Cloud and Google Workspace offer a range of tools and resources to help customers meet their NIS2 compliance goals through building secure and resilient applications, managing cyber risks, responding to incidents, and enabling new modes of business built atop a secure foundation.
NIS2: Compliance challenge or opportunity?
NIS2 outlines new security requirements for tens of thousands of essential and important entities in critical sectors, including energy, transportation, healthcare, financial services, and digital infrastructure. Covered entities must adopt risk management practices, establish business continuity plans, enhance supply chain security practices, develop cyber hygiene and training programs, and implement more rigorous minimum security controls.
In addition, entities must report “significant” cyber incidents to the relevant national authorities. Failure to comply could lead to enforcement measures including costly fines and reputational damage.
NIS2 and other regulations are already translating into higher cybersecurity spending. European organizations expect to allocate an average of 9% of their IT budgets to security in 2024 – up from 7.1% in 2023, according to recent research by ENISA, the European Agency for Cybersecurity.
Still, organizations continue to struggle to hire and retain sufficient numbers of skilled cybersecurity professionals. As a result, organizations that succeed in driving down the complexity and cost of meeting their NIS2 requirements will have a competitive advantage over those that do not.
At Google Cloud, we believe in shared fate and in our commitment to support customers as a trusted partner in their security and compliance journeys. We provide customers with industry-leading tools to enhance visibility into their online assets and to address risks.
We can help customers achieve a higher security baseline through strong inherited controls, such as encryption and multi-factor authentication (MFA). For example, Google Workspace customers experienced three times fewer incidents than those using Microsoft 365, according to a study by cyber-insurer At Bay.
We also simplify IT lifecycle management and enable customers to focus on managing their businesses, rather than managing technical debt. In addition, we partner closely with regulators to build trust and to support customer regulatory compliance needs on demand.
For these reasons, European customers should strongly consider partnering with Google Cloud to meet their compliance goals.
How Google Cloud can help our customers achieve their NIS2 goals
Google Cloud offers a set of solutions and resources to help guide customers through their NIS2 compliance journey.
Risk management: Under NIS2, covered organizations must take appropriate information risk management measures based on international and European standards, including performing risk assessments and implementing a risk treatment plan.
First, with management now accountable for managing cyber risks under NIS2, we offer a range of free educational resources on the topic of risk governance, including best practice guides and our Insights Hubs for CISOs and for boards of directors. Even before moving to the cloud, organizations can use our Risk Assessment and Critical Asset Discovery solution to evaluate their current IT risks, identify where critical assets reside, and view recommendations for improving their security posture and resilience.
Once in the cloud, customers can take advantage of Google Cloud Monitoring to view the real-time performance, availability, and health of their applications and infrastructure. Security Command Center Enterprise provides organizations visibility into their security posture and empowers them to surface and remediate vulnerabilities and misconfigurations.
Partnering with Google Cloud also allows customers to take advantage of our extensive compliance offerings, best practices, and easy access to documentation. Our products routinely undergo independent verification of security, privacy, and compliance controls captured in frameworks such as ISO/IEC 27001, which is aligned to NIS2 requirements referenced in the draft ENISA Implementing Guidance.
Organizations can also take advantage of risk management services offered by Mandiant Consulting, including security program assessments, penetration testing, and cybersecurity due diligence — even if they are not Google Cloud customers.
Incident handling: NIS2 requires covered entities to monitor for cyber threats and notify national authorities of significant incidents within 24 hours, file a detailed incident report within 72 hours, and issue a comprehensive final report within one month.
These requirements will test the ability of even the most sophisticated security teams to detect incidents, gather evidence, and submit reports by the deadline — while also containing and eliminating the threat. Google Cloud offers tools and resources to assist security teams in designing collaborative incident management processes, strengthening preparedness planning, and accelerating incident response efforts.
For incident management in the cloud, Google Security Operations (SecOps) offers security practitioners a modern platform for threat monitoring, detection, investigation, and response. The SecOps platform gives organizations the ability to tap into insights from Google Threat Intelligence to track novel threats, to analyze petabytes of telemetry, and to collaborate on cases, all within a single platform. Built-in generative AI makes it possible to create custom incident playbooks on demand to accelerate response and reporting.
Google Cloud customers and non-customers alike can tap into Mandiant Incident Response services for in-depth forensic analysis, crisis management support, and recovery operations.
Google Cloud will notify customers of service disruptions impacting the underlying products and services they rely on using programmatic alerts via our Personalized Service Health Dashboard and via public dashboards. Google Cloud also notifies customers of security and privacy incidents via Advisory Notifications.
Business continuity: NIS2 requires organizations to implement tools and processes to ensure business continuity in the event of significant cyber incidents, including establishing an incident response team or creating backups.
There is growing recognition among customers and policymakers that cloud-based tools offer advantages in sustaining a high level of operational resilience. We perform rigorous disaster recovery testing to ensure our infrastructure will continue to run despite a range of disaster scenarios. Our data centers are certified as ISO/IEC 22301 compliant after undergoing an independent audit.
Customers can use the Google Cloud Architecture Framework as a starting point for guidance on building reliable applications and robust disaster recovery capabilities. We offer a range of managed backup and disaster recovery solutions to protect customer workloads against threats such as ransomware. Google Workspace is not only a highly reliable, highly secure email and collaboration platform in its own right; organizations can also configure Workspace as a backup in the event their primary email platform becomes compromised.
Minimum security requirements: NIS2 requires covered organizations to adopt basic security controls and technologies, such as encryption, MFA, and identity and access management.
Customers can review our whitepaper on how we design security into Google Cloud infrastructure from the ground up. Our security model starts with overlapping physical security measures to protect Google data centers and network infrastructure. We use specially designed Titan hardware security chips to authenticate legitimate Google devices and to verify the integrity of the software components.
Zero trust is at the core of Google Cloud’s security model: our infrastructure continuously authenticates and authorizes every identity, device, and service to prevent lateral movement on the network. We encrypt customer data at rest and communications in transit between data centers.
Further, we’re adding another layer of protection by making MFA mandatory for all Google Cloud customers worldwide in 2025. Customers can also refer to the Google Cloud Architecture Framework for guidance on building secure-by-default applications in the cloud.
How Google Cloud is approaching NIS2 compliance
As a covered entity, Google Cloud will be responsible for meeting cyber risk management and incident handling requirements under NIS2 while supporting our customers along their compliance journeys. We are working closely with national authorities to demonstrate the strength of our security model and our compliance with all NIS2 requirements.
NIS2 requires covered entities to implement strong supply chain risk management measures, including the need to codify minimum security requirements in supplier contracts and service level agreements. Customers can learn more about Google Cloud’s contractual responsibilities with respect to physical security, vulnerability management, incident notification, personnel skills and training, and subprocessor security by reviewing our Cloud Data Processing Addendum. Please contact your Google Cloud representative for further details.
Looking ahead
Google Cloud is committed to supporting a strong and secure European digital ecosystem. Under our Cloud on Europe’s Terms initiative, we are delivering a portfolio of trusted cloud solutions and sovereign controls to support customers in achieving digital transformation and unlocking innovation from AI.
To help European organizations train and hire the next generation of cybersecurity professionals, we’ve awarded thousands of scholarships for the Google Cybersecurity Certificate program. In addition, Google.org will award $15 million over the next year to support hands-on cybersecurity education at universities across Europe, Africa, and the Middle East as part of our Cybersecurity Seminars program.
We’re also proud to support the European Union and EU member states in efforts to combat malicious cyber activity targeting European businesses, governments, and individuals. Our cybersecurity teams already collaborate closely with more than a dozen European governments to share intelligence and disrupt threats. Customers and partners of all sizes can take advantage of free threat analysis resources we publish on our Threat Intelligence blog.
NIS2 represents an essential step forward in strengthening Europe’s collective cyber resilience. As a technology provider and security innovator, Google Cloud will continue to support our customers as we work together to build a safer Internet for all.