How Google Cloud is preparing for NIS2 and supporting a stronger European cyber ecosystem
VP/CISO, Google Cloud
Senior Director of EMEA Government Affairs & Public Policy, Google Cloud
Hear monthly from our Cloud CISO in your inbox
Get the latest on security from Cloud CISO Phil Venables.Subscribe
Online data theft is a significant risk for organizations around the world and in Europe. European businesses stand to lose roughly 10 terabytes of data each month to cyber theft, according to a July 2022 report from the European Union Agency for Cybersecurity (ENISA). Meanwhile, cyberattacks cost European businesses and consumers an estimated €180 billion to €290 billion annually.
To help combat this threat, the EU passed the Network and Information Security Directive 2.0 (NIS2), a signature policy response that took effect in January. NIS2 builds on the EU’s previous efforts to raise the baseline level of cybersecurity throughout the region. NIS2 outlines new security requirements for companies operating in critical sectors, such as energy, healthcare, financial services, and digital infrastructure. The directive will introduce new obligations for cloud service providers such as Google Cloud. We recognize NIS2 as an essential step forward in Europe’s strategy to protect consumers, administrations, and businesses from threats such as ransomware and industrial espionage.
Now that NIS2 has been adopted by the European Council and Parliament, the process shifts to the EU’s 27 member states, which must codify the directive into national law by October 2024. But the road ahead is far from straightforward. Compared to the original NIS Directive, NIS2 may expand the number of regulated organizations by 10 times or more. This expansion may lead to new compliance challenges for organizations of all sizes and place additional strain on national cybersecurity authorities tasked with oversight and enforcement.
As a regulated entity under NIS2, Google Cloud is committed to ensuring that our cloud platform and security tools support the highest standard of compliance. We’ve spent more than a decade developing mature processes for risk governance, incident reporting, and vulnerability management to support our compliance journey. And we’re committed to partnering with national authorities to share knowledge and best practices in areas including Zero Trust architecture, software supply chain security, compliance automation, and threat intelligence to help facilitate NIS2’s implementation at the national level.
As part of our Cloud On Europe’s Terms initiative, we will continue to focus on building trust with European governments and enterprises by delivering cloud solutions that meet their regulatory, digital sovereignty, sustainability, and economic objectives.
What does NIS2 mean for our customers?
NIS2 builds on the 2016 NIS Directive with a broader scope and set of requirements. We see higher cybersecurity standards as a necessary and positive step forward for the European digital ecosystem. But for many European businesses, including Google Cloud customers, NIS2 compliance may require new investments in security tools and processes to achieve a higher overall security baseline – a challenge for mid-sized, resource-constrained organizations.
As part of our shared fate model, we will support our customers with the tools and expertise they need to help improve their cybersecurity maturity and meet stricter NIS2 incident reporting and risk management requirements. Rather than facing their compliance journey alone, customers of all sizes can look to Google Cloud as a trusted advisor and partner for secure-by-default infrastructure, deployable blueprints and frameworks, training resources and workshops, and streamlined compliance tools and processes.
Incident reporting: NIS2 establishes a framework for notifying competent national authorities and relevant customers of any cyber incident with a significant impact in terms of operational disruption, financial loss, or physical harm. In the event of a significant incident, covered organizations will be required to file an initial report within 24 hours, a requirement that will test their reporting capabilities. Organizations will then be required to file a more detailed report within 72 hours, and a final, comprehensive report within one month.
Google Cloud is working to help you meet NIS2’s stricter reporting requirements through our industry-leading incident response function that combines rigorous processes, world-class talent, and multi-layered information security and privacy infrastructure. We routinely review our approach to incident management based on industry best practices and evolving regulations like NIS2. Customers who must meet the same requirements can depend on our sophisticated tools like Security Command Center that help enable them to independently monitor for misconfigurations or vulnerabilities, generate automated compliance reports, and share data with SIEM/SOAR platforms, such as Chronicle Security Operations, to accelerate incident reporting.
Risk management and liability: Compared to the 2016 NIS Directive, NIS2 is far more prescriptive in terms of the risk management measures that regulated entities must implement. NIS2 will require covered organizations to develop (if they haven’t already) policies on risk analysis, incident handling, supply chain security, vulnerability management, encryption, security awareness training, access management, multi-factor authentication, and many other areas. Further, NIS2 requires that these policies must be ratified by the organization’s highest governing body – a move aimed at boosting internal transparency of cyber risks and mitigations.
NIS2 assigns accountability for implementing cybersecurity and compliance requirements directly to the senior management of regulated organizations. In certain cases, accountability could mean holding managers directly liable for negligence or failure to comply with key risk management requirements.
The possibility of being held personally liable for poor cyber risk management may be a source of particular concern. By partnering with the Google Cybersecurity Action Team (GCAT), managers and their boards can take advantage of premier strategic advisory services to help build confidence and mature their cybersecurity teams. GCAT offers comprehensive security advisory and training resources, including online courses, compliance support, security solutions engineering, deployable blueprints and frameworks, as well as interactive workshops and incident response exercises to help prepare managers to face cyber threats.
Vulnerability management: Under NIS2, vulnerability management and supply chain security become core risk management responsibilities for regulated entities and their managers. In addition, the directive tasks ENISA with building a cyber vulnerabilities database and overseeing a European coordinated vulnerability disclosure program.
A key benefit of partnering with global cloud providers like Google Cloud is that we can eliminate much of the guesswork for our customers when it comes to monitoring for vulnerabilities and implementing new security patches. Together with Mandiant, a global leader in security operations and incident response, we’re helping our customers assess risks to their cloud environments, battle test their systems for vulnerabilities, and quickly remediate incidents. We are also committed to working with ENISA to support a European coordinated vulnerability disclosure program that ensures transparency without putting users at risk.
Coordination and capacity building: NIS2 establishes a European Cyber Crises Liaison Organisation Network, or EU-CyCLONe, overseen by ENISA, as the principal intergovernmental body supporting management of major cyber incidents targeting critical infrastructure. EU-CyCLONe will operate as a central coordination point between national computer security incident response teams (CSIRTs) and serve as a link between technical and political stakeholders responding to future crises.
We are committed to partnering with cybersecurity coordination bodies such as EU-CyCLONe, CERT-EU, and the European Cybercrime Centre (EC3), and supporting joint preparedness exercises. Similarly, we welcome the opportunity to work with national regulatory authorities to support their capacity building efforts in cooperation with customers and partners facing new regulatory obligations under NIS2.
We’re equipping our customers and regulators with insights into the threat landscape through our quarterly Threat Horizons reports, and we will continue to make our cybersecurity leaders available to understand the needs of EU and Member State authorities and to share expertise.
As EU member states start the process of NIS2 transposition, there are still outstanding questions about the sector-specific schemes that organizations will use to certify compliance with NIS2, which could substantially impact how the legislation operates in practice.
Similarly, the work of EU legislators is not finished yet. There are important details still to be clarified through Delegated and Implementing Acts, such as the threshold for triggering incident reporting obligations. It’s essential that these details are aligned wherever possible to globally-established cybersecurity best practices so that critical entities have a clear pathway to compliance.
As EU member states take up the task of transposing NIS2 into their national laws, it’s important to keep in mind that digital transformation and cybersecurity go hand-in-hand. We urge lawmakers and national cybersecurity authorities to promote innovation and resilience through adoption of modern IT infrastructures that protect citizens' data using globally-distributed networking, secure-by-default hardware and software, Zero Trust architecture, and customer-managed encryption tools, rather than restrictive data localization measures.
Now more than ever, governments around the world are taking steps to protect their citizens and critical infrastructures from cyber threats. As an industry leader in security we will do our part to support our European partners working hard to implement these evolving requirements.
DORA's implementation period starts now. What we're doing to prepare for the new law
European financial organizations will be required to comply withDORA by 2025. We present Google Cloud’s plan to help support their compliance with the new regulation.
By Tanya Popova-Jones • 3-minute read