
NIS2 and AWS — A New Era of Cybersecurity in Europe

Julia Chotkiewicz
3 min read · Jan 15, 2024


PL version here

Facing growing cybersecurity challenges, the European Union has adopted the NIS2 Directive, aimed at strengthening the resilience and incident response capabilities of both the public and private sectors. The AWS document "NIS2 Considerations for AWS Customers" sets out the key aspects that we, as users of Amazon Web Services (AWS), should consider in the context of these new regulations.

What is NIS2?

The NIS2 Directive (Directive (EU) 2022/2555), which succeeds the 2016 NIS Directive, introduces a set of heightened requirements for security measures and for reporting cyber incidents. It covers key sectors such as energy, transport, healthcare, banking, and digital infrastructure. The goal of NIS2 is to harmonize cybersecurity practices across member states and to improve the resilience and incident response capabilities of the essential and important entities it covers (the sectors are listed in Annexes I and II of NIS2). Member states have 21 months from the directive's entry into force (until October 17, 2024) to transpose NIS2 into national law.

AWS and NIS2 Shared Responsibility Model

The AWS shared responsibility model emphasizes that cloud security is a joint task of AWS and its customers. AWS is responsible for security of the cloud (the facilities, hardware, network, and virtualization layer that run AWS services), while customers are responsible for security in the cloud: their data, identities and access, configuration, and applications. In the context of NIS2 this division becomes even more important, because the obligations of the directive rest with the customer entity, and using a cloud provider does not transfer them.

Adapting to NIS2

The document indicates that AWS offers a range of services and tools that support customers in meeting NIS2 requirements. These cover, among others, cybersecurity risk management, incident handling, business continuity and crisis management, and supply chain security, which map to the risk management measures NIS2 requires of covered entities.

Key Areas of AWS Support:

  • Services that can be classified as preventive, detective, or corrective controls. Examples include AWS IAM for authorization management (a preventive control over who can access which resources and operations), AWS CloudTrail for recording user activity and API calls (a detective control), and AWS Config for tracking configuration changes, which is key to effective risk management and can also drive corrective remediation.
  • The AWS Customer Incident Response Team (CIRT) provides 24/7 support during active security events. Because AWS CloudTrail records API calls, customers can reconstruct what happened and respond to incidents. AWS Security Hub aggregates findings from various security data sources, providing a unified view of the security status of a customer's AWS environment.
  • Operational resilience is supported by redundancy and failure isolation in the global infrastructure. AWS customers can deploy across multiple Availability Zones and regions, increasing resilience to local failures and supporting service continuity.
  • Visibility into subcontractors and suppliers through the AWS Data Processing Addendum (AWS DPA), which documents AWS's security commitments and the use of subprocessors, giving customers transparency into their cloud supply chain.
  • A secure environment for developing and maintaining cloud applications and services, including patch management, configuration control, and the use of hardened virtual machine images and container images.
  • Cryptographic services and tools, including AWS Key Management Service (KMS) for managing cryptographic keys and encrypting data at rest, as well as options for encrypting data in transit, such as TLS. Note that KMS key policies are configured by the customer, so control over who can use and administer keys is part of the customer's side of the shared responsibility model.
  • Training programs and educational resources to help raise users' cybersecurity awareness and skills. These include AWS Security Awareness Training, AWS re/Start, AWS Skill Builder, and various guides and whitepapers.
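The list above names CloudTrail as the detective control that records API calls and enables incident analysis, but it does not show what such analysis looks like. The following Python script is an added example, not code from the AWS document or from the author: it runs a handful of detection rules over CloudTrail records and flags calls that blind the detective controls (stopping CloudTrail or AWS Config) or endanger encrypted data (disabling or scheduling deletion of a KMS key), plus root-user console logins without MFA. The field names (eventSource, eventName, userIdentity, additionalEventData.MFAUsed, errorCode) follow the real CloudTrail record schema; the severities are this example's own choice, and the sample records are constructed for illustration, not captured logs.

```python
"""Detective control over CloudTrail records (added example).

Flags API calls that weaken preventive/detective controls or key availability.
Field names follow the CloudTrail record schema; the SAMPLE_LOG below is
constructed for this example, not captured from a real account.
"""
import json
from collections import Counter
from dataclasses import dataclass

# (eventSource, eventName) -> (severity, reason). The service identifiers and
# API names are real; the severity ranking is an assumption of this example.
HIGH_RISK_CALLS = {
    ("cloudtrail.amazonaws.com", "StopLogging"): ("high", "CloudTrail logging stopped"),
    ("cloudtrail.amazonaws.com", "DeleteTrail"): ("high", "CloudTrail trail deleted"),
    ("config.amazonaws.com", "StopConfigurationRecorder"): ("high", "AWS Config recording stopped"),
    ("config.amazonaws.com", "DeleteConfigurationRecorder"): ("high", "AWS Config recorder deleted"),
    ("kms.amazonaws.com", "DisableKey"): ("high", "KMS key disabled; data encrypted under it becomes unreadable"),
    ("kms.amazonaws.com", "ScheduleKeyDeletion"): ("critical", "KMS key scheduled for deletion"),
    ("kms.amazonaws.com", "PutKeyPolicy"): ("medium", "KMS key policy changed"),
}


@dataclass
class Finding:
    event_id: str
    event_time: str
    actor: str
    severity: str
    reason: str


def load_records(text: str) -> list:
    """Accept a CloudTrail log-file object ({"Records": [...]}) or a bare JSON list of events."""
    data = json.loads(text)
    return data.get("Records", []) if isinstance(data, dict) else data


def actor_of(record: dict) -> str:
    """Prefer the principal ARN; fall back to the identity type."""
    ident = record.get("userIdentity", {})
    return ident.get("arn") or ident.get("type", "unknown")


def analyse(records: list) -> list:
    """Apply the detection rules to each record and return the findings in log order."""
    findings = []
    for rec in records:
        ident = rec.get("userIdentity", {})
        base = dict(event_id=rec.get("eventID", "?"), event_time=rec.get("eventTime", "?"), actor=actor_of(rec))
        # Rule 1: root-user console login. CloudTrail reports MFA use in additionalEventData.MFAUsed.
        if ident.get("type") == "Root" and rec.get("eventName") == "ConsoleLogin":
            mfa = rec.get("additionalEventData", {}).get("MFAUsed")
            severity = "high" if mfa == "Yes" else "critical"
            findings.append(Finding(**base, severity=severity, reason=f"root console login (MFAUsed={mfa})"))
            continue
        # Rule 2: calls that blind detective controls or endanger encrypted data.
        key = (rec.get("eventSource"), rec.get("eventName"))
        if key in HIGH_RISK_CALLS:
            severity, reason = HIGH_RISK_CALLS[key]
            # A denied call still shows intent, so keep it but at reduced severity.
            if rec.get("errorCode"):
                severity, reason = "medium", f"{reason} (attempt denied: {rec['errorCode']})"
            findings.append(Finding(**base, severity=severity, reason=reason))
    return findings


def summarize(findings: list) -> dict:
    """Count findings per severity, e.g. {"critical": 1, "high": 2}."""
    return dict(Counter(f.severity for f in findings))


# Constructed sample log in CloudTrail log-file shape (not real events).
SAMPLE_LOG = json.dumps({"Records": [
    {"eventID": "e1", "eventTime": "2024-01-15T08:00:01Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventID": "e2", "eventTime": "2024-01-15T08:02:10Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"}},
    {"eventID": "e3", "eventTime": "2024-01-15T08:05:44Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::123456789012:assumed-role/Admin/session"}},
    {"eventID": "e4", "eventTime": "2024-01-15T08:06:03Z", "eventSource": "kms.amazonaws.com",
     "eventName": "DisableKey", "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/bob"}},
    {"eventID": "e5", "eventTime": "2024-01-15T08:06:30Z", "eventSource": "kms.amazonaws.com",
     "eventName": "ScheduleKeyDeletion", "errorCode": "AccessDenied",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/bob"}},
]})

if __name__ == "__main__":
    found = analyse(load_records(SAMPLE_LOG))
    for f in found:
        print(f"[{f.severity}] {f.event_time} {f.actor}: {f.reason}")
    print(summarize(found))
```

On the sample, the script reports the root login without MFA as critical, the StopLogging and DisableKey calls as high, and the denied ScheduleKeyDeletion as medium; the DescribeInstances call produces nothing. In a real deployment the same rules would run over the CloudTrail files delivered to S3 or over CloudWatch Logs, and the findings would be forwarded to Security Hub or to the team that works the incident with AWS CIRT.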

The NIS2 Directive poses significant challenges for AWS users, but it is also an opportunity to strengthen their security controls and resilience. AWS, as a leading cloud service provider, delivers tools and support that help customers meet the new requirements, while making clear that customers remain responsible for protecting their own data and applications. Cooperation between the two in the context of NIS2 is key to raising the overall level of cybersecurity in Europe.

Julia Chotkiewicz

Cloud Security Engineer | AWS Community Builder | AWS Certified | Talks about #aws, #cloud, #security, and #cybersecurityawareness