Understanding NIS2 Compliance and Data Security
NIS2 compliance is essential for businesses handling sensitive data within the EU. But how do you track your data effectively? This guide provides a structured approach to achieving compliance and strengthening security.
Data is the lifeblood of modern businesses. Managing it securely and following NIS2 regulations is crucial to ensure protection and compliance. The European Union’s NIS2 directive highlights the need for businesses to track data movement and maintain transparency. Compliance isn’t just about storing data securely—it’s about understanding its entire journey, from creation to deletion.
Why NIS2 Compliance Requires Data Tracking
NIS2 pushes businesses to implement robust data security practices, not merely to satisfy a legal checklist. To comply, organizations must track data throughout its lifecycle, which includes supply chain security and the acquisition of network and information systems, as set out in NIS2 Article 21, Paragraph 2:
“(d) Supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers;
(e) Security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure”.
Businesses must know where their data travels and which data processors and subprocessors handle it along the way. Mapping that data flow exposes weak points and reduces risk. Your own business might handle data securely, and you may even hold a certification such as ISO 27001. But what happens once data leaves your control?
The Benefits of NIS2 Compliance and Data Tracking
1. Enhanced Cybersecurity
Cyber threats are evolving, and tracking your data’s journey is essential. NIS2 compliance improves visibility into data handling, reducing security risks and protecting against cyberattacks. Without proper tracking, businesses cannot effectively mitigate threats.
2. Effective Risk Management
Data regularly ends up being moved, used, or stored in ways or places you did not plan for. Every extra hop adds new exposure. If you know where your data goes, you can spot these deviations early and fix them before they grow into incidents.
3. Increased Trust & Compliance
Customers and partners expect businesses to safeguard their information. Demonstrating NIS2 compliance builds credibility, proving a company prioritizes data protection and cybersecurity.
Challenges in NIS2 Compliance
Keeping track of your data is not trivial, however. Companies that rely on cloud services or subcontractors struggle to keep control over where data moves, and as a digital business evolves its security practices have to evolve with it.
To deal with this you need to be thorough and proactive about how you track data: perform detailed checks to understand exactly how data moves and where it goes, and set clear rules for data handling so that everyone who touches your data does so safely and lawfully. This is not a one-time effort but an ongoing process.
How to Track Data for NIS2 Compliance
Now that we know why it is important, and even beneficial, to follow your data, here are a few guidelines to help you do it yourself.
Step 1: Assess Your Service Providers
Third-party services, including cloud platforms and analytics providers, process your data. Check that they meet NIS2 requirements by reviewing their Data Processing Agreements (DPAs) and security policies, including where they process and store data.
Step 2: Identify & Evaluate Subprocessors
Subprocessors are the further third parties your providers hand your data to. To stay on top of them, businesses must:
- List every subprocessor that handles your data, including the subprocessors of your subprocessors.
- Verify their security controls and the evidence behind them, such as ISO 27001 certification (a certificate shows a management system is in place, not that a specific system is secure).
- Conduct audits or request compliance reports, and repeat the exercise whenever a provider updates its subprocessor list.
Step 3: Monitor Data Flow Beyond Direct Control
Many businesses lose track of their data once it moves beyond their direct oversight. NIS2 expects continuous monitoring and clear tracking mechanisms. Implement:
- Data-flow mapping tools that show where data moves and who processes it.
- Access controls that enforce least privilege, so only the people and systems that need the data can reach it.
- Encryption for data in transit and at rest, with keys you control wherever possible.
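Steps 1 to 3 come down to building an inventory of your processing chain and walking it to the end. The script below is an added example, not code from the original article or from any provider: it models a constructed registry of providers, their subprocessors and their parent companies (every name in it is made up) and reports where data is processed outside the EU/EEA, where an entity is ultimately owned from outside the EU/EEA, where a subprocessor publishes no subprocessor list of its own, and where a named subprocessor is simply not in your records. The finding codes are our own labels, not NIS2 terminology.

```python
"""Added example (constructed data, hypothetical company names): walk a
provider's subprocessor chain and flag what cannot be verified."""
from __future__ import annotations
from dataclasses import dataclass, field

# EU and EEA members (ISO 3166-1 alpha-2); EEA included because the GDPR applies there.
EU_EEA = {
    "AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR", "HU",
    "IE", "IT", "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK", "SI", "ES",
    "SE", "IS", "LI", "NO",
}


@dataclass
class Entity:
    """One organisation in the processing chain (our own data model, not a standard)."""
    country: str                                  # where it is established / processes data
    parent: str | None = None                     # owning company, if any
    subprocessors: list[str] = field(default_factory=list)
    discloses_subprocessors: bool = True          # does it publish its own subprocessor list?
    iso27001: bool = False                        # do we hold a copy of a valid certificate?


def ultimate_owner(registry: dict[str, Entity], name: str) -> tuple[str | None, str | None]:
    """Follow the parent chain to the top-level owner.

    Returns (owner_name, owner_country), or (None, None) when the chain reaches an
    entity we have no record of, or loops (defensive check against bad source data).
    """
    seen: set[str] = set()
    current = name
    while current not in seen:
        seen.add(current)
        ent = registry.get(current)
        if ent is None:
            return None, None
        if ent.parent is None:
            return current, ent.country
        current = ent.parent
    return None, None


def audit(registry: dict[str, Entity], root: str) -> list[tuple[str, str]]:
    """Depth-first walk from `root`; returns (chain, finding) pairs in walk order."""
    findings: list[tuple[str, str]] = []
    visited: set[str] = set()

    def visit(name: str, path: list[str]) -> None:
        if name in visited:
            return
        visited.add(name)
        chain = " -> ".join(path + [name])
        ent = registry.get(name)
        if ent is None:
            # Named by a provider but absent from our inventory: the trail goes cold here.
            findings.append((chain, "unknown-entity"))
            return
        if ent.country not in EU_EEA:
            findings.append((chain, f"processing-outside-eu:{ent.country}"))
        owner, owner_country = ultimate_owner(registry, name)
        if owner is None:
            findings.append((chain, "ownership-unverifiable"))
        elif owner != name and owner_country not in EU_EEA:
            findings.append((chain, f"non-eu-parent:{owner}"))
        if not ent.iso27001:
            findings.append((chain, "no-iso27001-evidence"))
        if not ent.discloses_subprocessors:
            # Without a published list the chain cannot be followed further.
            findings.append((chain, "subprocessor-list-not-published"))
        for sub in ent.subprocessors:
            visit(sub, path + [name])

    visit(root, [])
    return findings


# Constructed sample inventory; none of these companies exist.
REGISTRY: dict[str, Entity] = {
    "Example BV": Entity("NL", subprocessors=["CloudCo GmbH", "MailCo BV"], iso27001=True),
    "CloudCo GmbH": Entity("DE", parent="CloudCo Holdings Inc",
                           subprocessors=["EdgeCDN Inc"], iso27001=True),
    "CloudCo Holdings Inc": Entity("US"),
    "EdgeCDN Inc": Entity("US", discloses_subprocessors=False),
    "MailCo BV": Entity("NL", subprocessors=["SpamFilter Ltd"], iso27001=True),
    # "SpamFilter Ltd" is deliberately missing: MailCo names it, we have no record of it.
}

if __name__ == "__main__":
    for chain, finding in audit(REGISTRY, "Example BV"):
        print(f"{finding:40} {chain}")
```

Running it on the sample inventory yields five findings: the German cloud provider is owned from the US, its CDN processes data in the US, has no certification evidence on file and publishes no subprocessor list, and the mail provider's spam filter is not in your records at all. Each of those is a question to put to the provider before you can say you know where your data goes.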
Overcoming Challenges in NIS2 Compliance
Hidden Risks in Data Transfers
Some companies sell data or transfer it in ways you never agreed to. For instance, Microsoft's new Outlook app has been reported to share user data with over 750 third parties once the user accepts its privacy terms.
Last week the Dutch intelligence service warned about security issues arising from the reach of the US government; it even made the national news (Dutch article). The point is that US authorities can compel US companies to hand over data they hold, regardless of where it is stored, under the Patriot Act and the CLOUD Act. That also covers essential companies and governmental organizations in the Netherlands and the rest of the world that store their data with those companies.
Example: Microsoft
Microsoft products are still used by a great many companies, so let's look at what an assessment of Microsoft would involve, without going too deeply into whether your data is actually safe from analysis by foreign governments, or whether you want your data with a company that EU regulators have fined for privacy violations.
First, Microsoft presents a significant transparency challenge, which complicates any company's attempt to verify cybersecurity and compliance thoroughly. Microsoft does publish a list of, at the time of writing, 47 subprocessors and 36 data centers, but the specifics of what those subprocessors do, how they handle data, and which security controls they apply remain far less clear.
The picture is further complicated by the global spread of those subprocessors, which operate under different data protection laws depending on where they sit. Microsoft states that its subprocessors comply with the GDPR, but Microsoft has itself been the subject of EU privacy enforcement, so ask yourself how much weight that assurance carries. GDPR compliance on paper also says little about data security in practice; Microsoft suffered several well-publicised breaches last year.
Checking subprocessors yourself is genuinely hard. Their parent companies are spread across various countries, which adds more complexity and more potential risk: a subprocessor may be located in the United States while its parent company is not. You can follow that trail yourself, and in our experience it leads to Chinese state-owned companies more than once. On top of that, many of these subprocessors publish no subprocessor list or privacy policy of their own, so you have to contact them one way or another, which costs time and may prove practically impossible.
The Market Shift Toward Secure, EU-Based Solutions
If it is your job to assess Microsoft in light of NIS2, you might be tempted to quit and move to another country, and you would not be the only one who finds the task daunting. What we notice is that this realization, together with privacy and security concerns, has prompted more and more companies and governmental organizations to adopt policies that prohibit, or at least limit, their service providers' use of subprocessors for handling and processing data. The driver is a simple understanding: every subprocessor adds a layer of complexity to data security, and that can make comprehensive protection extremely difficult to guarantee.
By reducing or completely avoiding subprocessors you make your life a lot easier. As the Dutch intelligence service said in last week's article, a breakdown in ties with the United States is currently unthinkable, but nobody knows what the future holds. We expect the EU to keep investing in local infrastructure, and with it new laws and directives, which is one more reason to consider keeping your data fully within EU borders.
How to Simplify Your NIS2 Compliance
Considering all this, now is a good time to move away from the providers you may be using, in order to spare yourself and your company a lot of unnecessary work while raising your security and privacy standards at the same time.
There are plenty of companies in the EU that provide all kinds of services and products for the challenges your business faces. You only need to find the ones that align with your business policies.
Comparing a simplified data journey, you would go from the situation in the image below, with Microsoft's dozens of subprocessors in different countries and the possible resale of your data...
... to the situation in the next image, with fewer providers, fewer subprocessors and hosting in the EU. In the case of vBoxx that means products hosted in the Netherlands, with no subprocessors and with personal support.
Your Next Steps
The Dutch government has released a tool that lets you quickly check your NIS2 obligations (Dutch). We highly recommend it.
If you would like to discuss your use case, we are happy to help you figure out what you need. We offer much of what your business requires: cloud storage, email, video conferencing and password management, but also servers, web hosting and more.
We use no subprocessors, both we and our data center are ISO 27001 certified, and we are fully EU-owned, so no non-EU parent companies are involved. Send us an email, call us, or start a chat and you will be helped right away.