August 13, 2024

NIS2 Reporting Obligations: Binarii Labs’ Insights

In 2023, our focus was on refining user management, enhancing security protocols, and optimizing document handling within our application. We introduced a more sophisticated document management system that not only streamlined file uploads and downloads but also improved document encryption and security. This included implementing MFA (Multi-Factor Authentication) to bolster user authentication processes and revising password management policies for greater security.

We expanded the capabilities for document manipulation, allowing users to add digital signatures, apply watermarks, and manage document sharing with precision. The user interface saw significant improvements, with a redesigned file organization system featuring a comprehensive file tree, advanced search functionality, and better notification management.

User management underwent a transformation with the creation of a more intuitive interface that supports a wide range of actions, including user tracking, activity logging, and efficient data management. Organization administrators were equipped with powerful tools to manage user roles, configurations, and security settings, giving them greater control over their organizational hierarchies.

Additionally, we enhanced the user experience by incorporating features such as automated email notifications, limited-time file sharing options, and advanced metadata editing capabilities. These developments were aimed at improving overall productivity, ensuring secure data handling, and providing a seamless user experience.

Our efforts also extended to developing solutions for secure message exchange within the system. This includes scenarios where a user accesses a stored file, modifies access permissions, or amends the file, ensuring that all actions are securely tracked and managed within the application.

Reporting Obligations (NIS 2 Directive, final text, Article 23 "Reporting obligations", 2022)

1. Incident Notification: Each Member State shall ensure that Essential and Important Entities notify, without undue delay, its Computer Security Incident Response Team (CSIRT) or competent authority of any incident that has a significant impact on the provision of their services. Entities must also notify the recipients of their services of significant incidents likely to adversely affect service provision. Entities are required to report any information enabling the CSIRT or competent authority to determine any cross-border impact of the incident. The act of notification does not increase the entity's liability.

   o For cross-border or cross-sectoral significant incidents, Member States must ensure that their single points of contact are informed promptly.

2. Communication of Cyber Threats: Entities must communicate, without undue delay, to the recipients of their services any measures or remedies they can take in response to a significant cyber threat. Entities should also inform recipients about the threat itself, where appropriate.

3. Significant Incident Criteria: An incident is considered significant if it:

   o Causes or can cause severe operational disruption or financial loss.

   o Affects or can affect other persons by causing considerable material or non-material damage.

4. Notification Timeline:

   o Early Warning: Within 24 hours of becoming aware of a significant incident, entities must submit an early warning, indicating whether the incident is suspected to be caused by unlawful or malicious acts or whether it could have a cross-border impact.

   o Incident Notification: Within 72 hours of becoming aware of the significant incident, entities must submit an incident notification, updating the early warning information and providing an initial assessment, including severity, impact, and available indicators of compromise.

   o Intermediate and Final Reports: Entities must submit an intermediate report upon request and a final report within one month of the incident notification, detailing the incident, its severity, root cause, mitigation measures, and any cross-border impact.

   o For ongoing incidents, progress reports are required alongside the final report within one month of handling the incident. Trust service providers must notify within 24 hours for significant incidents affecting their services.

5. CSIRT Response: The CSIRT or competent authority must provide a response to the notifying entity within 24 hours of receiving the early warning, including initial feedback and guidance on possible mitigation measures. Additional technical support is available upon request, especially if the incident is suspected to be criminal in nature.

6. Cross-Border Communication: Relevant information must be shared with other affected Member States and ENISA in cases of cross-border incidents, preserving the entity's security and confidentiality.

7. Public Awareness: Where necessary to prevent or deal with significant incidents, public disclosure can be made after consulting the affected entity.

8. Summary Reports: Single points of contact must submit quarterly summary reports to ENISA, including anonymized and aggregated data on significant incidents and cyber threats. ENISA will provide technical guidance to ensure comparable information.

9. Information Sharing: CSIRTs or competent authorities must share information about significant incidents with relevant authorities under Directive (EU) 2022/2557.

10. Implementing Acts: The Commission may adopt acts specifying the type of information, format, and procedure for notifications. By 17 October 2024, the Commission will specify significant incident criteria for various service providers, with advice and cooperation from the Cooperation Group.

How Binarii Labs Can Help with NIS2 Compliance  

Binarii Labs offers comprehensive solutions to ensure NIS2 compliance, enhancing your organization's cybersecurity posture and operational resilience:

• Complete Business Continuity: In the event of a cloud location going down or being breached, your data remains 100% accessible with zero interruption.

• Mitigated Disaster Recovery Actions: With no downtime and continuous access to your data, even if a cloud location is down or breached, disaster recovery actions are minimal and involve little or no downtime.

• Reduced NIS2 Reporting: If one of your cloud locations is breached, there would be no "significant incident" requiring obligatory reporting. Instead, you may voluntarily report a threat occurrence with no data subject harmed.

• Proof of Record: Binarii Labs provides unique, independent blockchain-generated proof of the date, time, and provenance of data files. This proof can never be tampered with and is always reliable.

• Automated Redundancy: Each data file is uniquely and individually duplicated on upload as part of the proprietary encryption, fragmentation, and multi-cloud distribution process, ensuring independent backups are happening live 24/7.

• Sovereign Ownership of Data: Benefit from an automated multi-cloud storage solution for each data file, choosing your own cloud providers. However, no single provider becomes the custodian of any complete data file.

• Ease of Use for Staff: No technical literacy is required of any staff member user, ensuring smooth operations.

• Cost Effective: Binarii Labs offers a cost-effective SaaS billing model with no tech consultancy fees, providing a fair and inexpensive pay-per-use model.

By leveraging Binarii Labs' advanced solutions, organizations can confidently navigate the requirements of NIS2, ensuring compliance while maintaining robust security and operational efficiency. To learn more about how Binarii Labs' data security solutions can help your organization achieve compliance with NIS2, DORA, and GDPR regulations, visit our website at Binarii Labs.