Utilizing AI to Manage the Challenges of NIS2 Regulations
By Anove
December 1, 2025
Introduction
As companies increasingly face a stream of directives and legislation aimed at establishing secure exchange environments with cybersecurity measures across the EU, the landscape of digital security is being significantly transformed.
This is the case for the NIS directives adopted in the European legislation, firstly in 2016 with NIS1, whose goal was to enhance cooperation between Member States and create a first level of harmonization in cybersecurity. Six years later, the NIS 2 directive was published in 2022 to improve the previous version. However, when European actors believed they had enough work with NIS2, the AI Act was passed in March 2024, addressing AI risks and positioning Europe to play a leading role globally.
Thus, one question remains: How can we deal with this burden of European regulations, and is there any commonality between NIS2 and the AI act? In this article, we demonstrate how we can leverage AI to address compliance by identifying commonalities across the latest regulations and, therefore, focusing on a single, AI-driven solution.
1. The NIS2 directive
In 2020, the NIS2 directive was proposed as a revision of NIS1. It aims to tackle new and developing cyber threats and change technology environments. Implementing new and more stringent cybersecurity regulations seeks to improve the resilience of vital services, digital service providers, and critical infrastructure. NIS2 seeks to enhance incident reporting and response methods, promote greater collaboration among member states and other stakeholders, and adapt to the growing interconnection of digital systems.
For entities in scope, NIS2 distinguishes between two categories: important and essential entities. The requirements for entities in both categories will be the same. However, there will be a difference in the fines and oversight procedures. With the implementation of NIS2, essential entities will have to comply with supervisory requirements, and important entities will be under ex-post supervision, which means that if authorities find proof of non-compliance, they will take appropriate action. Failure to comply can result in severe penalties or even a ban from the industry.
Why is it a burden, and for whom?
· Costs associated with compliance: Implementing NIS2 standards frequently necessitates large financial outlays for infrastructure, technology, employee training, and compliance procedures. It could be especially difficult for startups or small and medium-sized businesses (SMEs) to commit the resources necessary to achieve these compliance requirements.
· Administrative Burden: NIS2 adds new administrative responsibilities, including frameworks for risk management, incident response protocols, and reporting requirements. It can take a lot of time and resources to fulfill these commitments, which could take them away from important business operations.
· Complexity: Organizations operating across various jurisdictions or those with varied business strategies may struggle to grasp and implement the regulatory framework provided in NIS2. It can be difficult to comprehend the directive's subtleties and ensure compliance fully.
· Impact on Innovation: Although the goal of NIS2 is to encourage innovation, the strict regulatory requirements could inhibit innovative developments, especially for smaller businesses that would find it difficult to keep up with compliance requirements. This can reduce competition and impede the advancement of innovative technologies.
· Competitive disadvantage: Businesses that operate in areas not covered by NIS2 may see it as a hardship because, to enter the European market, they may need to modify their operations to conform to EU laws. Because of this, they can be at a competitive disadvantage compared to companies that are already based in the EU.
How can Anove help?
Anove developed an app explicitly addressing these issues. In addition to general aspects such as privacy management, risks, and security controls, the Anove app automatically generates an in-control statement for each regulation, such as DORA, NEN, GDPR, or, in our case, NIS2. These unique features enable you to be proactive in your reporting and show whoever requests it that you are in control. This also allows you to be compliant with frameworks in other regions or growth markets, such as NIS2.
Anove allows you to create an in-control statement that is tailored to your organization in just a few clicks. This can easily be done in the ‘Compliance’ section at the strategic level.
Figure 1: In Control statement generation in the “Compliance” module at the strategic level
Figure 2: A complete In Control statement generated for NIS2 in less than 10 seconds.
As a result, NIS2 appears to be a challenge for many European companies, and as the digital landscape evolves with the emergence of new technologies such as Artificial Intelligence, new regulations are being imposed for various European actors, such as the very recent Artificial Intelligence Act, which primarily focuses on AI-based technologies with many similarities to NIS2.
2. The EU AI Act
The rapid development of AI-based technologies has led to the creation of new regulations and directives to address potential risks associated with the widespread use of AI in our daily lives and across businesses.
As a result, in April 2021, the European Commission proposed the first EU regulatory framework for AI. Under this framework, AI systems used across different applications are analyzed and classified according to the risks they pose to users. The various risk levels will mean different levels of regulation.
Although NIS2 and the AI Act are two different texts addressing different issues linked to data privacy and cyber security, they share some noticeable similarities.
This is notably the case for risk assessment, security, and notification obligations.
a. Risk Assessment Obligations
· NIS2 requires vital service operators and digital service providers to conduct risk assessments to detect and manage network and information system security vulnerabilities.
· The AI Act requires suppliers of high-risk AI systems to do risk assessments to examine potential hazards to fundamental rights, safety, and liabilities associated with the deployment and use of AI systems.
b. Security Obligations
· NIS2 requires operators of vital services and digital service providers to implement sufficient security measures to protect their networks and information systems from cybersecurity attacks.
· The AI Act establishes security duties for suppliers of high-risk AI systems, requiring them to achieve specified robustness, reliability, and accuracy standards to limit risks and maintain AI system safety and security.
c. Notification Obligations
· NIS2 mandates critical service operators and digital service providers to notify the competent authorities of any significant incidents affecting the security of their networks and information systems.
· The AI Act mandates suppliers of high-risk AI systems to notify designated authorities of certain information, including incidents, malfunctions, and changes in the AI system's intended purpose or design, that may impact Act compliance.
Now you may wonder how we will address all these issues within your company with Anove technology.
Indeed, our AI-powered technology can provide you with the solution you need to “test once, comply many”. There is no need to consider the mass of requirements coming from NIS2, the AI Act, or any future regulation; we propose a solution to comply at once with all the SRF (Standards, Regulations, and Frameworks) within the scope of your company.
3. How can these common challenges be successfully addressed with the Anove App
a. AnoveAI supports you in drafting controls.
AnoveAI streamlines the control writing process, saving Information Security Officers substantial time and effort. Based on our significant expertise, we trained AnoveAI to provide exact, relevant, and complete control descriptions. These descriptions methodically handle critical factors such as who, what, when, how, and why, guaranteeing a systematic approach to meeting criteria. Our solution is intended to generate comprehensive, industry-standard control documentation.
Figure 3: AnoveAI is incorporated directly in the control management section and is accessible via one simple button.
To do this, we rigorously trained our large language model utilizing a variety of control examples, sticking carefully to Kipling techniques, and targeting specific user scenarios. Whether the audience is comprised of control owners, risk managers, or auditors, using the Kipling technique (5W1H) guarantees that the results are clear and coherent. Finally, we aim to bring more visibility by successfully helping you deploy and evaluate your controls to demonstrate your compliance during audits.
Figure 4: AnoveAI assisting the user in writing controls following the Kipling method (5W1H).
With AnoveAI, we ensure increased simplicity for control owners. Indeed, AnoveAI provides control owners with a thorough set of guidelines so they can concentrate on implementation. In the context of risk management, a control is a commitment to risk mitigation and to keeping it at a manageable or low level. You can get assurance from the control owner even if you might not be fully aware of every control. From an auditor's perspective, controls represent the organization's commitment to managing risks and to implementing internal procedures to meet external requirements. Auditors assess controls related to specific internal or external requirement sets. The subsequent maintenance and evaluation processes are made more efficient by precisely establishing controls.
b. Test once, comply many.
Each framework doesn't need its own in-control statement. Frameworks often overlap in terms of the controls they propose, and this overlap can be mapped to determine where the frameworks intersect. One “parent” framework is proposed, corresponding to several “child” frameworks and their “child” controls. You only need to test a parent control in the parent framework to ensure compliance with the several underlying child controls mapped to it, as illustrated in Figure 5.
This mapping is already available in technologies like Anove and is updated whenever the framework changes. Companies can now submit a single in-control statement that applies to several frameworks.
Figure 5: An example of a "test once, comply many" mapping for an identification and authentication control.
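To make the parent/child mapping concrete, here is an added example (not Anove's code, and not the app's actual data model) of a minimal framework crosswalk: one parent control is tested once, and its result propagates to every child control mapped to it in several frameworks. All framework names and control identifiers (P-IA-01, NIS2-IA-1, AIA-SEC-3, FW3-AC-7, and so on) are constructed placeholders, not real NIS2 or AI Act article references. It also handles the two cases a practitioner needs to see: a child control that the parent only partially covers still needs its own evidence, and a child control with no parent mapping is reported as a gap rather than silently passed.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class ChildControl:
    framework: str   # constructed framework name, e.g. "NIS2"
    control_id: str  # constructed placeholder identifier
    coverage: str    # "full": parent test satisfies it; "partial": still needs own evidence


@dataclass
class ParentControl:
    control_id: str
    description: str
    children: list[ChildControl] = field(default_factory=list)


# Constructed crosswalk: two parent controls mapped to child controls in
# three hypothetical frameworks. Identifiers are placeholders.
CROSSWALK: dict[str, ParentControl] = {
    "P-IA-01": ParentControl(
        "P-IA-01", "Identification and authentication of users and systems",
        [ChildControl("NIS2", "NIS2-IA-1", "full"),
         ChildControl("AI-ACT", "AIA-SEC-3", "partial"),
         ChildControl("FW3", "FW3-AC-7", "full")]),
    "P-IR-02": ParentControl(
        "P-IR-02", "Incident detection and notification to competent authorities",
        [ChildControl("NIS2", "NIS2-IR-4", "full"),
         ChildControl("AI-ACT", "AIA-NOT-1", "full")]),
}

# Every child control each framework expects (constructed), so that a control
# with no parent mapping shows up as a gap instead of being overlooked.
FRAMEWORK_CATALOGUE: dict[str, list[str]] = {
    "NIS2": ["NIS2-IA-1", "NIS2-IR-4", "NIS2-RA-2"],
    "AI-ACT": ["AIA-SEC-3", "AIA-NOT-1"],
    "FW3": ["FW3-AC-7"],
}


def propagate(test_results: dict[str, str]) -> dict[tuple[str, str], str]:
    """Derive {(framework, child_id): status} from parent test outcomes.

    test_results maps a parent control id to "effective" or "ineffective".
    """
    derived: dict[tuple[str, str], str] = {}
    for parent_id, outcome in test_results.items():
        for child in CROSSWALK[parent_id].children:
            if outcome != "effective":
                status = "ineffective"          # a failed parent fails all children
            elif child.coverage == "full":
                status = "effective"            # tested once, inherited by the child
            else:
                status = "needs_own_evidence"   # partial mapping: parent alone is not enough
            derived[(child.framework, child.control_id)] = status
    return derived


def in_control_summary(test_results: dict[str, str]) -> dict[str, dict]:
    """Per-framework counts plus an in_control flag (all catalogue controls effective)."""
    derived = propagate(test_results)
    summary: dict[str, dict] = {}
    for framework, controls in FRAMEWORK_CATALOGUE.items():
        counts = {"effective": 0, "ineffective": 0,
                  "needs_own_evidence": 0, "unmapped": 0}
        for control_id in controls:
            counts[derived.get((framework, control_id), "unmapped")] += 1
        counts["in_control"] = counts["effective"] == len(controls)
        summary[framework] = counts
    return summary


if __name__ == "__main__":
    # Constructed test run: both parent controls tested effective once.
    results = {"P-IA-01": "effective", "P-IR-02": "effective"}
    for framework, counts in in_control_summary(results).items():
        print(framework, counts)
```

With both parents effective, FW3 is fully in control from a single test, while NIS2 still shows one unmapped control and the AI Act child with partial coverage still needs its own evidence; the statement generator should surface those gaps rather than claim full compliance.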
c. AnoveAI proactively proposes actions out of ineffective control testing.
You have probably noticed that many of the actions required to improve ineffective controls are repetitive within an ISMS, for example:
- Penetration Testing (simulating cyberattacks to identify vulnerabilities in systems and controls, which can expose weaknesses in access control, security policies, or incident response procedures), or
- Monitoring (regularly monitoring the effectiveness of implemented changes and conducting reviews to ensure controls remain relevant in the face of evolving threats).
Therefore, with AnoveAI, we provide an AI-powered assistant that proposes remediation actions to improve ineffective controls. We rigorously trained the LLM engine on the years of field experience of our experts so that it can advise you at each step.
In conclusion, as regulations of increasing complexity such as NIS2 and the AI Act appear in the European market, organisations must shift to a more proactive approach that combines innovation and simplicity of use. Moreover, as we can see with the AI Act, AI has become a central actor in GRC as it comes under more stringent regulation. In this context, organisations should leverage AI itself as an ally to face this compliance burden. It's like using venom to cure venom, a paradoxical yet effective remedy in today's medical advancements.
Therefore, Anove is a strategic partner in improving Digital assurance. With our advanced technology, AnoveAI, we help you efficiently comply with NIS2 and the AI Act, following our core principle: “test once, comply many.” Trust Anove to not just help you write and implement controls within your ISMS but also to provide you with the insight you need at the Strategic and Tactical levels to guide your organisation towards a future where Digital assurance is seamless and success is inevitable.
Want to read more:
Anove leverages AI in simplifying all NIS2 and AI Act requirements. Want to know more about how we do it? Click here https://www.anove.ai/post/unlocking-the-power-of-ai-anoveai