Is your organisation ready for NIS2?

How Cyber Threat Intelligence Can Help Boost Critical Infrastructure Resiliency for NIS2

Oct 14, 2024

The October 17 deadline for EU Member States to transpose the EU’s NIS2 Directive to lift the cyber resilience of critical infrastructure across Europe is here. NIS2 and the rapidly evolving digital threat landscape make it more important than ever for security and risk teams, management, and boards to have timely, relevant, and actionable cyber threat intelligence (CTI) to guide cyber risk management strategies into the next decade.

Many “essential” and “important” entities affected by NIS2, however, face uncertainty. As of this week, only Belgium, Croatia, Hungary, and Lithuania have passed NIS2 implementation laws. Over a dozen EU Member States have only published draft implementations to replace laws passed for the NIS Directive of 2016 (NIS1), which impacted far fewer organisations. Germany, for example, adopted its NIS 2 Implementation and Cyber Security Strengthening Act in late July. It is expected to pass its laws in early 2025, impacting an estimated 30,000 entities. France’s NIS2 law will impact over 10,000 entities. The Netherlands, Sweden, Poland, Romania, Spain, Greece, Latvia and others will also likely pass their respective NIS2 laws in 2025.

Despite these delays, one thing is certain: affected entities should prepare for NIS2, the most consequential European cyber security legislation to date in this decade. Belgium’s competent authority, the Center for Cyber Security Belgium (CCB), has described NIS2 as “NIS1 on steroids” because it’s bigger in scope, obligations, supervision, reporting, sanctions, and reach. Administrative fines of no greater than €200,000 under NIS1 will increase to up to €10 million, or 2% of annual global turnover, whichever is higher, for essential entities. NIS2 affects tens of thousands more mid-sized and large organisations in energy, transport, banking, health, water, digital infrastructure, ICT service management, public administration, and space.

NIS2 is a major shake-up of how entities providing critical services manage cyber risks, requiring proactive security policies, business continuity, vulnerability management, and incident response. It will require considerable investments in cybersecurity infrastructure across the public and private sectors. By April 17, 2025, Member States must have identified essential and important entities for national registers. Entities may also be required to self-register and be prepared to provide documented compliance. Competent authorities are to “proactively” supervise essential entities, meaning potential inspections without cause, while important entities face supervision only after an incident. Authorities can also issue binding orders for entities to carry out audits and remediate exposures. And management bodies must oversee the implementation of cyber risk management measures and may be held individually liable for non-compliance.

The Cyber-Geopolitical Nexus Is Driving CTI-led Risk Management

NIS2 comes into force as more business and technology leaders seek timely CTI and cyber-focussed geopolitical intelligence to help navigate diverse digital threats that are increasingly shaped by regional flashpoints, superpower rivalries, and the ongoing criminal scourge of ransomware. This new reality affects every sector, demanding intelligence-led cyber risk management for IT, operational technology (OT) environments, and supply chains.

Many organisations have taken stock of this situation. Almost three quarters (74%) of mature CTI practices are already developing Priority Intelligence Requirements (PIRs) in preparation for NIS2, according to the 2024 SANS CTI Survey: Managing the Evolving Threat Landscape. Most of these mature CTI practices (75%) consume CTI of adversaries’ behaviours and tactics, techniques, and procedures (TTPs) to drive threat hunting programs that proactively identify undetected threats in their environment. This CTI also improves incident response, vulnerability management, security operations, and compliance.

However, because NIS2 is broader in scope than NIS1, many affected entities lack mature CTI programs to shape cyber risk management under NIS2. Mature CTI practices are refining PIRs to align their risk management strategy to the current threat environment, including the risks and impacts of significant cyber incidents to IT, OT and other assets they are responsible for securing.

Moreover, since NIS2 is not prescriptive about security controls, CTI plays a key role in determining the “proportional” risk management measures required by NIS2 to “ensure a level of security for network and information systems appropriate to the risks posed.” Regulatory supervision will focus on entities’ security policies, business continuity, supply chain security, incident handling, cyber hygiene, identity and access management, encryption, and authentication.

To understand how to utilise multiple CTI sources to improve NIS2 maturity in key risk domains, organisations can refer to the CTI Capability Maturity Model (CTI-CMM), a vendor agnostic, “stakeholder-first” model to help organisations build successful, impactful CTI programs. Intel 471 sponsored this model and co-authored it with 27 CTI industry expert peers from Belgium’s CCB, IBM X-Force, Signify, BP, and Gojek, among many others.

Reporting and information sharing are key obligations in NIS2. Entities should coordinate with their CTI partner to create reporting that fosters executive-level awareness of cyber risks. Trusted CTI partners can help entities implement controlled incident reporting to share with authorities valuable intelligence, such as the likely causes of a breach and indicators of compromise, without divulging confidential and proprietary enterprise data.

  • To learn how CTI and intelligence-driven solutions for threat hunting and external attack surface management can help drive NIS2 maturity, download Intel 471’s NIS2 White Paper.

  • See how Intel 471’s CTI solutions map to NIS2 risk management measures and reporting obligations in Intel 471’s NIS2 Point of View report.

Partner with a Trusted CTI Provider for NIS2 Maturity

The world’s largest critical infrastructure organisations choose Intel 471 as their trusted “eyes and ears” beyond the wire. Intel 471’s researchers specialise in cyber human intelligence (HUMINT), enabled by direct relationships with key cybercrime threat actors that have been nurtured over years. This work, aided by human-validated automated collection, provides organisations with unmatched insights into current threat actor activity and adversaries’ evolving TTPs, resulting in up-to-the-minute actionable intelligence about threats that matter to them.

Here are some ways critical infrastructure operators work with Intel 471 to reduce their attack surface:

  • Access Intel 471’s Cyber Geopolitical Intelligence reports for forward-looking insights into how significant political events in Russia, the Middle East, and Asia impact cyber risks for European and NATO organisations. See how hostile states use espionage, information warfare, and malware to disrupt critical infrastructure. A combined team of geopolitical and CTI experts forecasts the most likely scenarios for cyber attacks, how and who they will impact the most, and provides hypothetical scenarios to stress test risk management.

  • Deploy Attack Surface Intelligence to continually monitor external digital assets, including cloud resources, for new vulnerabilities, and prioritise remediation based on threats.

  • Adopt the Intel 471 General Intelligence Requirements (GIR) framework for classifying, tracking, and researching threats. Use the GIR to map emerging threats to assets for proactive defence, threat hunting, and incident response.

  • Steer risk management with expert HUMINT sourcing and reporting available in Intel 471’s Adversary Intelligence, Malware Intelligence, Vulnerability Intelligence, Identity Intelligence, and Fraud & Abuse Intelligence solutions.

  • Identify and remove advanced threats that are missed by reactive detection methods. Security teams use Intel 471’s HUNTER471 platform to run and coordinate intelligence-driven threat hunts that identify malicious behaviours in their environment and close logging visibility gaps in security tools.

Organisations of all sizes can leverage CTI and threat hunting to improve NIS2 compliance. For more information on harnessing CTI for NIS2 programs, please contact Intel 471 or join our experts on an intelligence planning exercise.