Six reasons to work with SUSE on NIS2

In the coming months, tens of thousands of businesses and organizations across Europe will be required to comply with the new EU Network and Information Security Directive (NIS2). SUSE can help you achieve full NIS2 compliance in time. With our solutions, you can increase the security and reliability of your IT, gain greater visibility, and achieve higher levels of compliance faster.

Implementation of NIS2 is moving forward. And while it is not certain that the new cybersecurity directive will go into effect in all EU countries as planned on October 17, 2024, business and IT managers should take the necessary technical and organizational steps now. Not only does NIS2 increase the requirements for network and information security, but it also significantly increases the threat of penalties for violations. In addition, managers are personally liable for implementing  the prescribed measures. These regulations have a much greater potential for disruption than the GDPR.

Affected organizations and their executives would be well advised to take the requirements of the NIS2 directive seriously and implement effective strategies and solutions to secure their IT infrastructure in order to avoid executive liability.

How SUSE is helping to prepare for NIS2

SUSE is helping organizations and government agencies meet the requirements of NIS2 in a number of ways. In particular, our solutions have been proven to strengthen the security of IT infrastructures in six areas, making it easier for organizations to comply with the new standards.

1. Supply chain security: NIS2 requires all affected organizations to continuously assess potential cyber risks in their supply chain and take appropriate security measures. However, it is almost impossible for software users to perform an independent assessment of the entire software supply chain. The time required for this would be enormous – at the same time, there would always be the risk of being held liable for an overlooked security vulnerability.
   SUSE simplifies this process for all SUSE Linux Enterprise Server (SLES) based solutions: The operating system is Common Criteria EAL 4+ certified by Germany’s Federal Office for Information Security (BSI). This makes SUSE the only vendor of a current general-purpose operating system to have successfully passed a comprehensive evaluation of its product, development and security update processes. With this officially recognized certification, companies can avoid the hassle of conducting their own evaluation and can demonstrate at any time that the supply chain security of their operating system has been verified by an independent body.
   Rancher Prime, SUSE’s enterprise container management platform, also helps secure the software supply chain. The solution was recently certified against the Supply-chain Levels for Software Artifacts (SLSA). This framework, developed by Google, is designed to ensure the integrity of software as it is built into binaries. Measures such as an automated build process and complete Software Bill of Material (SBOM) documentation protect software from tampering and provide a secure traceability of the source code.
2. Encryption: Another important aspect of NIS2 is cryptography. Article 21 of the directive requires all affected organizations to use up-to-date encryption technologies to ensure the security and integrity of sensitive data. SUSE helps organizations implement this by following the U.S. government’s Federal Information Processing Standards (FIPS) 140-2 and 140-3, which define the security requirements that cryptographic modules must meet in U.S. government agencies.
   SLES 15 SP2 is FIPS 140-2 validated, providing a secure foundation for encrypted communications and data storage. The certified cryptographic modules can also be used in SP3. The cryptographic modules in SLES 15 SP4 are currently undergoing certification to the successor standard, FIPS 140-3. Once the National Institute of Standards and Technology has completed its review, modules such as the Kernel Crypto API, GnuTLS, libgcrypt, mozilla-nss, and OpenSSL will be certified to this standard.
3. High availability: To comply with NIS2 and DORA (Digital Operational Resilience Act), many organizations need to improve the resilience of their IT infrastructure and take additional measures to ensure business continuity. SUSE offers solutions that maximize system availability and minimize downtime. One such solution is the SUSE Linux Enterprise High Availability Extension. With features such as geo-clustering, multi-site data replication and rules-based failover, organizations can ensure that their most critical IT applications are always available-and that they can quickly recover from unforeseen events.
4. Edge computing and IoT security: NIS2 affects all operators of critical infrastructure in sectors such as energy, manufacturing, telecommunications, transportation, and logistics. Today, these organizations often use edge and IoT devices to control their infrastructure. These devices and the applications running in edge environments also need to be protected from potential cyber threats.
   SUSE Edge 3.0 can help. The technology stack, based on Rancher, NeuVector and SLE Micro, not only simplifies the management of distributed devices, but also provides comprehensive security for edge infrastructures of all sizes. With NeuVector, for example, security policies can be enforced pervasively and attacks on edge environments can be blocked in real time. SLE Micro enhances the security of edge devices with the pre-installed SELinux security framework and an immutable file system. In addition, the OS provides the ability to enable a FIPS mode to ensure strict compliance with NIST-validated cryptographic modules and applying system hardening best practices.
5. Vulnerability and risk management for containers and Kubernetes: Many organizations today are modernizing their application landscape and increasingly relying on cloud-native applications that are agilely developed and highly dynamically deployed. This needs to be considered when planning a NIS 2 strategy. SUSE NeuVector provides end-to-end vulnerability management, automated CI/CD pipeline security, complete run-time security, and protection against zero-day and insider threats in the Kubernetes environment. At the same time, the container security solution performs checks and access controls during the development, testing and deployment of new applications. SUSE NeuVector scans containers, hosts and orchestration platforms at runtime and verifies host and container security. All of these features help organizations to comply with the required cybersecurity risk-management measures of NIS 2 directive for modern cloud-native applications.
6. Enhanced incident reporting: The NIS 2 policy also includes enhanced security incident reporting requirements. Affected organizations must report incidents to the appropriate government agencies within 24 hours. Within 72 hours, they must submit a comprehensive report. SUSE makes this requirement easier to meet: Products such as SUSE Manager, Rancher and NeuVector provide comprehensive monitoring and reporting capabilities. These tools can help you monitor the health of your IT infrastructure in real time, detect anomalies, quickly identify security incidents and automate the processes involved. They can also help you gather the information you need to investigate an incident and report it to the authorities.

At SUSECON 2024 (June 17-19 in Berlin, Germany), you can learn more about how SUSE supports compliance with standards such as the NIS2 directive and the EU Cyber Resilience Act (CRA). Our experts François-Xavier Houard and Knut Trepte will discuss compliance and supply chain security from the operating system to the container level.