Detection & Response in Light of NIS2: 5 Key Observations

#1 Detection & Response: The Shift to Managed Services

The concepts underlying NIS2 were largely familiar even before the directive officially emerged. Many aspects, such as the rising number of serious cyber incidents, the increasing sophistication of cybercriminals, and the evolving nature of attacks, have been central to cybersecurity for years. Additionally, the integration of IT with critical infrastructures and daily business operations has intensified.

According to Willem Janssens, Product Manager for Cybersecurity at Cegeka, these factors make managed detection and response (MDR) the preferred approach for many organizations today. 
“You need the capability to monitor and detect threats 24/7 with sufficient knowledge and resources, followed by swift responses. Given the significant investments required, most organizations cannot manage this internally. Advanced technologies and specialized security professionals are essential, and they must also work outside the typical 9-to-5 schedule,” he says.

For organizations covered under NIS2, managing this internally becomes even more challenging due to requirements like the mandatory reporting obligation. Willem notes, “The market has been steadily shifting towards MDR, and NIS2 is accelerating this trend.”

#2 Reporting Obligations and Supply Chain Challenges

NIS2 expands its scope in several areas, such as the sectors covered (now including "essential" and "important" entities) and the stricter requirements organizations must meet. Compared to frameworks like ISO 27001 and NIST CSF, NIS2 introduces more stringent demands.

Stanley Kemkes, Security Solutions Architect at Cegeka, explains: “A logical first step towards NIS2 compliance is an assessment, which we conduct using our Continuous Security Assessment Framework (CSAF). During the gap analysis, part of CSAF, organizations evaluate their status against NIS2 requirements and identify what needs implementation.”

Many organizations are now addressing common gaps, particularly in proactive supply chain management and incident reporting obligations. “In the detection and response pillar, the ability to monitor the entire environment is another significant challenge,” Stanley adds.

#3 Reporting Requires Specialized Forensic Expertise

NIS2 mandates reporting significant incidents in three stages to the national regulator. Stanley elaborates: 
“Within 24 hours, an initial report must be filed, followed by a detailed assessment within 72 hours, including descriptions of the incident, its impact, and urgency.”

This process demands thorough forensic investigations conducted by security professionals with expertise in IT, legal matters, and forensic techniques. Stanley emphasizes the need for skills in areas like logging, operating systems, and preserving the chain of evidence. 
“At Cegeka, this work is handled by our CSIRT (Computer Security Incident Response Team) specialists,” he says.

Willem adds that 24/7 availability is crucial. “NIS2 doesn’t recognize weekends. An incident on a Friday afternoon must be thoroughly analyzed and reported by Monday. Given the complexity and availability demands, only a few organizations, including Cegeka, can provide this level of forensic service.” 

#4 Monitoring Entire IT and OT Environments Is Complex

NIS2 implies that organizations must monitor and secure their entire IT and OT environments and networks. Willem points out, 
“Using tools like XDR (Extended Detection and Response) for workplace monitoring doesn’t guarantee full coverage of the entire environment. This is one of the biggest NIS2 challenges in detection and response. Few organizations have complete visibility into their environments.”

Monitoring OT (Operational Technology) environments is even more challenging, as they often involve outdated technologies and lack client software. Stanley explains, 
“OT environments frequently require network connection monitoring through sensors. Incident response in these settings is also more complex because you can’t simply shut down critical processes or equipment.”

Willem adds, “Often, even internal IT staff are unaware of the OT environment’s intricacies. While attack patterns in OT resemble those in IT, standard actions might not be feasible in OT environments. Effective mitigation requires close collaboration with the affected organization.”

#5 NIS2 Compliance as a Continuous Process

While the focus is currently on achieving compliance and resilience under NIS2, maintaining these standards is equally critical. Willem explains, 
“In our cyber resilience model, we define four pillars: assess, prevent, detect & respond, and recover. These represent cyclical steps aimed at continuous security improvement. Insights from incidents feed back into the prevention pillar to strengthen defenses.”

Cegeka supports this entire cycle, from assessment (CSAF) to recovery (via the Cegeka Modern SOC platform). Additionally, Cegeka can manage full IT outsourcing for its clients. Stanley notes, 
“When clients centralize their security services with us, we achieve higher security levels due to improved collaboration and information sharing.” 

Willem highlights practical advantages: “Managing multiple vendors creates bottlenecks. At Cegeka, we streamline operations and provide real-time insights through our Security Observability Dashboard, offering a comprehensive view of vulnerabilities, incidents, and compliance.”

Learn More

Whether you are subject to NIS2, work with NIS2 organizations, or have a broader interest in cyber resilience and MDR, you can gain valuable insights during a webinar hosted by Stanley Kemkes and Willem Janssens: “An Effective Way for Incident Detection, Response, and Reporting”.