NIS2 Requirements for Basic Cyber Hygiene Practices & Data Sanitization

25 Sep 2024 | Hannaleena Pojanluoma
European flag with text NIS2 Directive Cyber Hygiene Requirements Explained

The Network and Information Systems Directive 2 (NIS2) is a European Union regulation designed to enhance cybersecurity across the EU. As the scale and impact of security breaches continue to rise, NIS2 aims to fortify the EU’s digital infrastructure and safeguard citizens from cyber threats. This directive builds upon the original NIS framework introduced in 2016, bringing updated legal measures to address evolving risks.

In this blog, we explore the NIS2 requirements for basic cyber hygiene practices and provide insights on how organizations can prepare to meet its data sanitization guidelines

NIS2 in a Nutshell

  • When?
    NIS2 was adopted by the European Union in November 2022. EU member states are required to begin following the directive by 17 October 2024.
  • What?
    NIS2 seeks to create a unified standard of security for network and information systems across the EU, making cybersecurity requirements mandatory for all member states. In addition to defining these requirements, the directive introduces enforcement mechanisms and penalties for both member states and organizations that provide critical services.
  • Who?
    Organizations that offer essential services to EU member states in the following sectors must comply with NIS2:
    - Aerospace 
    - Banking and financial market infrastructure 
    - Digital infrastructure
    - Digital service providers
    - Energy
    - Food
    - Healthcare
    - Manufacturing of critical products, such as pharmaceuticals or medical devices
    - Postal and courier services
    - Public administration
    - Public electronic communications networks or services
    - Transport
    - Wastewater and waste management
    - Water supply
     

How to Prepare for NIS2

By following these 5 steps, your organization can effectively prepare to meet the NIS2 requirements:

NIS2 list of 5-step compliance process

1. Identify Obligations
Begin by thoroughly reviewing the NIS2 directive to understand how it applies to your organization and determine your specific responsibilities.

2. Review & Align Policies
Assess your existing policies, standards and procedures, then update them to align with the NIS2 regulation when necessary.

3. Assign Accountability
Designate responsible individuals or teams within your organization to oversee compliance efforts and ensure that the necessary actions are taken.

4. Conduct a Gap Analysis
Perform internal or external assessments to identify any gaps between your current practices and the NIS2 requirements, pinpointing areas that need improvement.

5. Implement & Monitor Actions
Put the necessary measures in place, and establish a process for ongoing monitoring, auditing, and updating of your compliance efforts to ensure long-term adherence.

What Does NIS2 Say About Cyber Hygiene? 

By following these steps in your NIS2 preparation, you'll quickly recognize that implementing cyber hygiene plays a critical role in your compliance efforts. Here is what the directive states about cyber hygiene: 

Article 21: Cybersecurity risk-management measures 

Logo with EU flag and broom in the middle to represent cyber hygiene requirements of NIS2

1. “Member States shall ensure that essential and important entities take appropriate and proportionate technical, operational and organizational measures to manage the risks posed to the security of network and information systems which those entities use for their operations or for the provision of their services, and to prevent or minimize the impact of incidents on recipients of their services and on other services...

2. “The measures referred to in paragraph 1 shall be based on an all-hazards approach that aims to protect network and information systems and the physical environment of those systems from incidents, and shall include at least the following: …"

(g) “basic cyber hygiene practices and cybersecurity training”.

What Does Basic Cyber Hygiene Mean?

While NIS2 outlines the need for “basic cyber hygiene practices”, the directive provides only general guidance on what this means. In practice, cyber hygiene involves the regular completion of key tasks in order to keep systems and networks safe. These tasks may include: updating software, using strong passwords with multi-factor authentication, managing access, backing up data with encryption, using firewalls and AI-based threat detection.

An essential component of cyber hygiene is removing unnecessary data to minimize security risks. Using secure wiping solutions helps to prevent breaches by ensuring sensitive files and deleted data cannot be recovered.

Data Sanitization & Wiping Requirements to Comply with NIS2

To assist your organization in maintaining strong cyber hygiene and managing the risks associated with third parties recovering sensitive data, here are 3 types of data that should be securely erased using trusted wiping software when necessary.

  • Secure File Deletion: Achieve Ongoing Cyber Hygiene & Data Compliance
    Simply deleting files from your systems is not enough to meet data protection and compliance standards. Deleted files can still be recovered with widely available recovery tools, leaving sensitive data at risk. To protect sensitive organizational data, ensure compliance and achieve basic cyber hygiene, it’s essential to use enterprise-focused wiping tools that permanently erase files and folders. 

    Centralized management solutions also allow organizations to monitor and enforce file-wiping policies across their entire infrastructure. By automating and deploying recurring tasks, your organization can maintain cyber hygiene and reduce the risk of data breaches. 

    Best Practice Tip: Schedule regular free space wiping across systems to eliminate residual data traces and comply with security standards. This also removes junk files, temporary files and hidden shadow copies, as well as contributing to a more secure environment that helps maintain regulatory compliance. 
     
  • Online Activity: Managing Browser Data & Cookies
    In an enterprise environment, online activities generate a substantial amount of sensitive data—ranging from browsing histories to cache files and cookies. Over time, this accumulation of data can pose a significant privacy and compliance risk, particularly when dealing with customer or proprietary information.

    To mitigate these risks, organizations should regularly employ data wiping software to clear browsing history and remove tracking cookies that may compromise data privacy. Centralized management of these tasks ensures that browser data is securely erased on all devices, supporting enterprise-wide compliance with data protection standards. Using software with a centralized management feature also gives organizations the option to schedule tasks, for example creating a company-wide policy to wipe browsing history once a week. 

    Best Practice Tip: For added privacy protection, disable Windows 10 and 11 default tracking features using the free BCWipe Privacy Guard software. This no-cost tool further strengthens your organization’s data privacy posture.
     
  • End-of-Life: Secure Disk Wiping & Repurposing for Retired Devices
    When devices reach the end of their life or are ready to be repurposed, simply deleting files or formatting the hard drive is not enough to safeguard sensitive data. Full disk wiping is essential for ensuring that no data remains on the device before disposal or reassignment within an organization.

    For businesses reusing laptops or other hardware, secure disk wiping and hardware decommissioning should be part of their basic cyber hygiene practices. Additionally, generating erasure reports and Certificates of Destruction is important for compliance and auditing purposes. These reports provide evidence that all information stored on a particular device was wiped with due diligence and is now irretrievable, even with the most advanced forensic tools.

    Best Practice Tip: Always perform a full disk wipe before repurposing or disposing of devices, and ensure you have erasure reports for compliance and audit records.
     

Use BCWipe to Comply with NIS2

One of the most effective ways to comply with Article 21 of the NIS2 directive is to use reliable data wiping solutions to securely erase files beyond forensic recovery. Jetico's BCWipe provides 2 unique solutions for securely erasing data, as well as a free tool to guard against Microsoft’s default tracking features.

To request a free trial or learn more about our solutions, contact our Data Protection Specialists. For more information on complying with NIS2, find out how to meet the directive’s encryption security measures.

Hannaleena Pojanluoma photo Jetico CEO and blog writer
Hannaleena Pojanluoma

Hannaleena Pojanluoma has been leading Jetico as CEO since May 2023, bringing with her more than 20 years of sales, marketing and technology experience. Previously working for a range of international companies in her native Finland, Pojanluoma has a broad understanding of diverse international markets.

Pojanluoma has been essential in driving sales growth since joining Jetico in October 2015. Her efforts have been concentrated on boosting sales and brand awareness in key European countries such as the United Kingdom, Germany and Italy.

As a member of Jetico's Board of Directors, she joins influential figures such as Tommi Rasila and Umeshchandra Gowda.

View all blog posts

Thank you for contacting Jetico!
We will respond to you as soon as possible.

Send us a message - we'll reply within 24 business hours.

Need help now? Call Us
US: 202 742 2901 EU: +358 50 339 6388