Precision time and cybersecurity: ensuring NIS2 compliance
2023 truly was the year of EU cybersecurity regulation, with two major pieces of legislation coming into play. After taking a look at DORA and its relevance to financial institutions, it’s time to turn the microscope on an equally important set of regulations: the updated Network and Information Systems Directive, or NIS2.
NIS2 aims to raise the common level of cybersecurity among businesses across the EU, including those in financial services – and in today’s digital landscape, this hands a newly central role to those institutions’ timing systems.
With an impending compliance deadline of October this year, the window for businesses to fall in line with the new requirements is even shorter than that for DORA. For many, both within and beyond the financial world, the timing conversation has become an urgent one.
It’s about time: NIS2 and timing as a cybersecurity essential
NIS2 casts a wide net, applying to businesses designated either as ‘Operators of Essential Services’ (OESs) or as ‘Digital Services Providers’ (DSPs). The former includes financial institutions, plus other sectors like ICT, transport and water. In the DSP category are services like cloud computing and search engines.
The new regulations require organisations in these areas to be proactive in identifying and responding to cyber risks, with new obligations for risk management, incident reporting and response, operational changes, and supply chain security. Alongside its counterpart-of-sorts DORA, NIS2 adds up to a large-scale rethinking of cybersecurity across the EU. And it has much to tell us about the importance of timing.
Take the issue of incident reporting – this relies on businesses having access to accurate, synchronised time, and can be rendered ineffective by stack jitter. Resilience is also crucial – time feeds that derive their time solely from GPS sources, for example, are in danger of being spoofed, a vulnerability that NIS2-enforced risk assessments should flag.
Needless to say, the dangers of non-compliance can be severe, from the risk of large fines or the enforced suspension of business operations, to the threat of devastating cyber attacks. In the age of enhanced cybersecurity measures, time has taken its place not only as a key factor in regulatory compliance, but as a mission-critical utility.
Looking into a post-NIS2 future
NIS2 has a predecessor: the original NIS, which came into play in 2016. That an updated set of regulations was needed so soon testifies to the rate of change that the cyber landscape has seen since then. Our dependence on digital infrastructure, both within and beyond the financial sector, has only increased – and this is a trend that’s only headed one way.
With such an increased dependence comes an increased risk of this infrastructure, including timing systems, being used as a tool of attack. Recent years have seen some high-profile time-related cyber attacks: one which led to the loss of $450m worth of assets on the Mt Gox cryptocurrency exchange, and one which caused the Ukrainian power grid to malfunction. Both were triggered by the transmission of malicious timing information – and both therefore underscore the need for secure, resilient and accurate time.
At Hoptroff, we have designed our Smart Timing Software around robust security measures to protect sensitive timing data, including encryption protocols, access controls and auditing mechanisms, which safeguard against unauthorised access to, or manipulation of, timing information.
Our software also synchronises all devices on your estate with nanosecond accuracy to prevent stack jitter and enable effective incident reporting, while our Time Feed is derived from multiple UTC sources to remain resilient to GPS/GNSS outage. And to ensure peace of mind when it comes to regulatory compliance, our software includes ongoing audits and security updates.
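The resilience point above (a feed that cross-checks several UTC sources instead of trusting one GPS receiver) can be illustrated with an added example that is not Hoptroff's code: a Marzullo-style agreement check over offset readings from several sources. The readings, source names and uncertainty values below are constructed for the example; a single GNSS-derived source reports a time far from the others, and the check flags it as an outlier while still producing a trusted offset from the majority.

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class TimeSample:
    """One reading from a UTC source: its clock's offset from the local clock
    (seconds) and the half-width of the interval within which it is trusted."""
    source: str
    offset_s: float
    uncertainty_s: float

    @property
    def low(self) -> float:
        return self.offset_s - self.uncertainty_s

    @property
    def high(self) -> float:
        return self.offset_s + self.uncertainty_s


def largest_agreeing_set(samples: list[TimeSample]) -> tuple[set[str], float]:
    """Find the largest group of sources whose offset intervals share a common
    point (Marzullo's intersection idea). The set of intervals covering a point
    only changes at interval endpoints, so testing the endpoints is sufficient."""
    best_names: set[str] = set()
    best_point = 0.0
    for candidate in samples:
        for point in (candidate.low, candidate.high):
            names = {s.source for s in samples if s.low <= point <= s.high}
            if len(names) > len(best_names):
                best_names, best_point = names, point
    return best_names, best_point


def select_trusted_offset(samples: list[TimeSample]) -> tuple[float | None, set[str]]:
    """Return (trusted offset or None, sources that disagree with the majority).
    Only a strict majority counts as trusted; with no majority the feed is
    reported as untrusted rather than guessed at, so a monitor can alarm."""
    agreeing, _ = largest_agreeing_set(samples)
    outliers = {s.source for s in samples} - agreeing
    if len(agreeing) * 2 <= len(samples):
        return None, outliers
    offsets = [s.offset_s for s in samples if s.source in agreeing]
    return sum(offsets) / len(offsets), outliers


# Constructed readings: three network sources agree to within milliseconds,
# while the GNSS-derived source is 120 s adrift (e.g. a spoofed receiver).
CONSTRUCTED_READINGS = [
    TimeSample("ntp-a", 0.002, 0.005),
    TimeSample("ntp-b", -0.001, 0.005),
    TimeSample("ptp-grandmaster", 0.000, 0.001),
    TimeSample("gnss-receiver", 120.0, 0.0001),
]
```

Feeding `CONSTRUCTED_READINGS` to `select_trusted_offset` yields a sub-millisecond trusted offset and flags only `gnss-receiver`; a two-against-two split yields `None`, which is the condition a risk assessment should treat as a loss of trusted time.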
The importance of shared infrastructure
Given that timing systems are only going to become more critical to cybersecurity, accessing time that is this secure, resilient and accurate should be as easy as turning on a tap or flicking a light switch. Rather than leaving businesses to their own devices, we’ve built Traceable Time as a Service (TTaaS®) to offer time as a utility that they can subscribe to instead.
In a post-NIS2 world, this model of shared infrastructure is vital. NIS2 already encourages collaboration and information-sharing between organisations to introduce a deep-rooted culture of cybersecurity and prevent uneven security levels between institutions. Shared digital infrastructure is an easy, low-cost way to put these principles into practice and to ensure no-one gets left behind.