Keep Information Security Services

NIS2 vs SOC2

If you’re short on time and would simply like to understand the fundamental differences between NIS2 and SOC2, skip to the section “NIS2 vs SOC2 – the differences” below.

What is NIS2?

The NIS2 Directive (Directive (EU) 2022/2555) is the EU-wide cybersecurity legislation that entered into force in January 2023, replacing the original NIS Directive of 2016. Member states had until 17 October 2024 to transpose it into national law.

NIS2 expanded the scope of sectors and entities that must (legally) comply. The wider scope aims to cover the most critical sectors: those vital to the economy and society and heavily reliant on IT.

NIS2 splits sectors into “high criticality” (Annex I), including:

  • Energy
  • Transport
  • Banking
  • Financial market Infrastructure(s)
  • Healthcare
  • Drinking Water / Wastewater
  • Digital Infrastructure
  • ICT Service Management
  • Public Administration
  • Space

and “other critical sectors” (Annex II), including:

  • Postal and courier services
  • Waste management
  • Chemicals
  • Food
  • Manufacturing
  • Digital providers
  • Research organisations

A detailed and expanded list of NIS2 sectors is here.

Under the original NIS rules (and the UK NIS Regulations 2018 that implemented them), Operators of Essential Services (OES) must demonstrate compliance through an OES return requested by their sector regulator (the “competent authority”). NIS2 replaces the OES category with “essential entities” and “important entities”, but the structure of the return still shows what a regulator expects to see.

The return is built around four objectives and 14 principles. These are the objectives and principles of the UK NCSC Cyber Assessment Framework (CAF), which UK competent authorities use to assess returns.

Objectives and principles:

  1. Objective A: Managing Security Risk
    1. Governance
    2. Risk management
    3. Asset management
    4. Supply chain
  2. Objective B: Protecting Against Cyber Attack
    1. Service protection policies and procedures
    2. Identity and access control
    3. Data security
    4. System security
    5. Resilient networks and systems
    6. Staff awareness and training
  3. Objective C: Detecting Cyber Security events
    1. Security monitoring
    2. Anomaly detection
  4. Objective D: Minimising the Impact of Cyber Security Incidents
    1. Response and recovery planning
    2. Improvements


What is SOC2?

System and Organization Controls, or SOC (previously Service Organization Controls), is a suite of attestation reports, used predominantly in North America, defined by the American Institute of Certified Public Accountants (AICPA). A SOC report is an independent auditor’s attestation over an organisation’s controls, not a certification.

AICPA SOC reports are split into three categories and two types:

  • SOC1 – focuses on the internal controls relevant to a client’s financial reporting (ICFR).
  • SOC2 – focuses on the security and operational controls in place and tests their effectiveness against (up to) five Trust Services Criteria categories:
    • Security (mandatory; the “common criteria”)
    • Availability
    • Processing Integrity
    • Confidentiality
    • Privacy
  • SOC3 – covers the same ground as SOC2, but the report is a short general-use summary intended for wider (public) distribution.

The two types of SOC1 and SOC2 report are:

Type 1 – reports on whether controls are suitably designed and implemented as of a single date. It is a point-in-time snapshot and says nothing about whether the controls operated over time.

Type 2 – reports on the operating effectiveness of the controls across a defined audit period, typically the past 6 to 12 months (a shorter window is sometimes accepted for a first report).

SOC reports are commonly used by Managed Service Providers and Managed Security Service Providers (MSP / MSSP) and by organisations offering Software as a Service (SaaS) to businesses and consumers, as independent evidence of their controls for customers.


SOC cautionary note:

We have seen numerous SaaS companies and others present (or refer to) the SOC1/SOC2 reports and attestations of their upstream service providers as if they were evidence of their own SOC report. This is not acceptable from your position as the end client: the SOC report must cover the organisation that actually provides the service to you.

For example, large infrastructure providers such as AWS and Microsoft Azure publish their own SOC reports.

Many providers build their own platforms on top of that infrastructure. It is fine for an organisation to state that it runs on SOC-audited backbone infrastructure from AWS, Microsoft Azure or others. But an organisation delivering a service on one of those platforms should also undergo its own SOC audit of its OWN infrastructure, services and controls, to demonstrate to clients both a commitment to security and independent validation of the controls in place. A SOC report is ONLY relevant to the controls of the organisation in scope. When you read a provider’s SOC2 report, check the section on subservice organisations: a report that uses the “carve-out” method excludes the cloud provider’s controls and lists the complementary subservice organisation controls (CSOCs) the provider relies on, and it will also list the complementary user entity controls (CUECs) that you, the client, are expected to operate yourself.


NIS2 vs SOC2 – the differences:

  • NIS2 is a legal (EU) requirement for entities in the critical sectors listed here.
  • SOC is a voluntary attestation framework: an organisation that wants a report engages a Certified Public Accountant (CPA) firm to examine its controls.
  • Under the NIS rules, in-scope organisations must demonstrate compliance to their competent authority; in the UK this is the Operators of Essential Services (OES) return, often completed annually (NIS2 uses the terms essential and important entities). NIS2 also imposes incident reporting deadlines: an early warning within 24 hours of becoming aware of a significant incident, an incident notification within 72 hours and a final report within one month.
    • The return is reviewed and assessed by the competent authority for that sector, which issues recommendations.
  • SOC2 audits, especially Type 2, require an organisation to evidence that its controls were implemented, adhered to and functioning at any point in the defined audit period.
    • In other words you must actually operate the controls you claim to, and be able to produce evidence for any date(s) in the audit period that the CPA auditors choose to sample.
  • SOC2 findings are recorded as exceptions against individual controls, which practitioners often group informally as minor or major; the auditor then issues an opinion (unqualified, qualified or adverse) on the report as a whole.
    • A minor finding might be a small deviation from a policy or process, or an incomplete body of evidence for a particular control, where it is clear the control is in place but needs refinement.
    • A major finding could be as serious as having no centralised authentication and authorisation capability, which, alongside other gaps, would indicate a poor understanding and implementation of identity and access control.
  • SOC audits, especially SOC2 Type 2, require a large body of evidence to be provided to the auditors, who assess it and may also ask to see the controls “in action”, either on site or remotely.
  • NIS2 non-compliance may result in fines, liabilities or bans:
    • Fines up to 10 million EUR or 2% of total global annual turnover in the preceding financial year for essential entities, whichever is higher.
    • Fines up to 7 million EUR or 1.4% of total global annual turnover in the preceding financial year for important entities, whichever is higher.
    • Personal liability for senior management.
    • Potential temporary bans on senior management of essential entities exercising managerial functions.
    • Possible temporary suspension of certifications or authorisations for the services concerned.
  • SOC non-compliance may result in a qualified or adverse opinion (in practice, a “failed” report) where a major finding is identified. Where minor exceptions are found, the organisation can respond to them in writing and management’s responses are included in the final report.
    • The organisation can then still share its report with clients, and those clients can see the exceptions, understand them and hold the organisation to account for any remediation required.


KEEP provide NIS2 and SOC2 consultancy services to help your organisation prepare for either and be ready for audit, including guidance on implementing controls, collating evidence and how the audits are conducted. Speak with a consultant today to understand what your organisation needs to do.
