Data Retention Challenges Under NIS2: How Hunt & Hackett’s MDR service enables root cause analysis without additional costs

With the NIS2 Directive now in force, organizations across the EU are working toward compliance to meet stricter cybersecurity requirements. In the Netherlands, this will be formalized through the forthcoming Cyberbeveiligingswet.

For many organizations, partnering with a Managed Detection and Response (MDR) provider is essential for managing threat detection, incident response, and data retention for forensic investigations. While MDR services are critical to maintaining a strong security posture, they also play a pivotal role in ensuring compliance with the visibility and incident handling requirements of NIS2.

The Data Retention Challenge

One of the most significant challenges under NIS2 is the responsibility to retain log and telemetry data for extended periods, ensuring root cause investigations can be performed following cybersecurity incidents. 

However, most MDR providers base their pricing on the volume of data ingested and stored, which forces organizations to limit data ingestion into their security platforms to manage costs. Typically, complying with NIS2’s extended data retention requirements can increase data ingestion costs by a factor of 3–10, creating a difficult trade-off between staying compliant and managing operational expenses.

NIS2 Reporting and Data Retention Requirements 

The NIS2 Directive introduces strict timelines for incident reporting, placing significant demands on data retention and analysis capabilities: 

  • 24 hours: Submit an initial notification within 24 hours of identifying a significant incident to initiate quick action and mitigate threats. 
  • 72 hours: Submit a detailed incident notification, including the impact and severity assessment, and share available indicators of compromise.
  • 1 month: Submit a final report within one month, including the root cause analysis and lessons learned. For ongoing incidents, progress reports are required. 

To meet these requirements, organizations need comprehensive log and telemetry data covering the entire attack lifecycle, enabling thorough investigations and timely reporting. 

 


Figure 1. Incident reporting timelines mandated by NIS2

 

How Hunt & Hackett’s MDR Service Supports NIS2 Compliance 

At Hunt & Hackett, we’ve designed our MDR service to tackle the data retention challenges posed by NIS2 without burdening clients with unexpected costs. Our approach balances the need for compliance, cost-efficiency, and forensic readiness.

Key Features of Our Approach 

  • Visibility of Threat Landscape: We track 500+ threat actor groups, cataloging their TTPs (Tactics, Techniques, and Procedures) and Tools to create tailored threat landscapes for each sector. This ensures our data sources and detection logic focus on capturing and monitoring the most critical attacks, directly supporting NIS2 compliance. 
  • Forensic-Ready Data Retention: Our service continuously collects and stores essential security telemetry, enabling in-depth root cause investigations when needed. This approach meets NIS2’s data retention requirements without hidden costs or additional services. 
  • Assume Breach Mindset: We operate under the assumption that attackers may already be in your network, structuring detection, alerting, and response to identify signs of lateral movement. This proactive approach ensures early threat detection, long before attackers reach business-critical assets. 
  • In-Depth SOC Research & Response: Our Security Operations Center (SOC) conducts forensic-level investigations in real time, covering the entire attack path. This ensures we meet NIS2’s strict reporting deadlines (24 hours and 72 hours) while actively containing threats. Complex cases are escalated to our Incident Response (IR) team as necessary.

The figure below outlines our approach to data retention and storage compared to a standard MDR offering where telemetry is decentralized. 

 


Figure 2. Hunt & Hackett's approach to data retention & storage compared to a standard MDR offering 

 

What Makes Hunt & Hackett’s Approach Unique? 

Hunt & Hackett’s MDR service is designed to prioritize forensic readiness while seamlessly aligning with your organization’s threat landscape. 

  • No hidden costs: Our pricing model avoids penalizing clients for extended data retention.
  • Proactive compliance: Our services are NIS2-ready from the outset, eliminating the need for costly adjustments.
  • Efficient investigations: Our analysts leverage relevant data to quickly meet compliance deadlines and mitigate risks effectively.

Conclusion 

The NIS2 Directive sets a high bar for incident reporting and data retention, requiring organizations to submit early warnings (24 hours), incident notifications (72 hours), and final reports (1 month). Meeting these requirements demands comprehensive telemetry and robust incident investigation capabilities. 

At Hunt & Hackett, we’ve built our MDR service to ensure Forensic-Ready Data Retention from the ground up. By focusing on an Assume Breach approach, linking the threat landscape of your organization with the right data sources and detection logic, and avoiding hidden costs, we help your organization maintain NIS2 compliance while strengthening its cybersecurity posture.

For more information about how our MDR service supports NIS2 compliance, get in touch with us at sales@huntandhackett.com. 
