The NIS2 Directive is a European Union legislative text on cybersecurity that supersedes the first NIS (Network and Information Security) Directive, adopted in July 2016.
NIS vs. NIS2
While the first NIS (Network and Information Security) Directive increased the Member States’ cybersecurity capabilities, its implementation proved difficult, resulting in fragmentation at different levels across the internal market. To respond to the growing threats posed with digitalisation and the surge in cyber-attacks, the Commission has submitted a proposal to replace the NIS Directive and thereby strengthen the security requirements, address the security of supply chains, streamline reporting obligations, and introduce more stringent supervisory measures and stricter enforcement requirements, including harmonised sanctions across the EU.
NIS2 strengthens security requirements in the EU by expanding the NIS scope to more sectors and entities, taking into account
the security of supply chains,
streamlining reporting obligations,
introducing monitoring measures,
introducing more stringent enforcement requirements,
adding the concept of “management bodies” accountability within companies, and
harmonizing and tightening sanctions in all Member States.
To achieve the above mentioned goals, NIS2 requires member states to take a number of measures that forces them to work together:
Establish or improve information sharing between member states and a common incident response plan that coordinates with other member state plans
Establish a national Computer Emergency Response Team
Strengthen cooperation between public and private sector entities
In a nutshell, companies can stay compliant with the NIS2 Directive by
establishing an effective monitoring system that can detect intrusions, detect suspicious activities, and alert the authorities when necessary
developing comprehensive plans that detail how they will respond to an attack and what steps they will take to recover from it.
The official website of the EU for the NIS2 Directive has prepared an FAQ with many good questions and answers.
However, what the website is not saying (for good reasons) is how should companies start to prepare for implementing the directive.
How to start the compliance path
In order to successfully start implementing the requirements, the following steps should be implemented in this order. We will publish articles about pretty much each of these topics.
1.Conduct a gap analysis
Assess your company’s current cybersecurity practices, policies, and infrastructure against the requirements of the NIS2 directive.
Identify any gaps or areas that need improvement to comply with the directive.
2.Designate a responsible person or team
Appoint an individual or a team responsible for overseeing the implementation of the NIS2 directive within your company. This could be a dedicated cybersecurity team or an existing department with relevant expertise.
3.Establish a cybersecurity framework
Develop or update your company’s cybersecurity framework to align with the NIS2 directive. This framework should include policies, procedures, and technical controls to protect your network and information systems effectively.
4.Perform a risk assessment
Conduct a comprehensive risk assessment of your company’s network and information systems. Identify potential threats, vulnerabilities, and risks that may impact the availability, integrity, and confidentiality of critical systems and data. This assessment will help you prioritize security measures and allocate appropriate resources. Risk management and assessments are an ongoing process. Once one risk assessment is carried out, it is important to schedule regular updates to ensure all steps are maintained.
5.Implement security measures
Based on the risk assessment findings, implement appropriate security measures to mitigate identified risks. This may include network segmentation, access controls, intrusion detection systems, incident response procedures, encryption, employee training, and regular security updates, among others.
6.Establish incident response capabilities
Develop an incident response plan and establish procedures for detecting, responding to, and recovering from cybersecurity incidents. Ensure the assigned employees are trained on how to recognize and report security breaches promptly. Business continuity is a very complex topic, which must be planned with a lot of time in advance and it requires extra resources (both human and financial).
7.Continuously Monitor and review
Implement mechanisms to continuously monitor and assess your network and information systems for potential threats. Regularly review and update your cybersecurity measures to adapt to emerging risks and changes in the threat landscape.
8. Maintain documentation and records
Keep comprehensive documentation of your cybersecurity measures, risk assessments, incident response activities, and any other relevant information. This documentation will serve as evidence of compliance and may be required for regulatory audits or investigations. A good record might save your company legal and regulatory repercussions in case of a major incident (cyber related or not).
9.Engage with regulatory authorities
Stay informed about any reporting or notification obligations outlined in the NIS2 directive. Establish communication channels with the relevant regulatory authorities and comply with any reporting requirements or inquiries they may have. NIS2 strives to improve EU-wide communication and sharing of cyber events in order to better prepare answers and reactions. Communication has never been more important than now.
10. Define KPIs for cybersecurity and measures taken based on them
In order to measure the effectiveness of the cybersecurity, you need to define metrics that allow identifying and quantifying changes. Example of metrics are number of incidents, types of incidents, how many trainings have been made, how many people were trained, how many pentests were made and how many issues were identified, and many more.
We will address the first topic: Perform a gap analysis.