Posts

NIS2 Fulfillment through TISAX Assessment and ISA6

/in

ENX has released an interesting article about how NIS2 requirements map to TISAX requirements. For this, there is a short introductory article called “TISAX and Cybersecurity in Industry – Expert Analysis Confirms NIS2 Coverage” and

and a full article of 75 pages : https://enx.com/TISAX-NIS2-en.pdf

An analysis conducted within ENX’s expert working groups examined how well a TISAX assessment based on the ISA6 catalog aligns with the requirements of the NIS2 Directive.

The key findings include:

  • All relevant NIS2 requirements are addressed, including risk management, incident response, supply chain security, governance, and technical safeguards.
  • TISAX goes beyond minimum legal requirements, incorporating structured maturity assessments, systematic vulnerability management, and continuous improvement mechanisms.
  • The established three-year assessment cycle is considered appropriate in the context of NIS2.
  • TISAX labels are publicly accessible via the ENX database, enabling transparent verification.
  • Additional national requirements must be addressed separately. This includes, in particular, country-specific reporting obligations to authorities or national CSIRTs. While not part of the TISAX standard, these requirements can be effectively managed using existing TISAX structures.

 

Here is the summary of the PDF above created with NotebookLM (9 pages):

Detailed Briefing Document: NIS2 Fulfillment Through TISAX

Date: October 26, 2023 Prepared for: Key Stakeholders concerned with NIS2 Compliance in the Automotive Industry Subject: Review of the “NIS2 fulfilment through TISAX” Expert Opinion, detailing how TISAX assessments align with NIS2 Directive requirements.

Executive Summary

The automotive industry, through the ENX Association and the ISA requirements catalogue, has proactively addressed cybersecurity for years, culminating in the TISAX assessment standard established in 2017. This expert opinion, published by the ENX Association, concludes that companies with TISAX-compliant sites fully implement the requirements of the NIS2 Directive. The ISA catalogue and TISAX assessments go beyond NIS2 requirements, defining and continuously upholding the “state of the art” in information and cybersecurity for the industry. Independent auditors confirm implementation in a three-year cycle, deemed appropriate even when compared to the two-year cycle for critical infrastructure operators under German law. A common exchange mechanism allows organizations to query TISAX status and, by extension, NIS2 compliance, of partners.

Key Takeaway: Organizations with a valid TISAX label are generally well-prepared for the material requirements of NIS2, with the caveat that they must still manage national reporting requirements in parallel and ensure that their TISAX assessment objectives reflect their overall risk and cover all NIS2-affected sites.

1. Introduction and Overview of NIS2 and TISAX

The NIS2 Directive (EU) 2022/2555 aims to strengthen cyber resilience across the European Union, replacing the NIS1 Directive. It expands the scope of affected organizations, including many in the automotive industry. The automotive industry recognized the need for industry-wide information and cybersecurity and developed the TISAX Assessment standard and its underlying ISA requirements catalogue. The purpose of this analysis is to demonstrate that TISAX assessments, based on ISA6, can be considered proof of compliance with NIS2 requirements.

  • Purpose of Analysis: To assist companies in the automotive industry in assessing whether TISAX compliance covers NIS2 requirements.
  • Scope of Analysis: Focuses exclusively on NIS2 Directive requirements with specific implementation guidelines for companies. It does not provide implementation assistance or confirm a company’s readiness for NIS2 outside of TISAX. Country-specific implementations and additional material requirements are not covered.
  • Target Audience: Experts from companies affected by NIS2 that use or undergo TISAX assessments, and authorities responsible for NIS2 compliance and supervision.

2. TISAX Assessment and Underlying Catalogue of Requirements (ISA6)

TISAX assessments, conducted by independent auditors in a three-year cycle, are based on ISA catalogue version 6 (ISA6). A critical distinction is made between TISAX scope definition and ISO management system certifications:

  • TISAX Assessment Scope: Utilizes a generally defined standard scope, ensuring comparability and a similar level of security across companies. This contrasts with ISO/IEC 27001, where the audited organization defines its ISMS scope. For the conclusions of this document to apply, TISAX Assessment objectives must reflect the company’s overall risk, and all NIS2-affected sites must have corresponding TISAX labels.
  • TISAX Assessment Objectives: Allow for scaling the assessment content based on risk and criticality of information processed (e.g., Confidential, Strictly Confidential, High Availability, Very High Availability, Data, Special Data, Prototype Protection).
  • TISAX Assessment Levels (AL):AL 1: Self-assessment, auditor checks completion, low confidence, not used in TISAX.
  • AL 2: Auditor performs plausibility check of self-assessment, checks evidence, conducts interviews (usually web conference).
  • AL 3: Comprehensive review, auditor verifies documents, conducts planned and unplanned interviews, observes implementation, and considers local conditions. Generally takes place on-site at all locations.
  • If multiple objectives are used, the highest AL is applied to the overall assessment.
  • TISAX Group Assessments (Simplified Group Assessment – SGA): Designed for companies with many locations and a centralized, highly developed ISMS.
  • S-SGA (Sample-based): Main site extensively assessed, sample sites assessed, other sites assessed at one AL lower.
  • R-SGA (Rotating Schedule-based): Main site extensively assessed, other locations assessed at the same AL but distributed over the three-year validity period. Not available for prototype protection objectives.
  • TISAX Control Questions and Requirements:Requirements are categorized (Must, Should, Additional requirements for high protection needs, Additional requirements for very high protection needs, Additional requirements for SGA).
  • “Must” requirements are strict, “Should” allows for justified deviations.
  • Additional requirements are subdivided by protection objectives (Confidentiality (C), Integrity (I), Availability (A)).
  • Individual control questions cannot be excluded as “not applicable”; they must be implemented holistically.
  • Deviations in TISAX Model: TISAX includes a maturity model (six levels, target is “established”) to assess practical implementation. Identified deviations require corrective action plans with defined implementation periods (up to 3, 6, or 9 months). Failure to correct deviations results in a failed audit.
  • Validity Period: TISAX assessments are valid for three years. Companies must continuously implement specified measures, conduct regular internal audits, and report significant changes affecting the ISMS or physical conditions, potentially requiring interim assessments.

3. NIS2 Article 20: Governance and Training

NIS2 Article 20 focuses on the governance body’s responsibility for cybersecurity risk management and their participation in relevant training.

  • NIS2 Article 20 (1): Governing Body’s Role in Risk Management: Requires the governing body to establish and monitor structures for cybersecurity risk management.
  • TISAX Fulfilment: Fully covered by ISA6 controls (1.2.1, 1.2.2, 1.4.1, 1.5.1, 1.5.2, 7.1.1). These controls check for defined ISMS scope, determined requirements, management commissioning and approval of ISMS, communication channels, regular reviews of ISMS effectiveness, defined responsibilities, resource availability, adequate security structure, qualified employees, conflict of interest avoidance, regular risk assessments, risk classification and allocation, security risk handling, compliance verification, independent ISMS reviews, and consideration of regulatory/contractual provisions.
  • Summary: “The requirement that the governing body of an organization has created appropriate structures to implement and monitor the implementation of the cybersecurity risk management measures taken to comply with Article 21 (NIS2 Article 20 (1)) is described by the controls defined in the ISA6 assessment standard and is fully checked for existence and implementation by the responsible auditor within a TISAX assessment.” The three-year TISAX cycle is considered appropriate given NIS2’s risk-based approach.
  • NIS2 Article 20 (2): Training for Governing Body and Relevant Members: Requires regular training for governing body members and other relevant individuals to acquire sufficient knowledge and skills in cybersecurity risk identification, assessment, and management.
  • TISAX Fulfilment: Checked by ISA6 control 2.1.3 (“To what extent is staff made aware of and trained with respect to the risks arising from the handling of information?”). This includes comprehensive training for all employees (including management), an awareness training concept covering relevant areas, consideration of target groups, regular execution, and documentation of participation.
  • Summary: While ISA does not explicitly list “management body” for training, it mandates training for “all employees” and differentiation by “target group,” implicitly covering management. This ensures the requirements of NIS2 Article 20 (2) are met.

4. NIS2 Article 21: Risk Management Measures

NIS2 Article 21 mandates appropriate and proportionate technical, operational, and organizational measures to manage risks to network and information systems.

  • NIS2 Article 21 (1): General Measures for Risk Management: Requires appropriate and proportionate measures to manage risks and minimize incident impact, considering the state of the art and implementation costs.
  • TISAX Fulfilment: Covered by ISA6 controls 1.2.1 (“To what extent is information security managed within the organization?”) and 1.4.1 (“To what extent are information security risks managed?”). These check for defined ISMS scope, determined requirements, existence and regular updating of risk assessments, assignment of risk owners, and action plans for risks.
  • Summary: “The requirements of NIS2 Article 21 (1) are described by the controls defined in the ISA6 assessment standard and are checked for existence and implementation by the auditor responsible during a TISAX assessment.” The TISAX assessment ensures a risk-based approach tailored to the company’s circumstances.
  • NIS2 Article 21 (2) a) – j): Specific Measures: These sub-articles detail specific areas for cybersecurity measures.
  • a) Policies on Risk Analysis and Information System Security: Fully covered by ISA6 controls 1.4.1, 5.2.7, 5.3.1, checking for procedures to identify, assess, and address risks, network management requirements, and information security consideration in new/developed IT systems.
  • b) Incident Handling: Fully covered by ISA6 controls 1.6.1, 1.6.2, checking for definition of reportable events, reporting channels, communication strategies, and incident processing procedures (categorization, qualification, prioritization, response, escalation). “The processes for detection, reporting channels and procedures, classification, processing and escalation (if necessary), go beyond the requirements stipulated in NIS2.”
  • c) Business Continuity, Backup Management, Disaster Recovery, Crisis Management: Fully covered by ISA6 controls 1.6.3, 5.2.8, 5.2.9, checking for crisis management preparedness, IT service continuity planning, and backup/recovery of data and IT services.
  • d) Supply Chain Security: Fully covered by ISA6 controls 1.2.4, 1.3.3, 1.6.1, 1.6.2, 1.6.3, 5.3.3, 6.1.1, 6.1.2. This includes defining responsibilities with external IT service providers, ensuring use of evaluated services, incident reporting and management from external parties, secure removal of information from external services, ensuring information security among contractors and partners, and contractual non-disclosure agreements. “The requirements in the ISA6 assessment standard go beyond the requirements of NIS2 and additionally include, for example, compliance with information security standards beyond the direct providers or service providers.”
  • e) Security in Network and Information Systems Acquisition, Development, and Maintenance (including vulnerability handling): Fully covered by ISA6 controls 1.2.3, 1.2.4, 1.3.4, 5.2.1, 5.2.4, 5.2.5, 5.2.6, 5.3.1, 5.3.2, 5.3.3, 5.3.4. This extensive coverage includes considering information security in projects, responsibilities with external IT service providers, approved software usage, change management, event logging, vulnerability identification and addressing, technical checks of IT systems, security in new/developed IT systems, network service requirements, and information protection in shared external services. “The assessment goes beyond the requirements of NIS2 by considering the return and secure removal of information assets from IT services outside the organization.”
  • f) Policies and Procedures to Assess Effectiveness of Cybersecurity Risk-Management Measures: Fully covered by ISA6 controls 1.2.1, 1.4.1, 1.5.1, 1.5.2, 1.6.2, 5.2.6, checking for regular review of ISMS effectiveness by management, up-to-date risk assessments, regular compliance checks, independent ISMS reviews, continuous improvement based on security events, and regular technical audits of IT systems and services. The three-year cycle is considered appropriate.
  • g) Basic Cyber Hygiene Practices and Cybersecurity Training: Covered by a wide range of ISA6 controls (1.1.1, 2.1.2, 2.1.3, 4.1.3, 4.2.1, 5.1.1, 5.1.2, 5.2.1, 5.2.2, 5.2.3, 5.2.4, 5.2.5, 5.2.6, 5.2.7, 5.2.8, 5.2.9, 5.3.1, 5.3.2, 5.3.3, 5.3.4). This includes information security policies, contractual obligations for staff, comprehensive training, secure management of user accounts/login info, access rights management, cryptographic procedures, information protection during transfer, change management, separation of environments, malware protection, event logging, vulnerability management, technical audits, network management, continuity planning, backup/recovery, and secure handling of information assets.
  • h) Policies and Procedures Regarding Cryptography and Encryption: Fully covered by ISA6 controls 5.1.1, 5.1.2, checking for adherence to industry standards, technical rules, lifecycle management of cryptographic keys, key sovereignty, and protection of information during transfer (including encryption).
  • i) Human Resources Security, Access Control Policies, and Asset Management: Fully covered by a comprehensive set of ISA6 controls (1.3.1, 1.3.2, 1.3.3, 2.1.1, 2.1.2, 2.1.3, 2.1.4, 3.1.3, 3.1.4, 4.1.1, 4.1.2, 4.1.3, 4.2.1, 5.2.1, 5.2.2, 5.2.3, 5.2.4, 5.2.5, 5.2.6, 5.2.7, 5.2.8, 5.2.9). This includes identification and classification of information assets, use of approved external IT services, employee qualification for sensitive roles, contractual obligations, training, mobile work regulations, handling of supporting assets, mobile device management, identification means management, user access security, user account/login info management, access rights, change management, separation of environments, malware protection, event logging, vulnerability management, technical audits, network management, continuity planning, and backup/recovery.
  • j) Multi-factor Authentication, Continuous Authentication, Secured Communications, and Emergency Communication Systems: Fully covered by ISA6 controls 1.6.3, 4.1.2, 4.1.3, 5.1.2, 5.2.8. This involves crisis planning for communication, user authentication procedures (including strong authentication/MFA for privileged accounts), secure management of user accounts/login info, protection of information during transfer (secure voice/video/text communication), and continuity planning that includes alternative communication strategies.
  • NIS2 Article 21 (4): Immediate Corrective Measures for Non-Compliance: Requires immediate necessary, appropriate, and proportionate corrective measures upon awareness of non-compliance with Article 21 (2) measures.
  • TISAX Fulfilment: Fully covered by ISA6 controls 1.5.1, 1.5.2, checking for verification of policy observation, regular review of policies/procedures, documented results, regular compliance checks, and initiation/pursuit of corrective measures based on internal and independent reviews. The three-year cycle is deemed appropriate.

5. NIS2 Article 23: Incident Reporting

NIS2 Article 23 outlines requirements for reporting security incidents.

  • NIS2 Article 23 (1): Notification of Significant Security Incidents: Essential and important entities must notify their CSIRT or competent authority without undue delay of significant security incidents. Recipients of services must also be informed immediately. Information enabling cross-border impact determination must be provided.
  • TISAX Fulfilment: Almost fully met by ISA6 controls 1.6.1, 1.6.2. These check for defined reportable events, known reporting mechanisms based on severity, available reporting channels, handling of events by category, knowledge of reporting obligations and contact information, and communication strategies.
  • Summary: “One exception here is the disclosure of cross-border effects, which is not explicitly required within the ISA. It has already been defined here that emergency communication must be expanded to include the specifications from NIS2. Once this extension has been considered, the requirements are fully met.”
  • NIS2 Article 23 (2): Communication of Remedial Actions to Recipients: Entities must promptly communicate to affected recipients any measures or remedial actions they can take in response to a significant cyber threat, and inform them of the threat itself.
  • TISAX Fulfilment: Covered by ISA6 control 1.6.2. This includes categorization, qualification, and prioritization of reported events, appropriate responses, and communication strategies considering target recipients and reporting periods.
  • Summary: “The explicit contact information, reporting channels and languages must be included in the Business Continuity Management (BCM) by the companies following their publication by the EU member states. The auditor cannot guarantee that this information is available, as the information to be included is company-specific and can therefore take a variety of forms.”
  • NIS2 Article 23 (3): Definition of Significant Security Incident: Provides an informative definition (serious disruption or financial/material/immaterial damage).
  • TISAX Fulfilment: Purely informative, no assessable measures.
  • NIS2 Article 23 (4): Reporting Timelines and Content: Specifies detailed reporting timelines (early warning within 24 hours, incident notification within 72 hours, intermediate reports, final report within one month).
  • TISAX Fulfilment: Covered by ISA6 controls 1.6.1, 1.6.2, 1.6.3. These check for defined reportable events, mechanisms based on severity, accessible reporting channels, obligation to report, feedback procedures, categorization/prioritization, maximum response times, escalation, and crisis communication strategy.
  • Summary: “In addition to the knowledge and existence of the necessary reporting channels and deadlines, the ISA standard also requires the establishment of crisis-proof communication. At this point, the requirements of the ISA go beyond the requirements of NIS2.” Similar to 23(2), explicit contact information and channels are company-specific and not directly assessed by TISAX.
  • NIS2 Article 23 (5-11): No explicit demands on affected companies requiring preparatory measures.

6. NIS2 Article 24

  • NIS2 Article 24 (1): No explicit demands on affected companies that require preparatory measures.
  • TISAX Fulfilment: No assessable measures.

7. NIS2 Article 25: European and International Standards

NIS2 Article 25 addresses the application of European and international standards for network and information system security.

  • TISAX Fulfilment: “The requirements of NIS2 Article 25 to use European and international standards and technical specifications for the security of network and information systems to ensure the implementation of the requirements for companies resulting from NIS2 are met by an audit of an organization’s ISMS carried out in accordance with TISAX, as this report demonstrates.” No explicit demands for preparatory measures are made on companies.

8. NIS2 Articles 22, 26-29

  • NIS2 Article 22: Coordinated Risk Assessments for Critical Supply Chains: No specific requirements for companies, not considered further in this report.
  • NIS2 Articles 26-28 (Jurisdiction, Register of Entities, Domain Name Registration Data): No measures to be examined for companies, not considered in this document.
  • NIS2 Article 29: Exchange of Cybersecurity Information: “The requirements of NIS2 Article 29 are not assessed within the TISAX assessment.”

9. Overall Summary and Conclusion

The “NIS2 fulfilment through TISAX” document strongly asserts that TISAX assessments, based on the ISA requirements catalogue, provide comprehensive evidence that companies meet the material requirements of the NIS2 Directive.

  • State of the Art: ISA and TISAX are considered “state of the art” for information and cybersecurity in the automotive industry due to their continuous development by experts, application by thousands of companies, and resulting knowledge gain.
  • Management Responsibility and Risk Management: A TISAX label indicates that the management of an assessed company fulfills the responsibility required in NIS2 Article 20 and has implemented all state-of-the-art risk management measures of Article 21, provided the assessment objectives reflect overall risk and all NIS2-affected sites were included.
  • Audit Cycle: The three-year TISAX audit cycle is deemed appropriate, even compared to the two-year cycle for critical infrastructure operators under German law, due to the continuous monitoring and documentation obligations within the cycle.
  • Preparation for NIS2: Companies with a valid TISAX label are “well positioned to meet the requirements of the NIS2 directive in these areas.”
  • Reporting Requirements: TISAX provides proof of established mechanisms for mandatory reporting to authorities and customers. However, companies are responsible for integrating country-specific additional requirements and verifying them against implemented measures.

In essence, TISAX is presented as a robust framework that aligns with and often exceeds the cybersecurity requirements set forth by NIS2 for the automotive sector.

 

 

The post NIS2 Fulfillment through TISAX Assessment and ISA6 first appeared on Sorin Mustaca’s blog.

Maping NIS2 requirements to the ISO 27001:2022 framework

/in

We described here the process needed to perform a gap analysis for NIS2, but we did not add the details on how to approach this.

This article references on the ISO27001:2022 series, especially on the description of the Annex A controls. Make sure you are familiar with the ISO 27oo1:2022 requirements and the with the Annex A.

Introduction

The NIS2 Directive, aimed at strengthening network and information system security across the European Union, necessitates a thorough alignment with the latest iteration of the ISO 27001 standard, which was updated in 2022. This article explores a comprehensive methodology for conducting a gap analysis to ensure compliance with NIS2 using the framework provided by ISO 27001:2022.

Understand NIS2 Requirements

The NIS2 Directive expands upon its predecessor by setting stringent cybersecurity and resilience measures for essential and important entities across various sectors. Its key focus areas include incident response, supply chain security, and the security of network and information systems. These areas are critical in maintaining the integrity and availability of services that are vital to the internal market and public welfare.

 

The NIS2 Directive does not prescribe a specific set of controls for the affected companies.

Rather, it states that they should adopt measures that are appropriate to their specific risk profile, considering factors such as:

  • The state of the art in cybersecurity

  • The potential impact of incidents on their services

  • The costs of implementing the measures

  • The proportionality between the measures and the risks

The directive also refers to existing standards, guidelines, and best practices that can help entities to choose suitable controls.
For example, it mentions:

  • The NIST Cybersecurity Framework

  • The ENISA Good Practices for Security of Internet of Things

  • The ETSI Technical Specification on Critical Security Controls for Effective Cyber Defense

 

Read here our collection of articles about the NIS2 directive.

Overview of ISO 27001:2022

ISO 27001:2022 establishes requirements for an Information Security Management System (ISMS), providing a systematic approach to managing sensitive company information so that it remains secure.

It includes people, processes, and IT systems by applying a risk management process and clearly defines information security control requirements in its Annex A .

 

Similarities

Despite the differences in scope, objectives, requirements and controls, there are some similarities between the NIS2 Directive and the ISO 27001:2022 standard.

Here are the most evident similarities :

  • Risk management: Both frameworks are based on the concept of risk management, which involves identifying, analyzing, evaluating, and treating the information security risks that affect the organization or the service.

  • Involvement and commitment of top management: Both frameworks require the involvement and commitment of top management, who are responsible for ensuring that the appropriate resources, roles and responsibilities are allocated to support the implementation and maintenance of the measures.

  • Importance of continuous improvement: Both frameworks emphasize the importance of continuous improvement, which involves monitoring, measuring, reviewing, and updating the measures to ensure they remain effective and relevant in a changing environment.

  • Cooperation and information sharing: Both frameworks encourage cooperation and information sharing among relevant stakeholders, such as authorities, regulators, customers, suppliers, and peers, to enhance the overall level of cybersecurity.

Mapping NIS2 to ISO27001:2022 requirements

The mapping begins with identifying the specific NIS2 requirements that are applicable to the organization.

Step 1: Identify NIS2 requirements

1. Scope of Application

  • Expansion of Affected Entities: NIS2 extends its requirements beyond the sectors covered by the original NIS Directive, including essential and important entities across various sectors such as energy, transport, health, and digital services.

2. Risk Management Measures

  • Comprehensive Security Requirements: Entities are required to implement appropriate technical and organizational measures to manage the risks posed to the security of network and information systems, including measures for incident handling, business continuity, and supply chain security.

3. Incident Response and Reporting

  • Incident Reporting Obligations: NIS2 mandates strict incident reporting requirements, where entities must notify relevant national authorities about significant cybersecurity incidents with potentially severe operational impacts, within a short timeframe.

4. Supply Chain Security

  • Security of Supply Chains and Supplier Relationships: Entities need to address cybersecurity risks not only within their own operations but also across their supply chains, ensuring that suppliers meet security requirements to protect against potential vulnerabilities and threats.

5. Interoperability and Cooperation

  • Enhanced Cooperation Among States: NIS2 emphasizes improved information sharing and coordinated response among EU member states, with mechanisms for cross-border collaboration in cybersecurity threat detection, response, and recovery.

6. Security and Network Systems

  • Strengthening of Security Practices: Detailed requirements on securing network and information systems, ensuring the integrity, availability, and confidentiality of services, particularly in critical infrastructure sectors.

7. Regulatory Oversight and Compliance

  • Increased Enforcement Powers: Regulatory authorities are granted more significant powers to enforce the Directive, including the ability to conduct audits, review compliance, and impose sanctions on entities failing to meet the cybersecurity requirements.

8. Financial Penalties

  • Penalties for Non-Compliance: NIS2 introduces substantial financial penalties for non-compliance, aimed at ensuring that entities take their cybersecurity obligations seriously.

9. Cybersecurity Measures Specificity

  • Detailed Guidelines and Standards: The Directive encourages the use of established standards and specifications to fulfill the required security measures, promoting best practices in cybersecurity management.

 

This step involves a detailed review of NIS2, focusing on the obligations that directly impact the organizational processes and security measures.

Step 2: Map requirements to the ISO 27001:2022 chapters

The next step is to map relevant chapters and controls in ISO 27001:2022 to these NIS2 requirements:

  • Chapter 4 (Context of the Organization) -> NIS2 1,4,5
    • Understand external and internal issues that affect the ISMS, aligning with NIS2’s broader security requirements.
    • Identify if the company is falling into the two entity categories: Important and Essential.
    • An important step is also to identify and assess all external suppliers.
  • Chapter 5 (Leadership) -> NIS2 1,5,8
    • Ensures management’s commitment to the ISMS, mirroring NIS2’s emphasis on leadership and governance in cybersecurity.
  • Chapter 6 (Planning) -> NIS2 2,3,4,6 
    • Address the assessment and treatment of information security risks, a core component of proactive compliance under NIS2.
    • Conduct a risk assessment to identify threats, vulnerabilities, and impacts on information assets.
    • Develop a risk treatment plans to address identified risks, including mitigation, transfer, or acceptance.
  • Chapter 7 (Support) -> 5,7,9
    • Provide the framework for managing resources and operational planning,
    • Establish communication channels for reporting security incidents and seeking guidance on information security matters.
  • Chapter 8 (Operation) -> NIS2 2,3,4,6
    • Provide the framework for managing resources and operational planning, establishes incident response and business continuity plans to mitigate the impact of security incidents and disruptions, crucial for implementing the technical and organizational measures required by NIS2.
  • Chapter 9 (Performance Evaluation) -> NIS2 8,9
    • Assess the performance of the ISMS, helping to ensure continuous improvement in line with NIS2’s dynamic compliance landscape.

Disclaimer:
This mapping is author’s own interpretation based on his personal opinion and understanding of the requirements. It is not the only possible interpretation and it is most probably not the best one available.

 

Conclusion

By mapping NIS2 requirements to the structured framework provided by ISO 27001:2022, organizations can not only ensure compliance but also strengthen their overall security posture.

It is important to understand that this alignment is not a one-time effort but a continuous process of adaptation and improvement, reflecting the dynamic nature of cybersecurity threats and regulatory requirements.

As such, organizations should focus on regular reviews and updates to their ISMS, ensuring that it remains robust, responsive, and compliant.

The post Maping NIS2 requirements to the ISO 27001:2022 framework first appeared on Sorin Mustaca on Cybersecurity.

NIS-2: 10 common misconceptions about the regulation

/in

We wrote here about NIS2 and we will continue to add more content about it.

Because we are getting closer to October 17th, many people are getting more and more nervous about NIS2.

Despite its significance, there are numerous misconceptions and misinterpretations circulating about the scope and implications of this regulation.

This article aims to clarify some of the misconceptions,  which I collected mostly from LinkedIn and articles about NIS-2.

 

Note:

“NIS2” and “NIS-2” are exactly the same thing. I am using both in this article only because of SEO.

 

 

1. NIS2 starts being applied in the EU starting 17.10.2024

Truth is that the regulation is already applicable in the EU since it was approved. This deadline applies to the individual countries of the EU to convert and apply the NIS2 requirements in local laws.

If national authorities fail to properly implement EU laws, the Commission may launch a formal infringement procedure against the country in question. If the issue is still not settled, the Commission may eventually refer the case to the Court of Justice of the European Union.

 

2. Limited scope of application

Contrary to the belief that NIS-2 only applies to large tech companies, the directive significantly broadens its scope compared to its predecessor, NIS.

NIS-2 extends beyond just critical infrastructure sectors like energy and transport, encompassing a wide array of sectors such as digital services, public administration, and healthcare.

It mandates a security and incident reporting framework that applies to both Essential and Important Entities, significantly expanding the list of sectors and services affected.

3. NIS-2 Is Just About Cybersecurity

While cybersecurity is a core component, NIS-2 is not merely about preventing cyberattacks. The directive emphasizes a comprehensive approach to security, which includes resilience against a wide range of threats.

This includes but it is not limited to:

  • supply chain security,
  • incident response, and
  • crisis management.

It establishes a baseline for security measures and incident notifications that entities must adhere to, ensuring a uniform level of security across member states.

4. NIS-2 compliance is the same across all EU countries

Although NIS-2 sets a framework for cybersecurity across the EU, member states have some flexibility in implementation. This means that there can be variations in how directives are enforced from one country to another, depending on local laws and regulations.

Companies operating across multiple jurisdictions need to be aware of and comply with local variations to ensure full compliance.

5. Heavy penalties are the main compliance driver

While it is true that NIS-2 can impose hefty fines for non-compliance, focusing solely on penalties misses the broader objective of the directive.

NIS-2 is designed to cultivate a culture of security and resilience. It encourages entities to proactively manage their cybersecurity risks and to collaborate with national authorities.

This cooperative approach is fundamental to enhancing the overall cybersecurity posture of the EU.

6. NIS-2 does not affect third-party suppliers

NIS-2 places explicit requirements on the security practices of third-party suppliers. Entities covered under the directive are required to ensure that their supply chains are secure.

This includes mandatory risk assessments and incident reporting requirements that extend to service providers, reflecting an understanding that security is only as strong as the weakest link in the supply chain.

 

7. NIS-2 contains rules for AI, IoT, Industry 4.0.

NIS-2 sets a framework for cybersecurity and it does not address anything in particular. However, the rules described can be very well applied to companies in the fields like those mentioned that fall under the regulation applicability.

The companies active in Digital Infrastructure Services (Internet Nodes, DNS Service Providers, TLD Registries, Cloud Providers, Data Centers, Content Delivery Networks, Trust Services, Communication Networks, Communication Services ) and in

ICT Service Management (B2B only) (Managed Services (IT, Networks/Infrastructure, Applications), Managed Security Services (Risk and Cyber Security) ) are potentially directly affected by the regulation. However, there are clear criteria about which companies are affected.

 

8. Any company with activity in the domains marked as Important and Essential is affected by NIS-2

Although the domains are under the NIS-2 regulation, a company is affected if it meets the criteria:

  • Essential Entities (EE):
    • at least 250 employees and
    • 50 Mil € revenue
  • Important Entities (IE):
    • at least 50 employees and
    • 10 Mil € revenue

If a company doesn’t have these characteristics, then, in general, it is not affected by the regulation directly. It is highly recommended that even in such cases the companies follow the regulation’s requirements, since it will increase their resilience against cyber attacks.

However, an entity may still be considered “essential” or “important” even if it does not meet the size criteria, in specific cases such as when it is the sole provider of a critical service for societal or economic activity in a Member State.

 

9. All affected companies must certify for NIS-2

A the time of writing this post there is no certification for NIS-2. This might change in the future, especially when because we don’t know at this time how the regulation will be implemented in each of the EU member states.

There are consulting companies that sell consulting services and guarantee that a company will get the “NIS-2  certification” if they bus their services. While buying consulting is in general a good thing, the only thing that can be obtained is help in meeting the requirements of the regulation.

I recommend to stay away from offers that promise things that don’t exist.

 

10. Companies can buy software/hardware products to become conform with NIS-2

Although conformity is sometimes made easier by using specialized software and hardware products, there is no requirement or recommendation to purchase anything.

Some security providers and consulting companies are offering On The Shelf  (OTS) products that promise immediate conformity with NIS-2 (or guarantee obtaining a “certification” – see point 9 above).

If you look at the series of articles in the NIS2 area of this website, you will see that actually quite a lot of  steps involve an ISMS, a cybersecurity framework, cybersecurity products and so on.

These can be implemented with commercial or open source products, but there is still need to know where and how to install them in order to become conform.

I can very well imagine that there will be soon commercial offerings with sets of templates for implementing the NIS-2 requirements, just like there are with ISO 27001, TISAX and other certifications.

The post NIS-2: 10 common misconceptions about the regulation first appeared on Sorin Mustaca on Cybersecurity.