In this blog, we provide practical guidance for implementing the NIS2 directive. The directive introduces strengthened cybersecurity requirements for a wide range of industries and businesses within the EU, which in turn requires a critical assessment and adjustment of organizations' current security practices and management policies. Although the Dutch transposition of NIS2 is not yet finalized and the effective date is not known, you can already start preparing.
Impact on management
A crucial element of NIS2 is its impact at the management level of organizations. It requires executives to be actively involved in cybersecurity and take responsibility for the security of their information systems. This includes ensuring adequate resources and implementing an information security management system (ISMS).
Understanding the chain
NIS2 emphasizes the importance of understanding the supply chain, holding organizations accountable for the security of their entire chain, including suppliers and partners. Attackers who target large companies often first compromise smaller companies connected to them and use that foothold to reach the larger target. This undermines the chain and affects both large and small companies.
Duty of Care, Duty to Report and Supervision
The duty of care under NIS2 requires organizations to take appropriate technical and organizational measures to manage the risks to their network and information systems. This requires continuous risk analysis and the implementation of preventive measures. The reporting obligation requires organizations to report serious incidents to the relevant national authorities within 24 hours. Compliance monitoring under NIS2 is strengthened, with the possibility of audits and inspections by regulators.
Become demonstrably compliant
To become demonstrably compliant with NIS2, we recommend that organizations implement an ISMS based on recognized standards such as ISO 27001 or NEN 7510 Part 1. Implementing an ISMS provides a structured and cyclical framework for managing these risks and demonstrating compliance. An effective ISMS includes policies, procedures and proper organizational embedding of measures and controls.
This system should be audited regularly to ensure compliance. Performing a gap analysis to determine where the organization stands in relation to NIS2 requirements is an essential first step. Plans should then be developed and implemented to address any deficiencies in the control measures.
Requirements for management measures
The control measures required under NIS2 should be based on a risk assessment and should protect the availability, integrity, and confidentiality of data (BIV, the Dutch term for the CIA triad). To work effectively and efficiently, we recommend primarily using standards that define control measures, such as ISO 27002, NEN 7510 part 2, or the Baseline Informatiebeveiliging Overheid (BIO, the Dutch government information security baseline). Organizations should reconsider and adapt their existing cybersecurity practices to meet the new requirements. This includes, for example, conducting risk assessments, updating incident response plans and ensuring continuity of critical services.
The Perium platform offers organizations a jump-start, starting with a gap analysis to assess the current state of cybersecurity measures and identify where improvements are needed.
The importance of understanding the overlap between NIS2 and other standards
Organizations that already comply with ISO 27001/2, NEN 7510, or the BIO will find that there is significant overlap with the requirements of NIS2. It is important to understand and leverage this overlap to avoid duplication of effort. In the Perium platform, this overlap has already been identified for a flying start.
Key measures explained
NIS2 lists the following areas for which organizations must implement appropriate measures:
- Risk management: Map your digital risks and assess them regularly. Risk assessments allow you to make informed decisions about which control measures to deploy.
- Business continuity: Based on your risk assessment and your continuity requirements, create a continuity plan and test it regularly.
- Supply chain security: Assess the security of your supply chain partners to identify potential risks from external suppliers and service providers, and take appropriate measures to safeguard your business continuity.
- Securing network and information systems: Take a comprehensive approach to securing network and information systems, in which systems are properly configured and effective policies are in place to identify and remediate vulnerabilities.
- Cybersecurity policy: Ensure that there is a clear information security policy, that employees are aware of it, and that it is followed.
- Effectiveness of cybersecurity measures: Regularly assess the effectiveness of your control measures so that you can make appropriate improvements.
- Cryptography and encryption: Ensure that connections are properly secured and correctly encrypted.
- Physical security: Implement physical security measures, including policies related to personnel, access control and asset management.
- Multifactor authentication: Deploy multifactor authentication (MFA) for relevant accounts, in particular accounts that are reachable from the Internet and accounts with administrative rights on critical systems. This is one of the most effective ways to protect your organization from cybercriminals.
Above all, make use of the control measures already defined in the standards mentioned above.
Proactive penalty policy
NIS2 is going to have a considerable impact. Failing to comply carries the risk of a substantial fine, because the directive will be strictly enforced through proactive and regular checks: not only after reports or incidents, but beforehand. The stakes are high: among other things, our nuclear power plants, water supply and hospitals must remain safe. Everyone who supplies them must cooperate, and so must every company in that chain.
Conclusion
For organizations, NIS2 means broadening their approach to information security, with a strong focus on management accountability, risk management, supply chain insight, and demonstrable adherence to proven standards.
With the Perium platform, you can quickly make the right preparations, because NIS2 and the proven standards, including the mapping of their overlap, are already available. In addition, Perium provides a reliable ISMS, including risk management, with templates and a robust automated steering function based on the Plan-Do-Check-Act (PDCA) cycle. This way, you ensure that the right actions are taken by the right people at the right time.