Organizations must keep track of a constantly changing compliance landscape to protect their sensitive assets and avoid fines that can run to millions of euros. The rapid growth of cyber threats, fueled by the global pandemic and by cyberwarfare, has pushed the European Union (EU) to replace its original NIS Directive with an updated one.
We understand the pain of having to read hundreds of requirements and legislation documents, so we’ve done it for you. This article will help you structure your journey to NIS2 compliance and provide you with an actionable list of best practices to prepare your organization ahead of time.
Download our ebook for a more detailed guide to NIS2 compliance, with steps for meeting each cybersecurity requirement.
Overview of the NIS2 Directive
NIS2, or Directive (EU) 2022/2555, aims to enhance the overall level of cybersecurity within the EU and ensure the resilience of networks and information systems of critical entities operating in the region. NIS2 is essentially a set of cybersecurity requirements for organizations across many industries vital for the EU economy.
NIS2 entered into force in January 2023. It broadens the scope of the original NIS Directive and introduces security requirements, incident reporting obligations, and sanctions in response to the increased frequency and impact of cyberattacks on critical EU infrastructure. Member States had to transpose the Directive into national law by October 17, 2024.
The importance of the NIS2 Directive for businesses
Europe’s critical sectors and businesses have been the target of an increasing number of malicious attacks in recent years. According to the ENISA 2023 Threat Landscape Report, the cybersecurity landscape in the EU Member States “witnessed a significant increase in both the variety and quantity of cyberattacks and their consequences”.
By taking cybersecurity measures required by the NIS2 Directive, organizations can counteract this negative trend and protect themselves from social engineering, supply chain attacks, and other threats outlined in the ENISA report. Among other things, adhering to NIS2 can benefit your organization as follows:
Benefits of complying with NIS2:
- Avoid fines and lawsuits
- Enhance cyber resilience
- Improve risk management
- Increase the trust of partners and customers
- Secure sensitive data
- Ensure prompt incident response
Even though achieving NIS2 compliance might not be easy, its long-term benefits for businesses are significant. By adopting a proactive approach to cybersecurity and implementing the NIS2 cybersecurity requirements, organizations can protect their business operations, maintain their reputation, and contribute to a more resilient and secure digital ecosystem in the EU.
Now let’s find out whether your organization is in the scope of the Directive.
Who does NIS2 apply to?
NIS2 applies to entities that provide services or carry out activities in the EU, regardless of where the entity itself is established. Organizations in the following sectors are subject to the Directive:
Sectors subject to NIS2
Sectors of high criticality (NIS2 Annex I). Large entities in these sectors are classified as essential entities; medium-sized entities in these sectors are classified as important entities (Article 3).
- Energy
- Transport
- Banking
- Financial market infrastructures
- Health
- Drinking water
- Waste water
- Digital infrastructure
- ICT service management (B2B)
- Public administration
- Space
Other critical sectors (NIS2 Annex II). In-scope entities in these sectors are classified as important entities (Article 3).
- Postal and courier services
- Waste management
- Manufacture, production, and distribution of chemicals
- Production, processing, and distribution of food
- Manufacturing
- Digital providers
- Research
Note: Refer to Article 2 (scope) and Article 3 (essential and important entities) of the NIS2 Directive, together with Annexes I and II, for the full list of affected sectors and entity types.
Read on for practical steps to ensure compliance with NIS2 requirements.
5 tips and best practices for NIS2 compliance
In this section, we review useful tips and best practices for getting ready for NIS2 compliance:
5 steps to getting ready for NIS2 compliance:
1. Understand the scope
2. Study the NIS2 security requirements
3. Conduct gap analysis
4. Allocate the necessary resources
5. Involve your top management
1. Understand the scope
The first steps toward NIS2 compliance are figuring out whether the Directive applies to you, which of your IT and OT systems fall within its scope, and what obstacles you expect on the way to compliance. Consider the following questions:
- What essential services does your organization provide?
- Can your organization be considered an essential or important entity in your country?
- What new security measures might your organization need to implement to ensure compliance?
- Do you have any suppliers, partners, or customers subject to the Directive?
- Should you include any new obligations in contract agreements with your suppliers and partners regarding NIS2 compliance?
If your organization operates in one of the sectors listed in Annex I or II, you also need to consider its size: as a rule, only medium-sized and large organizations are subject to NIS2.
The Directive uses the EU definition of enterprise size (Commission Recommendation 2003/361/EC). Small and micro enterprises, meaning those with fewer than 50 employees and an annual turnover or balance sheet total of €10 million or less, are generally out of scope. However, Article 2(2) brings certain entities into scope regardless of their size, for example sole providers of a service essential to society, providers of public electronic communications networks, trust service providers, TLD name registries and DNS service providers, and entities whose disruption could have a significant impact on public safety, security, or health. Check Article 2 carefully before concluding that your organization is exempt.
2. Study the NIS2 security requirements
Article 21(2) of the Directive lists the minimum cybersecurity risk-management measures that essential and important entities must implement. Most of them focus on organizational security:
Security measures required by NIS2:
1. Policies on risk analysis and information system security
2. Incident handling
3. Business continuity, such as backup management and disaster recovery, and crisis management
4. Supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers
5. Security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure
6. Policies and procedures to assess the effectiveness of cybersecurity risk-management measures
7. Basic cyber hygiene practices and cybersecurity training
8. Policies and procedures regarding the use of cryptography and, where appropriate, encryption
9. Human resources security, access control policies and asset management
10. The use of multi-factor authentication or continuous authentication solutions, secured voice, video and text communications, and secured emergency communication systems within the entity, where appropriate
NIS2 sets a minimum level of harmonization (Article 5): the laws transposing it may differ among Member States and may impose stricter requirements, but every national law must cover at least the Article 21 measures. You can therefore start preparing against the Directive's text now and adjust for national specifics once your Member State's transposing law is in place.
3. Conduct gap analysis
Once you've identified the scope and requirements of NIS2, you're ready to compare them with the security measures already implemented in your organization. A gap analysis identifies the differences between your current state of compliance and the desired one, so that you can plan how to close them.
For a proper gap analysis, take the following key steps:
- Define the requirements and scope of gap analysis. Compose a scope statement outlining the processes, systems, policies, and people you’ll be assessing.
- Determine the desired benchmarks. Define the ideal state of compliance your organization wants to achieve.
- Assess your current state of cybersecurity. Evaluate and document your existing cybersecurity policies, procedures, and controls.
- Compare existing controls with the required ones. Cross-reference your current cybersecurity measures and policies with the NIS2 Directive requirements.
- Identify compliance gaps. Pinpoint areas that your current state of cybersecurity lacks in order to comply.
- Prioritize the gaps. Determine the level of severity and impact of the identified compliance gaps.
- Develop an action plan. Based on the identified gaps and set benchmarks, create a detailed roadmap to cover all compliance gaps, with clear goals and deadlines.
Consider conducting a gap analysis regularly to keep up with constantly changing cybersecurity requirements and identify potential flaws in your compliance program.
4. Allocate the necessary resources
Successful implementation of the NIS2 Directive requirements involves allocating the resources needed, including money, people, and technology:
Estimate the budget for compliance activities. Planning will allow you to get executive approval for your compliance decisions and avoid unexpected expenses.
There's no one-size-fits-all figure for the budget increase, as it depends on the cybersecurity measures your organization already has in place. For reference, the European Commission's impact assessment accompanying the NIS2 proposal estimated that ICT security spending would rise by up to 22% for entities newly brought into scope and by about 12% for entities that were already covered by the original NIS Directive.
Assign responsible employees. This step involves assembling a team responsible for achieving compliance. Such a team may include security analysts, compliance officers, and IT professionals. Clearly define the responsibilities of each team member, ensuring that everyone understands their role.
Invest in security technology. Research which technological solutions can help you close the gaps that were identified during your gap analysis. You may also want to consider automation tools that can streamline compliance processes and reduce the manual workload.
Insider tip:
To reduce the financial strain of technology implementation, you can apply for financial aid from organizations such as the Digital Europe Program, which funds various digital initiatives.
5. Involve your top management
The success of any compliance initiative relies on the backing of your organization's leaders. The executive board must understand your organization's security needs, since NIS2 assigns it a direct role in ensuring compliance.
First and foremost, inform your board of the penalties described in the NIS2 Directive. In addition to substantial fines, NIS2 makes the "management bodies" of essential and important entities accountable for infringements of the Directive's cybersecurity requirements and reporting obligations (Article 20), and allows supervisory authorities to temporarily prohibit individuals responsible at the management level of an essential entity from exercising managerial functions (Article 32).
Consequences of non-compliance with NIS2:
- Sanctions against top managers, including personal liability and, for essential entities, temporary bans on exercising managerial functions
- Administrative fines of up to €10 million or 2% of total worldwide annual turnover, whichever is higher, for essential entities, and up to €7 million or 1.4% of total worldwide annual turnover, whichever is higher, for important entities (Article 34)
- Temporary suspension of certifications or authorizations relevant to the services provided (Article 32)
Educate senior executives about cybersecurity risk management. Conduct educational sessions with the executive board to enhance their understanding of cybersecurity issues, NIS2 cybersecurity requirements, and the organization’s current cybersecurity posture.
Article 20 of the NIS2 Directive requires the members of an organization's management bodies to:
- Approve the cybersecurity risk-management measures taken by the entity and oversee their implementation
- Follow training so that they "gain sufficient knowledge and skills to enable them to identify risks and assess cybersecurity risk-management practices and their impact on the services provided by the entity"; the Directive also encourages entities to offer similar training to their employees on a regular basis
Seek executive sponsorship. Find an executive to support your cybersecurity initiatives, promote your NIS2 compliance efforts, and advocate for the necessary resources. Collaborating with such an executive allows you to align your actions with the board’s expectations and speed up compliance-related processes.
Download our ebook containing detailed guidance and best practices to ensure compliance with the NIS2 Directive and meet all of its cybersecurity requirements.
Complying with NIS2 requires technical controls as well as policies, and in practice that means deploying cybersecurity software. See how Syteca can help you meet these needs in the section below.
Achieving NIS2 compliance with Syteca
Syteca is a full-cycle insider risk management platform designed to deter, detect, and disrupt insider threats. Equipped with a feature-rich toolset, Syteca can help your organization enhance cyber resilience and implement many of the NIS2 measures with a single solution.
Here are just some of the ways you can use Syteca to enhance your organization’s cyber protection and manage insider risks:
- Monitor and record the activity of your employees and third parties to see how they interact with your sensitive assets
- Manage access permissions and verify user identities with 2FA to prevent unauthorized access to your critical endpoints
- Implement the just-in-time approach and secure sensitive data by granting temporary access to your partners, third-party vendors, and suppliers
- Receive real-time notifications about suspicious user behavior to keep your security team ahead of threats
- Configure automated incident response options to promptly kill suspicious processes and block users violating security policies
- Send warning messages to users who break security policies to remind them of corporate rules
- Generate custom reports to get more details on employee activity and perform security audits
But the list goes on. To see how Syteca can help you comply with NIS2 requirements, read the full mapping in our ebook on achieving NIS2 compliance.
Conclusion
NIS2 requires essential and important entities in the EU to implement the cybersecurity risk-management measures outlined in Article 21 of the Directive and to meet its incident reporting obligations. If your organization is in scope, close the gaps between its current state and the NIS2 requirements to strengthen your cybersecurity and avoid fines. Focus on access management, activity monitoring, supply chain security, incident response, and the other measures described in the Directive and explained in our ebook on NIS2 compliance.
As a comprehensive insider risk management platform, Syteca offers multiple cybersecurity capabilities in a single platform, helping you implement the majority of measures required by NIS2.
Explore the power of Syteca now!