Despite the prevalence and growing complexity of cyber threats, many organisations have still not adopted an adaptive culture to embrace new security solutions.
In answer to this, the EU has launched the NIS2 Directive which introduces new requirements for organisations to bolster their resilience against cyber threats.
What Is NIS2?
NIS2 is an updated directive that expands upon its predecessor, the NIS (Network and Information Systems) Directive. It introduces stringent requirements and obligations for organisations across Europe, focusing on four key areas: risk management, corporate accountability, reporting obligations, and business continuity.
The Directive is set to be introduced into national law by October 17, 2024, making it imperative for relevant organisations to prepare for compliance.
While frameworks such as ISO 27001 and Cyber Essentials exist, it remains at the discretion of organisations whether they choose to adopt them. NIS2 effectively changes this for organisations working in or with Europe.
Below we explain what new obligations have been introduced and how implementing them will affect organisations.
The Core Requirements of NIS2
Risk Management: Organisations must implement measures to minimise cyber risk. This covers a wide range of controls, including incident management, supply chain security, network security, access control, and encryption.
Corporate Accountability: The directive requires management to play an active part in overseeing and approving cyber security measures, and to undergo training on their organisation’s cyber security measures. It emphasises management’s responsibility for addressing cyber risks, with potential penalties for breaches, including liability and temporary bans from management roles.
Reporting Obligations: Organisations that are considered essential or important must establish processes for rapidly reporting security incidents that significantly impact their service provision. NIS2 specifies notification deadlines, such as a 24-hour “early warning” system.
Business Continuity: Organisations must develop plans to ensure business continuity in the event of major cyber incidents. This includes system recovery, emergency procedures, and setting up crisis response teams.
The 10 Minimum Measures
Beyond the overarching requirements, NIS2 also mandates the implementation of baseline security measures to combat specific cyber threats. These measures include:
Risk Assessments and Security Policies for Information Systems: Conduct regular risk assessments and develop security policies tailored to specific information systems.
Effectiveness Evaluation of Security Measures: Beyond implementation, there must be policies and procedures in place to regularly evaluate the effectiveness of all security measures.
Cryptography and Encryption Policies: The use of cryptography and, where relevant, encryption, is mandated to protect data integrity and confidentiality.
Incident Handling Plans: Detection, reporting, response, and recovery procedures to minimise the potential impact of a security breach.
System Procurement and Development Security: Policies for handling and reporting vulnerabilities, ensuring that all new and existing systems are secure by design.
Cyber Security Training and Awareness: Regular cyber security training and promoting basic computer hygiene practices among all employees.
Access Control Policies: Policies for data access and security procedures for employees with access to sensitive or important data are crucial.
Business Continuity Management: A comprehensive plan for managing business operations during and after a security incident. This includes maintaining up-to-date backups and ensuring access to IT systems and their operating functions.
Multi-Factor Authentication: The deployment of MFA, continuous authentication solutions, and, when appropriate, encryption for voice, video, and text communications significantly enhances security.
Supply Chain Security: Organisations must assess and secure their supply chains, choosing appropriate security measures based on the vulnerabilities of each direct supplier.
Who Does NIS2 Impact?
The aim of NIS2 is to benefit not only the individual organisation but Europe as a whole, since malicious content tends to gain traction after its initial breach.
While primarily targeted at European organisations providing ‘essential services’ (energy, transportation, banking and financial services, health, etc.), by the nature of globalised operations, organisations within the UK will find themselves impacted as well.
As such, UK organisations that find themselves regularly transacting with organisations within the EEC are advised to assess their security standards in line with NIS2.
Steps To Prepare For NIS2 Compliance
Preparing for NIS2 compliance starts with a thorough scope and impact analysis to understand whether your organisation falls under the directive’s jurisdiction and to identify what areas will be affected. This sets the foundation for the next phase, where current security measures and policies will be evaluated. It’s crucial to assess existing protocols to pinpoint areas that require attention to meet the NIS2 standards. Once identified, the focus shifts to integrating new security measures and updating incident reporting obligations in the supply chain.
Strategic Benefits of NIS2 Compliance
Adhering to NIS2 can also serve as a strategic advantage. It demonstrates to customers and partners that your organisation is committed to maintaining the highest standards of cyber security. It also prepares your organisation for future cyber challenges while increasing security awareness across your user base.
How To Prepare
As the deadline for NIS2 compliance approaches, relevant organisations must take proactive steps to understand and integrate the directive’s requirements. By doing so, they not only comply with European law but also strengthen their cyber security framework, protecting their operations and improving their reputation.
Akita is a professional cyber security partner to a range of organisations across industries. To discuss preparing your organisation for NIS2 requirements, please get in touch: