NIS2 Framework: Your Key To Achieving Cybersecurity Excellence

With the introduction of NIS2, the European Union has moved beyond the GDPR’s focus on data protection measures to strengthen the entirety of the digital infrastructure that underpins critical sectors. 

The emergence of NIS2 alongside GDPR stems from the acknowledgment that while data protection is vital, it represents just one aspect of cybersecurity. As a global trailblazer in information security and data protection regulation, the EU continues to lead the way in comprehensive cybersecurity standards.

Key Dates for NIS2 Directive

In a landmark moment on November 10, 2022, the European Parliament adopted the NIS2 directive, marking the conclusion of an extensive legislative process. Following approval by the Council of Ministers, NIS2 was officially published in the EU Official Journal on December 27, 2022, and came into force on January 16, 2023.

National Implementation Deadline: Member states are mandated to incorporate the provisions of the NIS2 directive into their national laws by October 17, 2024. 

Entity Classification List Deadline: Member states must establish a comprehensive list of essential entities, including those providing domain name registration services, by April 17, 2025. This list will undergo regular review, with updates occurring at least every two years after that.

Mark these dates on your compliance calendar to navigate the NIS2 landscape effectively and uphold the cybersecurity resilience of your organization.

The Evolving Cyber Threat Landscape

The contemporary threat and regulatory landscape have pressed organizations to fortify their cyber-crisis management capabilities. In recent years, a surge in cyber-attacks targeting critical infrastructure has been observed globally. The transition to remote work during the pandemic has also exposed new vulnerabilities, increasing susceptibility to phishing attacks. Moreover, the geopolitical climate has further heightened the cyber-attack threat, particularly for entities offering essential services that could be sought-after targets.

NIS2 Directive: Strengthening Cybersecurity Posture

The primary goal of the NIS2 cybersecurity framework is to enhance organizations’ security posture to address emerging cyber threats. The directive introduces changes that can significantly impact the way organizations operate. To navigate this landscape, consider the following focus areas:

Assessment of Scope and Compliance:

• Determine if your organization falls within the scope of NIS2.
• Conduct a gap assessment to evaluate current compliance with NIS2 requirements.

Cybersecurity Funding:

• Secure adequate funding for cybersecurity initiatives to meet NIS2 compliance. 

Risk Assessment:

• Perform a comprehensive risk assessment related to network and information systems.

Incident Management:

• Streamline incident reporting procedures and enhance incident management protocols.

Supply Chain Security:

• Assess the security of your supply chain and establish third-party risk management procedures.

Business Continuity and Disaster Recovery:

• Develop or enhance incident response, business continuity, and disaster recovery plans.

Considerations for Covered Entities

If your organization provides services essential for critical societal and economic activities, NIS2 classifies you as an “essential entity” or “important entity.” 

The NIS2 framework exerts influence over a broad spectrum, encompassing EU entities with a workforce of at least 50 individuals or revenue surpassing €10 million, particularly those crucial to societal functions. 

“Essential entities” span sectors such as energy, healthcare, transport, and water. “Important entities” include manufacturing, food, waste management, and postal services. Entities within these categories must adopt a comprehensive set of 10 measures to fortify network and information systems and the physical environment surrounding these systems.

Specified Measures for Covered Entities

1. Formulating policies addressing risk analysis and information system security

2. Managing incidents comprehensively, covering prevention, detection, and response

3. Establishing crisis management and business continuity plans, including backup management and disaster recovery

4. Ensuring supply chain security, encompassing security-related aspects of interactions with suppliers or service providers

5. Safeguarding security in network and information systems acquisition, development, and maintenance, with a particular emphasis on vulnerability handling and disclosure

6. Instituting policies and procedures (including testing and auditing) to evaluate the efficacy of cybersecurity risk management measures

7. Implementing basic cyber hygiene practices and providing cybersecurity training

8. Adhering to policies and procedures regarding the use of cryptography and, where applicable, encryption

9. Managing human resources security, defining access control policies, and overseeing asset management

10. Implementing multi-factor authentication or continuous authentication solutions, securing voice, video, and text communications, and securing emergency communication systems within the entity, as deemed suitable.

Consequences of Non-Compliance

Non-compliance with NIS2 can have severe consequences, including fines and management liability. Essential entities may face fines of up to €10 million or 2% of global annual turnover. In comparison, important entities could incur fines of up to €7 million or 1.4% of the global annual turnover. Management liability, temporary bans against senior management, and temporary suspension of services are potential repercussions.

NIS1 to NIS2: Changes

NIS2 introduces several important changes compared to its predecessor, NIS1. Notable additions include:

• Policies on risk analysis and information system security.
• Enhanced incident handling and business continuity measures.
• Strengthened supply chain security requirements.
• Improved joint situational awareness through increased information sharing.

NIS2 Directive: Building On the Foundations of the NIS Directive

1. Implementation of Cybersecurity Measures Across the 7 Initial Sectors

The NIS2 directive builds upon the initial NIS Directive by reinforcing the implementation of robust cybersecurity measures across the seven critical sectors: energy, transport, water, banking, financial market infrastructures, healthcare, and digital infrastructure. These sectors play a pivotal role in the functioning of society and the economy, making them primary targets for cyber threats. NIS2 mandates that entities within these sectors enhance their cybersecurity posture by adopting advanced measures to protect their network and information systems.

2. High Level of Preparedness for Member States

A cornerstone of the NIS2 directive is ensuring a high level of preparedness among Member States to respond to cyber threats effectively. This involves developing and implementing a National Cyber Strategy, a comprehensive plan outlining the country’s approach to cybersecurity. Member States must also establish a Computer Security Incident Response Team (CSIRT) to promptly detect, respond to, and recover from cybersecurity incidents. These measures contribute to a coordinated and efficient national response to cyber threats, ultimately bolstering the overall cybersecurity resilience of the European Union.

3. NIS Cooperation Group for Strategic Cooperation and Information Exchange

Establishing the NIS Cooperation Group is a critical aspect of the NIS2 directive. This group serves as a collaborative platform, fostering strategic cooperation and facilitating the exchange of vital cybersecurity information among Member States. The European Union Agency for Cybersecurity (ENISA) facilitates NIS2 implementation by actively contributing technical expertise to various working streams of the Cooperation Group.

Points of Interplay with the Other EU Regulations

1. Cooperation rules have been established between NIS2 competent authorities and data protection authorities to address pain points between regulations.
2. Legitimate interest is recognized as a legal basis for personal data processing within the context of ensuring the security of networks and information systems under NIS2. 
3. Notably, the two regulations differ in breach notification timelines and processes. 

As organizations navigate the interplay between NIS2, GDPR, DORA, and the EU CER directive, they are encouraged to adopt holistic strategies that address the multifaceted challenges of cyber threats, data protection, and critical infrastructure resilience.

Guide to NIS2 Compliance: A Strategic Roadmap for Cybersecurity Excellence

1. Assess Your Terrain: Understand the IT and OT Landscape

Begin your NIS2 compliance journey by clearly understanding your existing IT and OT landscape. Conduct assessments to improve visibility into control effectiveness and cyber maturity levels within your organization.

Action Steps:

• Initiate a comprehensive assessment of your current IT and OT systems.
• Identify areas with insufficient visibility and potential cyber risks.
• Evaluate control effectiveness and cyber maturity levels.

2. Lay the Foundation: Establish a Baseline for Cybersecurity Measures

Build a solid foundation by establishing a baseline for cybersecurity measures. Utilize recognized frameworks like the CRA to conduct standardized assessments, allowing you to identify key risks and prioritize improvements.

Action Steps:

• Implement assessments using IEC 62443, C2M2, or the CRA frameworks.
• Identify cybersecurity risks across organizational and technical aspects.
• Prioritize improvements based on the level of risk.

3. Craft Your Strategy: Develop a Strategic Plan for Remediation

Translate assessment insights into actionable strategies. Develop short-term and long-term action plans to address identified risks and vulnerabilities effectively.

Action Steps:

• Utilize assessment insights to craft short-term and long-term action plans.
• Focus on quick wins for immediate risk reduction.
• Consider comprehensive security measures for long-term resilience.

4. Accelerate Your Fixes: Implement Accelerated Fix-it Initiatives

Operationalize key initiatives identified in your strategic plan to fix vulnerabilities promptly. From secure reference architecture implementation to supporting organizational changes, execute fix-it programs efficiently.

Action Steps:

• Implement key initiatives identified in the strategic plan.
• Focus on immediate fixes to enhance cybersecurity levels.
• Leverage fix-it programs for efficient and effective action.

5. Own Your Risks: Ensure Ownership and Foster Responsibility

Ensure clear governance and accountability over risk ownership. Assign risk owners for both IT and OT security to meet tightened reporting requirements under NIS2. Implement IRM/GRC solutions for embedding ownership within your organization.

Action Steps:

• Assign risk owners for IT and OT security.
• Implement an IRM/GRC solution to streamline risk management.
• Ensure timely reporting and response to identified risks.

6. Educate and Raise Awareness: Board Education and Employee Engagement

Make cybersecurity a priority on the management board agenda. Equip management with the necessary knowledge and skills to identify risks and assess cybersecurity risk management. Implement awareness programs for employees.

Action Steps:

• Provide cybersecurity education to the management board.
• Implement awareness programs for employees.
• Demonstrate an adequate and tested cybersecurity program within your organization.

Regulatory Fatigue? 

Managing multiple control frameworks across business lines is increasingly challenging for European businesses. With the release of NIS2, organizations must streamline their control frameworks with the GDPR and other standards.

The key to staying afloat lies in “smart mapping” controls between standards to ensure compliance across diverse business lines. Centraleyes provides a powerful solution for this challenge, enabling organizations to leverage “smart mapping” for testing once and complying with many standards. 

In the face of an increasingly complex EU regulatory environment, leverage Centraleyes to simplify and centralize your compliance efforts, ensuring your organization’s secure and resilient future. 

Book a demo today!