Organizations must always be aware of the constantly changing compliance landscape to protect their sensitive assets and avoid paying millions in fines. The rapid development of cyber threats fueled by the global pandemic and cyberwarfare have forced the European Union (EU) to update its NIS Directive.

We understand the pain of having to read hundreds of requirements and legislation documents, so we’ve done it for you. This article will help you structure your journey to NIS2 compliance and provide you with an actionable list of best practices to prepare your organization ahead of time.

Overview of the NIS2 Directive

NIS2, or Directive (EU) 2022/2555, aims to enhance the overall level of cybersecurity within the EU and ensure the resilience of networks and information systems of critical entities operating in the region. NIS2 is essentially a set of cybersecurity requirements for organizations across many industries vital for the EU economy.

NIS2 came into force in January 2023, encompassing a broad scope and introducing security requirements, reporting obligations, and sanctions as a response to the increased frequency and impact of cyberattacks on critical EU infrastructure in recent times. Member States have to transpose the required measures into national law by October 17, 2024.

The importance of the NIS2 Directive for businesses

Europe’s critical sectors and businesses have been the target of an increasing number of malicious attacks in recent years. According to the ENISA 2023 Threat Landscape Report, the cybersecurity landscape in the EU Member States “witnessed a significant increase in both the variety and quantity of cyberattacks and their consequences”.

By taking cybersecurity measures required by the NIS2 Directive, organizations can counteract this negative trend and protect themselves from social engineering, supply chain attacks, and other threats outlined in the ENISA report. Among other things, adhering to NIS2 can benefit your organization in as follows:

Benefits of complying with NIS2

Avoid fines and lawsuits

Enhance cyber resilience

Improve risk management

Increase trust of partners and customers

Secure sensitive data

Ensure prompt incident response

Even though achieving NIS2 compliance might not be easy, its long-term benefits for businesses are significant. By adopting a proactive approach to cybersecurity and implementing the NIS2 cybersecurity requirements, organizations can protect their business operations, maintain their reputation, and contribute to a more resilient and secure digital ecosystem in the EU.

Now let’s find out whether your organization is in the scope of the Directive.

Who does NIS2 apply to?

NIS2 applies to entities operating in the EU, regardless of the entity’s geographical presence. Organizations in the following sectors are subject to the Directive:

Note: Please refer to Article 2 of the NIS2 Directive and Annexes I and II to the Directive for more details on affected sectors and organizations.

Read on for practical steps to ensure compliance with NIS2 requirements.

5 tips and best practices for NIS2 compliance

In this section, we review useful tips and best practices for getting ready for NIS2 compliance:

1. Understand the scope

Figuring out the scope of NIS2, your OT/IT systems that fall under this scope, and challenges in achieving compliance are the first steps to achieving NIS2 compliance. Consider the following questions:

• What essential services does your organization provide?
• Can your organization be considered an essential or important entity in your country?
• What new security measures might your organization need to implement to ensure compliance?
• Do you have any suppliers, partners, or customers subject to the Directive?
• Should you include any new obligations in contract agreements with your suppliers and partners regarding NIS2 compliance?

If your organization belongs to the critical sectors defined by NIS2, it’s also important to consider your organization’s size, as only medium and large organizations are subject to NIS2.

Organizations with fewer than 50 employees or an annual turnover of less than €10 million are not affected by NIS2 unless they are deemed of critical importance to society. Article 2 of the Directive also provides a list of other exceptions regardless of the entity’s size.

2. Study the NIS2 security requirements

Article 21 of the Directive outlines the main NIS2 requirements, most of which focus on organizational security:

While specific laws and regulations transposed from NIS2 may differ among Member States, they will all codify the same cybersecurity requirements, so you can start preparing for the NIS2 Directive now.

3. Conduct gap analysis

Once you’ve identified the scope and requirements of NIS2, you’re ready to compare them to the existing security measures implemented in your organization. Gap analysis bridges any existing gaps between the current state of compliance and the desired one.

For a proper gap analysis, take the following key steps:

1. Define the requirements and scope of gap analysis. Compose a scope statement outlining the processes, systems, policies, and people you’ll be assessing.
2. Determine the desired benchmarks. Define the ideal state of compliance your organization wants to achieve.
3. Assess your current state of cybersecurity. Evaluate and document your existing cybersecurity policies, procedures, and controls.
4. Compare existing controls with the required ones. Cross-reference your current cybersecurity measures and policies with the NIS2 Directive requirements.
5. Identify compliance gaps. Pinpoint areas that your current state of cybersecurity lacks in order to comply.
6. Prioritize the gaps. Determine the level of severity and impact of the identified compliance gaps.
7. Develop an action plan. Based on the identified gaps and set benchmarks, create a detailed roadmap to cover all compliance gaps, with clear goals and deadlines.

Consider conducting a gap analysis regularly to keep up with constantly changing cybersecurity requirements and identify potential flaws in your compliance program.

4. Allocate the necessary resources

Successful implementation of the NIS2 Directive requirements involves allocating the resources needed, including money, people, and technology:

Estimate the budget for compliance activities. Planning will allow you to get executive approval for your compliance decisions and avoid unexpected expenses.

There’s no one-size-fits-all scenario for planning the budget increase, as it varies depending on the cybersecurity measures already existing within your organization. However, the Impact Assessment Report 1/3 estimates that average ICT security spending will increase by about 12% to 22%.

Assign responsible employees. This step involves assembling a team responsible for achieving compliance. Such a team may include security analysts, compliance officers, and IT professionals. Clearly define the responsibilities of each team member, ensuring that everyone understands their role.

Invest in security technology. Research which technological solutions can help you close the gaps that were identified during your gap analysis. You may also want to consider automation tools that can streamline compliance processes and reduce the manual workload.

5. Involve your top management

The success of any compliance initiative relies on the backing of your organization’s leaders. The executive board must be aware of your organization’s top-tier security needs, as it plays a crucial role in ensuring NIS2 compliance.

First and foremost, inform your board of the penalties described in the NIS2 Directive. In addition to extensive fines, NIS2 details the liability of the “management bodies” regarding infringements of cybersecurity requirements and reporting obligations of the Directive.

Educate senior executives about cybersecurity risk management. Conduct educational sessions with the executive board to enhance their understanding of cybersecurity issues, NIS2 cybersecurity requirements, and the organization’s current cybersecurity posture.

Article 20 of the NIS2 Directive requires the organizations’ top management to:

• Approve cybersecurity risk management measures and oversee their implementation
• Follow training and regularly offer employees similar training for the purpose of “[gaining] sufficient knowledge and skills to enable them to identify risks and assess cybersecurity risk-management practices”

Seek executive sponsorship. Find an executive to support your cybersecurity initiatives, promote your NIS2 compliance efforts, and advocate for the necessary resources. Collaborating with such an executive allows you to align your actions with the board’s expectations and speed up compliance-related processes.

Complying with NIS2 requires the implementation of cybersecurity software solutions. See how Ekran System can help you meet your needs in the section below.

Achieving NIS2 compliance with Ekran System

Ekran System is a full-cycle insider risk management platform designed to deter, detect, and disrupt insider threats. Equipped with a feature-rich toolset, Ekran System can help your organization enhance cyber resilience and implement the majority of NIS2 requirements with one single solution.

Here are just some of the ways you can use Ekran System to enhance your organization’s cyber protection and manage insider risks:

• Monitor and record the activity of your employees and third parties to see how they interact with your sensitive assets
• Manage access permissions and verify user identities with 2FA to prevent unauthorized access to your critical endpoints
• Implement the just-in-time approach and secure sensitive data by granting temporary access to your partners, third-party vendors, and suppliers
• Receive real-time notifications about suspicious user behavior to keep your security team ahead of threats
• Configure automated incident response options to promptly kill suspicious processes and block users violating security policies
• Send warning messages to users who break security policies to remind them of corporate rules
• Generate custom reports to get more details on employee activity and perform security audits

But the list goes on. To see how Ekran System can help you comply with NIS2 requirements, read the full mapping on our page on NIS2 compliance.

Case study

European Healthcare Provider AGEL Protects Sensitive Data From Insider Threats Using Ekran System

Conclusion

NIS2 requires critical EU entities to implement a wide range of requirements, outlined in Article 21 of the Directive. If your organization is an essential or important entity, consider covering any gaps between your organization’s current state and the NIS2 requirements to enhance your cybersecurity and avoid fines. Focus on access management, activity monitoring, supply chain security, incident response, and other cybersecurity measures described in the Directive.

As a comprehensive insider risk management platform, Ekran System offers multiple cybersecurity capabilities in a single platform, helping you implement the majority of measures required by NIS2.

*** This is a Security Bloggers Network syndicated blog from Ekran System authored by [email protected]. Read the original post at: https://www.ekransystem.com/en/blog/best-practices-for-nis2-compliance