NIS2 Compliance: 6 Best Practices You Need To Know
The race to NIS2 compliance is heating up, and we are here to help guide you through it. When a major legislative change like NIS2 comes around, organizations often scramble to ensure compliance. Part of the challenge is understanding the scope and what you need to do; this is not necessarily easy with 73 pages of legal speak and ambiguities to cut through. Then, you have to see where any current processes and standards fall short, before strengthening cybersecurity in line with what NIS2 asks for. Bearing these difficulties in mind, the following blog offers several best practices to help ensure your business complies with NIS2 by that all-important October 18th, 2024 effective date.
1. Conduct a clear risk analysis to decide on adequate cybersecurity measures
Despite the Directive’s clear aim of achieving more robust cyber resilience across the EU, one key point to bear in mind is that you don’t need to impose excessive financial and administrative burdens to achieve compliance. NIS2 asks for measures that are proportionate to the risk, taking the cost of implementation into account; central to compliance is achieving a level of cybersecurity that aligns with the specific risks your organization actually faces.
To determine the appropriate level of cybersecurity, conduct a risk analysis that aims to at least answer the following questions:
- How crucial is your organization to broader societal functions and what could happen if a cybersecurity incident compromised your operations?
- How dependent are you on digital supply chains (compromises of which can have far-reaching consequences)?
- Have there been past incidents, or is there an increased likelihood of future attacks on your company and in your sector?
- What exactly could threat actors access if they manage to compromise your IT environment?
This is crucial to get right because misunderstanding your risk profile can lead either to excessive measures (and wasted budget) or to under-investment (and an increased risk of violations). An external consultant can often provide the most objective analysis of your risk profile and help decide on the security measures you actually need.
2. Tackle risks using an all-hazards approach
While the Directive does take a risk-based approach to deciding how proportionate your security measures must be, it is quite specific that you need to manage risk from an all-hazards perspective. This means preparing for a wide range of potential threats: not just cyber attacks, but also physical and environmental events that could impact the availability or integrity of your network and information systems.
Some hazards and measures to consider beyond classic cyber threats like ransomware or malware are:
- Natural disasters (such as floods or fires), power or telecommunications failures, and unauthorized physical access to your premises.
- Securing your physical facilities against unauthorized access and ensuring your systems are resilient to natural events and human error.
- Implementing strong access control policies and training your staff in security best practices to prevent unauthorized access and reduce the risk of human error.
These measures all go back to the importance of the CIA triad. You need to preserve confidentiality, integrity, and availability of data and services.
3. Improve supply chain security
The words “supply chain” appear in the EU’s NIS2 document 20 times. This exemplifies legislators’ increased awareness and emphasis on the risks of today’s increasingly interconnected IT systems. Whether you use third-party vendors or IT service providers, the security of these external partners becomes central to your overall cybersecurity posture.
Before onboarding any new vendor or partner, conduct a comprehensive risk assessment to understand the potential security risks they might introduce. Focus on prospective and current suppliers’ cybersecurity policies, practices, and history of breaches. This could include reviewing their certifications (e.g., ISO 27001) and their compliance with any other relevant security standards.
Also, map out your entire supply chain to identify every third party that has access to your critical systems and data. This visibility is essential for understanding where potential weaknesses exist. It is also what lets you verify that each supplier holds only the minimum access permissions needed to deliver its services, in line with the principle of least privilege, and that access is removed when the engagement ends.
4. Plan and practice incident response
NIS2 is strict on incident reporting. Under Article 23 you must send an early warning within 24 hours of becoming aware of a significant incident, followed by an incident notification within 72 hours and a final report within one month. This short initial window means your incident reporting procedure and wider incident response plan need to be streamlined, practiced, and polished. In particular, you need to be able to answer who is in charge when a critical incident happens, how and to whom you report it, what the communication channels are, when your legal team gets involved, and so on.
Obviously, a big part of this is having a clear plan in which everyone knows their role. But you need to go beyond that and conduct regular simulated exercises that put the plan into practice. The last thing you want is a plan that looks good on paper but produces chaos and confusion in a real incident, one that must be properly documented and reported for NIS2 compliance.
5. Recognize that cybersecurity has board-level accountability
The board of directors must take an active role in overseeing NIS2 compliance. Cybersecurity is no longer just an IT issue; it is a critical business risk that affects the entire organization. Under NIS2, a company’s board (or “management body”) must approve the cybersecurity risk-management measures, oversee their implementation, and can be held liable for infringements. Where gross negligence by senior executives results in cybersecurity incidents, this can lead to individual fines or temporary bans from holding similar positions.
Your board members should integrate cybersecurity into the organization’s overall strategy, regularly discuss it in meetings, and set clear cybersecurity objectives. Moreover, proper training in identifying cyber risks and best practices is essential to achieve this accountability by the management body.
6. Use certifications to benefit your NIS2 compliance
Existing information security certifications that you might have, such as ISO 27001, can streamline the path to NIS2 compliance. Organizations with an ISO 27001 or similar certification are already well-positioned because they have established processes for managing information security risks.
Conduct a gap analysis to identify how your existing ISO 27001 controls align with NIS2 requirements. This will show you what is already in place and where you need extra measures. Many of the controls required by ISO 27001, such as risk assessment procedures, incident response plans, and access control measures, are also key components of NIS2 compliance. By building on these existing controls, you can reduce the effort and time needed to achieve full compliance.
Closing thoughts
As with any sweeping piece of legislation, especially one that covers a field as technical as cybersecurity, there are obstacles to navigate on the way to compliance. Some of NIS2 is quite vague, but hopefully any ambiguities will be clarified as national transpositions and guidance mature. Despite the challenges, the Directive appears to be welcome: a SANS survey found that 60 percent of respondents were very positive about NIS2 and regarded it as a much-needed directive to improve EU-wide cybersecurity.
The value of external cybersecurity consulting becomes evident in complicated areas like NIS2 compliance. At DIESEC, our NIS2 consulting services can help implement best practices for compliance. We’ll carry out an objective risk assessment of your digital infrastructure to help gauge what cybersecurity measures you need. We’ll also help develop an incident response plan that meets those all-important reporting obligations, and we’ll put mechanisms in place to help you easily document everything needed.