NIS2 Requirements: 3 areas you should focus your compliance efforts on

April 2024

Initiating activities to achieve compliance with the NIS2 Directive sounds like quite a lot of homework for impacted organizations. And the absence of national legislation and sector guidelines is frustrating, considering that the clock is ticking.

Organizations falling within the scope of the NIS2 legislation need to familiarize themselves with its requirements to ensure full compliance by the deadline (October 2024).

However, many companies would feel more confident in launching their compliance programs on the basis of local legislation implemented in their country to ensure they take the precise steps needed to comply with their national law.

For the same reason, some organizations would prefer to wait for sector-specific cybersecurity guidelines released by industry authorities outlining concrete rules and requirements that distinctly address their unique characteristics.

Nevertheless, we’d still encourage you to acknowledge that the NIS2 Directive has already laid down the minimum requirements you need to comply with, so it represents a good starting point for your initial activities.

By the time you have implemented those minimum requirements, national legislation will likely have been adopted in your country, and sector-specific guidelines will have been published.

At that point, you will simply have to perform a gap analysis to verify whether additional actions are needed from your side to address the specifications provided at a national level and from industry authorities.

To help you kick off your NIS2 compliance program, we have gathered all the information you need about the requirements set by the NIS2 Directive in this blog post.

What are the requirements you need to comply with?

The requirements imposed on companies by the NIS2 Directive can be grouped into three areas:

  1. Management buy-in, responsibility, training, and liability
  2. Preventative measures to mitigate the risk of cyber incidents
  3. Reporting obligations in the event that cyber incidents occur

Let’s analyze each of them in detail.

1. Management’s responsibility for NIS2 compliance

Leadership matters: Board-level action plan to build and practice strong cyber hygiene

It can be challenging for businesses to keep up with the latest developments in the cyber landscape. To make matters worse, companies don’t always have the skills and resources to prepare themselves properly.

Moreover, key decision-makers often don’t see security implementations as expenses that bring in returns, and that is probably the main reason why security measures are often underfunded.

Although the subject’s complexity cannot be denied, cybersecurity should be considered everyone’s responsibility in an organization. It is essential that key stakeholders in the C-suite and other executives recognize their roles in promoting and spreading a strong security culture within the business.

IT and OT security governance should be seen as an integral part of enterprise leadership as it sustains and extends the company’s strategies and objectives.

Cybersecurity needs to be part of the conversation and be kept front of mind to establish a plan of action and investment for the long-term health of the business.

Management is now liable for NIS2 compliance

The EU Commission anticipated that implementing the cybersecurity measures required by the NIS2 Directive would entail quite extensive expenses for obliged organizations. Therefore, it’s even more crucial that management is educated in cybersecurity, aware of the risks, and convinced of the need to prioritize it – in this way, the right funding will follow.

The Directive addressed the risk that the C-suite would not devote appropriate resources to NIS2 compliance by making a company’s management responsible for approving the cybersecurity risk-management measures taken to comply with the NIS2 requirements. Additionally, management is responsible for overseeing the implementation of these measures and can be held personally liable for compliance failures.

In particular, if competent authorities find compliance infringements, they can temporarily prohibit the CEO or other legal representative from exercising managerial functions.

Moreover, management is required to follow cybersecurity training and is encouraged to offer similar training to employees on a regular basis, so that they gain sufficient knowledge and skills to identify risks and to assess cybersecurity risk-management practices and their impact on the services provided by the entity.

To sum up, management involvement, training, buy-in, and approval of cybersecurity measures are not only recommended ways to proceed—they are now a legal requirement, and non-compliance is punished with suspension.

2. Cybersecurity risk-management measures listed in Article 21

While the NIS2 Directive comprises a total of 46 articles, the one to which companies should devote most of their attention when working toward achieving compliance is Article 21.

Article 21 requires companies to take appropriate and proportionate technical, operational, and organizational measures to manage the risks posed to their NIS (network and information system) security and prevent or minimize the impact of incidents on service recipients.

Such a statement is meant to broadly include all measures necessary to mitigate cyber risks. But what does it really mean?

What are these measures, and how can you make sure they are adequate for your company?

Let’s clarify what’s intended.

NIS2 requires you to implement:

  • Technical measures: those implemented through physical or technological controls, such as alarm systems, firewalls, cryptography, and encryption. For example, implementing a secure remote access solution like Secomea’s to manage and control access to your OT devices and authenticate users via MFA would fall into the category of technical measures implemented under this article.
  • Operational measures: those related to the processes to follow to proactively ensure cybersecurity and reactively respond in case of an incident. They include how to manage risks, analyze them, and mitigate them, as well as the steps to take for crisis management or to recover from an incident.
  • Organizational measures: those implemented through instructions, policies, and procedures, such as regular cybersecurity training for staff and, more generally, the focus on building a cyber-secure company culture based on cyber-hygiene practices.

The measures should be:

  • Appropriate: These measures should ensure a level of security of your network and information systems that is adequate to prevent and mitigate the risks posed by potential incidents affecting your NIS security and, in turn, your services – as well as the recipients (users) of your services.
    In ensuring this appropriate level of security, you should consider the state-of-the-art and relevant international standards, as well as the cost of implementation.
  • Proportionate: These measures should be risk-based: they should take into account your company’s exposure to risks, size, and the likelihood of occurrence of incidents and their severity.
    Your risk analysis should be built on an all-hazards approach – meaning that you should consider all of the thinkable threats that could affect your NIS security.

What exactly should these measures be about? What elements should they cover?

Your cybersecurity measures should cover, at the minimum, the 10 elements listed in Article 21.

If the competent authorities audit your organization’s compliance with the NIS2 legislation, you need to be able to demonstrate that you have implemented measures covering all of the elements listed below.

  1. Policies on risk analysis and information system security
  2. A plan for handling potential incidents
  3. Business continuity, such as backup management, disaster recovery, and crisis management
  4. Supply chain security, taking into account the vulnerabilities specific to each direct supplier and service provider and the overall quality, development procedures, and cybersecurity practices of the products and services provided by your suppliers and service providers
  5. Security in network and information systems acquisition, development, and maintenance – including vulnerability handling and disclosure
  6. Policies and procedures to assess the effectiveness of cybersecurity risk-management measures
  7. Basic cyber hygiene practices and cybersecurity training
  8. Policies and procedures regarding the use of cryptography and, where appropriate, encryption
  9. Human resources security, access control policies, and asset management
  10. The use of multi-factor authentication or continuous authentication solutions, secured voice, video, and text communications, and secured emergency communication systems within the entity, where appropriate.

Companies violating these requirements will be mandated to take, without undue delay, all necessary, appropriate, and proportionate corrective measures to avoid being issued fines.

How can you prove to competent authorities that your measures are appropriate and proportionate?

In case of a compliance inspection from the authorities, you must be able to demonstrate that the measures you implemented are appropriate and proportionate.

To this end, you will need to be able to prove that:

  • The risks and threats you have identified have been handled, the vulnerabilities you encountered in your risk assessment have been mitigated, and you have been periodically reassessing such risks as well as the effectiveness and adequacy of your measures.
  • All 10 minimum requirements listed in Article 21 have been addressed, your incident response plan has been tested, and your company’s management has taken an active part in the process and approved it.
  • The budget approved by management for cybersecurity is adequate for your company’s risk level and size, taking into account the other expenses you have allocated to safety management, for example.
  • All of the above is documented, periodically reviewed, and updated as needed.

3. Reporting obligations

Even if you’ve done everything in your power to prevent a cybersecurity incident from occurring, it can still happen.

Implementing the cybersecurity measures required by the NIS2 Directive will go a long way toward protecting your NIS security and preventing incidents. However, in the event that an incident does happen, you need to be prepared for it and know how to act.

In particular, some reporting obligations need to be attended to. Companies must notify their national CSIRT or, where applicable, other competent authorities without undue delay of any incident that has a significant impact on the provision of their services.

Let’s discover what these reporting obligations entail.

Which incidents should be notified?

Companies must report any incident that significantly impacts the provision of their services.

An incident is to be considered significant if

  • it has caused or is capable of causing severe operational disruption of the services or financial loss for the entity concerned;
  • it has affected or is capable of affecting other natural or legal persons by causing considerable material or non-material damage.

Who should be notified?

Companies must notify their national CSIRT (Computer Security Incident Response Team) or, where applicable, other competent authorities.

Moreover, if the incident is likely to adversely affect the provision of a company’s services, the company should also notify its customers (the recipients of the services affected) and, if appropriate, provide information on the cyber threat and the measures or remedies that the recipients can take to respond to it.

Nobody likes to give bad news, but it’s your responsibility to reassure the people using your services affected by cyber incidents that you have a best practice plan, that you are working hard to limit the damage, and that competent authorities have been notified promptly.

Despite the crisis, businesses need to be transparent in letting people know when things go wrong: to begin rebuilding trust with your customers, those affected should see you take ownership of the issue and act responsibly in the aftermath.

When should the notification be made?

The notification should be made without undue delay, meaning as soon as possible and, in any case, within 24 hours of becoming aware of the significant incident. In particular, companies must notify authorities:

  • within 24 hours, through an early warning indicating whether the incident is suspected of being caused by unlawful or malicious acts or could have a cross-border impact;
  • within 72 hours, through an incident notification updating the information shared via the early warning and indicating the initial assessment of the incident, including its severity and impact;
  • upon request, via an intermediate report on relevant status updates;
  • within a month after the incident notification, via a final report, including
    • a detailed description of the incident, including its severity and impact;
    • the type of threat or root cause that is likely to have triggered the incident;
    • applied and ongoing mitigation measures;
    • where applicable, the cross-border impact of the incident.

What will happen after a company notifies the authorities of a significant incident?

Upon receiving notification of the incident, the CSIRT will respond to the notifying company within 24 hours, including initial feedback on the significant incident. Companies can also request guidance, operational advice on implementing possible mitigation measures, and even technical support. If the incident is suspected to be of a criminal nature, the CSIRT will also guide the company in reporting it to the competent law enforcement authorities.

Once a company has fulfilled its notification duty, the CSIRT will inform other Member States and ENISA if the cyber incident concerns two or more Member States. If necessary, the incident will also be disclosed to the general public.

These new rules are intended to improve how the EU prevents, handles, and responds to large-scale cybersecurity incidents and crises. They do so by introducing clear responsibilities, appropriate planning, and more EU cooperation to ensure that Member States can assist each other in the case of cross-border incidents, have a more structured dialogue with the private sector, and coordinate the disclosure of vulnerabilities found in software and hardware sold across the internal market.

How Secomea can help you

The implementation of Secomea’s secure remote access solution on your factory floors can be qualified as one of the technical measures that you are required to take under Article 21 of the NIS2 Directive to manage the risks posed to the security of network and information systems and prevent or minimize the impact of incidents.

In addition, using Secomea addresses other elements mandated by the legislation.

Moreover, we have outlined a 10-step implementation roadmap that you can follow to ensure compliance with NIS2 requirements.

Finally, to help you navigate the NIS2 legislation and get ready for NIS2 inspections, we have prepared this comprehensive whitepaper.

