10 steps to ensure NIS2 compliance

April 2024

If your organization falls within the scope of the NIS2 legislation, you need to implement the required cybersecurity measures by October 2024 and be prepared for compliance inspections.

In this blog post, we will share with you a step-by-step implementation roadmap with practical recommendations to embark on your NIS2 compliance journey.


How to successfully meet NIS2 standards

When the competent authority comes to audit your organization under NIS2 compliance, they will be expecting you to fulfill a few main objectives:

  • Risk management, which includes your processes to properly identify the risks your business runs and demonstrate that management complied with its obligation to be in control and take ownership of this risk assessment.
  • Protection against cyberattacks, which consists of the measures you have implemented to limit your exposure to the risks identified and safeguard the cybersecurity of your IT and OT assets and networks.
  • Detection of cybersecurity events, which concerns the measures you have implemented to monitor access to your systems—such as user authentication, access management, users’ privileges, audit logs, and so on—and discover potential incidents.
  • Minimization of cybersecurity events, which refers to your processes for responding to cybersecurity events, notifying the authorities, and recovering from cyber incidents.

Below is a 10-step process to set yourself up for success in your NIS2 compliance program.

1. Scope assessment

Evaluate whether you fall within the scope of the NIS2 Directive and whether you qualify as an essential or important entity.

2. Asset audit and threat modeling

Get a good overview of your IT and OT environments and the assets relevant to providing critical services to society. An asset audit will give you a better idea of what systems you have, where they are located, who has access to them, and how they are protected. This inventory will give you the knowledge needed to examine the current state of your business’s cybersecurity and adequately assess the risks to those assets while considering the threats unique to your business.

Only then can you proceed with the threat modeling that best suits your situation. Threat modeling is the process of working out which cyberattacks you are most likely to face and which of your operations attackers would target if they decided to attack you. Where could cybercriminals get in? What would they steal? And finally, how can you prevent it?

Ensure that all the other resources and devices connected to your network whose potential infiltration could spread to the assets that provide critical services are also identified.

3. Risk assessment

Evaluate your risk level. Your asset inventory will give an initial picture of your cybersecurity status, based on which you can investigate where there is room for improvement and how best to start filling gaps in your defenses.

The identification of your company’s specific risks will be your baseline to plan your cybersecurity journey.

When assessing your risks, consider your tolerance level for downtime and map out your priorities for maintaining operations and systems. These considerations will be the foundation for your business continuity, crisis management, and disaster recovery plans (detailed in step 5).

The Directive does not specify who should be responsible for performing the risk assessment in your company. It is up to you to identify the person or people best suited for the job—your cybersecurity team, compliance department, system owners, or similar. What matters (and what the Directive explicitly requires) is that the risk assessment is signed off by management – as management needs to take ownership of the company’s risk analysis and risk appetite.

3.1 Supply chain due diligence

Include your supply chain in your risk assessment. For each of your suppliers and service providers, you should collect information on their security, taking into account the vulnerabilities specific to each supplier’s products and services. This is especially important if you rely on critical ICT services, systems, or products, for which it’s recommended to use suppliers certified under European cybersecurity certification schemes.

In general, the NIS2 Directive requires you to get to know your supplier by performing some due diligence activities. These activities can help you identify the critical assets your essential services depend on, the cybersecurity processes and practices they have in place, and how they manage vulnerabilities.

Based on these insights, you can assess whether your suppliers can be qualified as NIS2-compliant vendors and classify them based on the quality and resilience of the products they provide.

All this third-party information should then be fed into your risk assessment so that you can assess and describe how to handle the risks entailed and involve management, as they are the ones who need to approve such risk scenarios.

4. Cybersecurity measures implementation

Implement the required cybersecurity measures to prevent identified risks, protect your IT and OT assets from cybersecurity threats, and detect incidents if they occur.

When implementing cybersecurity measures, document the reasons behind your choices.

The Directive requires you to implement cryptography (and, where appropriate, encryption), HR security, access control policies, asset management, multi-factor authentication, etc. However, if you receive a visit from the authorities to inspect your organization, they won’t ask you if you configured firewalls and how; they won’t look for specific tools and features you have set up in your organization.

They will be looking for indicators of good practice, and they’ll be expecting you to let them in on your line of thinking, to be transparent, and to have reasonable explanations for each decision you have made in setting up your defense mechanisms. So, you should be able to demonstrate your reasoning regarding the controls and measures you have or have not implemented.

5. Response plans creation

Establish response procedures for handling attacks and minimizing the impact of cybersecurity incidents. Also, implement processes to keep potential damage to a minimum and recover the affected operations to ensure business continuity.

To this end, you should start with an impact analysis: determine which operations are mission-critical or time-sensitive and identify the impact a potential disaster could have on them. This will enable you to properly prioritize the risks and define the order in which the operations should be re-established. Restoration priorities should be based on criticality: business processes and vital functions with the highest financial and operational impact likely need to be recovered first.

Moreover, you should identify the resources — including both technology and people — that support those mission-critical areas, as well as the resources and stakeholders whose support you’ll need to recover operations. During a cyber incident, you should know what assets you need to keep operations running smoothly (people, technology, records, utilities, products), how long it will likely take to restore operations, and who will take charge.

Your crisis plan should involve a coordinated response and avail of the skills of multiple relevant stakeholders across the business (not only your IT and OT teams but also legal, customer service, operations, and anybody who will have to play a role in responding to the incident). Establish a chain of command with clearly assigned processes and responsibilities to minimize the time from when a disaster hits until the recovery process begins.

6. Reporting modalities setup

Set up procedures to fulfill your reporting obligations promptly so that, should a cyber incident occur, you can notify the authorities within 24 hours. Additionally, if needed, inform your customers (the recipients of the services affected) and, if appropriate, provide information on the cyber threat and the measures or remedies they can take to respond to it.

7. Staff training

Train your employees to identify risks, detect threats, protect assets, and respond to incidents. Ensure that all relevant stakeholders are on board and aware of their responsibilities, the actions to perform at each stage, and where to find the answers needed.

8. Testing

Test the effectiveness of your response procedures.

A plan cannot be considered complete and in place until there is proof that it will work as expected.

Roles and priorities need to be tested so that you know you can count on the plan when the time comes. You should ensure that your employees know what they are supposed to do and that the measures you implemented work as intended.

To this end, it’s recommended to conduct simulated disaster exercises to ensure the effectiveness of the plan and the employees’ readiness.

9. Periodic review

Ensure your response plans and your overall cybersecurity strategy are up to date. Running tests periodically, at least once a year, will let you validate your recovery strategies and use lessons learned to make changes or updates if needed.

Additionally, you should ensure that you have taken into account multiple possible incident scenarios, as well as how potential changes in your resources (both technology and people) will affect the effectiveness of your crisis management plan.

10. Documentation and safe storage

Document all of your security measures, controls, and processes within policies on risk analysis and network and information systems security (in acquisition, development, and maintenance), as well as plans for incident response, business continuity, backup management, crisis management, and disaster recovery.

Also, ensure their appropriate storage so that they are accessible in time of need.

For instance, consider the risk that the storage location of your recovery plans gets infected. How will you access them, then? Did you do a backup in an alternative cloud?

You could also consider printing them out, which would give you physical safeguards if your whole IT infrastructure were affected.


Tips and easy wins

Even if you are new to the scope of the Directive, as a manufacturing organization there may be some low-hanging fruit you can pick.

You will likely already have some of the required policies, processes, and measures in place. So, a good starting point could be to review your existing setup with your compliance, QA, and security teams – i.e., analyze your current security program, incident response plan, safety measures, quality assurance program – and, more generally, the existing controls you have been using so far – to identify the potential gaps and assess how to move forward.

Besides, you might have been audited before to obtain an official certification of compliance with international standards such as the ISO 9000 family on quality management and assurance, the ISO 27000 series for your information security management system (ISMS), or IEC 62443 for OT cybersecurity in automation and ICS. Nothing stops you from reusing those existing attestations as a basis for your NIS2 compliance work. Many of the controls and measures included in these standards can be adapted to the context of the new requirements and used to demonstrate how you ensure cybersecurity in your IT, OT, and IIoT systems and networks.

Again, as stated earlier, there is no right or wrong framework to use, nor will the authorities ask you about a specific one. What they will want to know is why you have picked a certain control framework over another, and you should be able to explain the reasoning behind your choices.

Besides, if you use Secomea for your secure remote access needs, you are already off to a great start when it comes to implementing technical cybersecurity measures. If the authorities ask you how you protect your OT environments, for instance, you can mention that you chose to implement Secomea precisely because it is purpose-built for OT networks and devices.

To help you navigate the NIS2 legislation and prepare for NIS2 inspections, we have compiled this comprehensive whitepaper.
