Understanding NIS2: Enhancing Cybersecurity in Critical Sectors

The revised Network and Information Systems (NIS2) Directive is a pivotal milestone.  

This directive signifies a significant stride towards establishing a unified cybersecurity foundation and underscores the imperative for mobile IT or SaaS companies to grasp its nuances. With the overarching goal of reinforcing the resilience of essential services and digital service providers against the ever-evolving landscape of cyber threats, NIS2 introduces a consistent set of cybersecurity standards and practices that must not be overlooked.

This ISMS Connect guide is crafted to assist these enterprises in navigating the intricacies of NIS2, offering a comprehensive understanding of the directive's principles and practical applications. By embracing the insights within this guide, MobileIT or SaaS companies can proactively equip themselves to operate within the bounds of NIS2, foster a culture of cybersecurity, and secure their operations and the trust of their user base.

What Is NIS2?

The NIS2 Directive, which follows the original NIS Directive, is a critical cybersecurity law in the European Union. 

It builds on the groundwork laid by its predecessor and aims to tackle the ever-changing cyber threats that our society faces today. The NIS2 Directive broadens its scope to include a broader range of sectors and entities, going beyond its initial focus areas. This expansion encompasses crucial sectors like energy, transport, banking, healthcare, and others.

This directive requires businesses in critical sectors to improve their network security measures, incident management protocols, and business continuity planning to mitigate cybersecurity incidents. Compliance with the NIS2 Directive is mandatory, placing legal obligations on covered entities to meet the prescribed cybersecurity standards.

NIS vs. NIS2

The NIS Directive marked a significant milestone in EU cybersecurity legislation as it aimed to establish a consistent and robust level of cybersecurity across all Member States. It successfully enhanced the preparedness of Member States against cyber threats. However, certain limitations were to be addressed, including the need for better harmonization among Member States and critical sectors and the absence of a unified crisis-response mechanism.

The revised NIS2 Directive represents a significant step toward establishing a common level of cybersecurity across the European Union. As a comprehensive cybersecurity directive, NIS2 aims to bolster the resilience of essential services and digital service providers against cyber threats by introducing consistent cybersecurity standards and practices.

Why Is NIS2 Important?

More Robust Risk and Incident Management and Cooperation

NIS2 bolsters network security, incident management, business continuity, and compliance for companies operating in essential sectors like: 

• Energy

• Transport

• Banking

• Financial services

• Healthcare

• Drinking water supply

• Digital infrastructure

• Public administration

• Chemicals

• Food supply and distribution

The framework standardizes and modernizes the way essential services organizations manage security across all 28 EU member states, making coordinating responses to incidents or cyber threats easier.

Widening of the Scope of the Rules

In contrast to NIS, NIS2 provides a defined set of sectors within its scope. It states that entities operating in these sectors will be automatically classified as “essential” or “important” if they meet specific criteria.  This means that more entities are obliged to take measures to increase their level of cybersecurity.

The NIS2 Directive applies to Operators of Essential Services (OES) and certain Digital Service Providers (DSPs) that meet specific size criteria. OES are required to comply regardless of their size, while DSPs need to meet employee and turnover thresholds. The directive covers 11 essential sectors and seven critical sectors.

Improves Resilience to Cyber Threats

By introducing consistent cybersecurity standards and practices across the EU, NIS2 aims to improve the resilience of essential services and digital service providers against cyber threats. 

This will help organizations better protect themselves against cyberattacks and minimize the impact of any incidents that do occur.

How to Prepare for the NIS2 Directive

1. Find Out if Your Organization is Covered by NIS2

Firstly, it's crucial to ascertain whether your organization falls under the purview of the NIS2 Directive. 

a) Find Out Whether You Qualify as an Essential Entity (EE) or an Important Entity (IE)

Essential Entities (EE) encompass organizations operating in specific sectors that meet the following criteria: employing approximately 250 individuals, generating an annual turnover of €50 million, and possessing a balance sheet totaling approximately €43 million. 

These sectors include:

• Energy

• Transport

• Finance 

• Public Administration

• Health

• Space

• Water Supply 

• Digital Infrastructure

On the other hand, essential entities encompass organizations that maintain a workforce of approximately 50 individuals, generate an annual turnover of €10 million, possess a balance sheet totaling €10 million, and operate within one of the subsequent sectors:

• Postal Services

• Waste Management 

• Chemicals

• Research 

• Foods 

• Manufacturing 

• Digital Providers

b) Assess Whether Your Organization’s Size Subjects You to Regulation Under NIS2

Even smaller entities can have an impact on cybersecurity. Evaluate your organization's size and significance within your sector to understand if exceptions to compliance apply.

c) Verify If Your Business Is Subject to Any Additional Regulations That Are Specific to Your Industry

Check if your sector already has its own cybersecurity regulations. If so, they could intersect with NIS2, making compliance even more critical. By assessing these factors, you can gain clarity on whether your organization is affected by NIS2 and take proactive steps toward compliance.

2. Seek Appropriate Guidance from a Reputable Agency

Getting the proper guidance is paramount when navigating the intricacies of NIS2 compliance. Reputable agencies can offer expertise and solutions to streamline the compliance process. 

Tools like ISMS Connect provide a tailored approach for small- and medium-sized companies to achieve certification without extensive technical experience or large budgets.

Frederik Hüser, CEO of Wilsmann, recently shared his positive experience with ISMS Connect’s toolkit, which has proven practical and helpful in their operations. Hüser expressed how the toolkit significantly reduced their workload, particularly in developing their information security management system (ISMS). By using this toolkit, they were able to make significant progress in a shorter period.

Hüser also highlighted the excellent support they received via email. The support team was helpful and demonstrated a high level of expertise and efficiency. Their comprehensive, fast, friendly, and competent assistance played a crucial role in the successful outcome of an audit.

3. Conduct a Risk Assessment

Organizations can conduct a risk assessment by identifying potential risks and vulnerabilities in their systems. This can include identifying the systems and processes essential for the organization’s operations. For example, a risk assessment could identify that a company’s financial systems are critical to its operations and require additional security measures.

4. Identify Your Organization’s Critical Processes

Organizations can identify critical processes by determining which systems and processes are essential for their operations. For example, a hospital may identify that its electronic health records system is critical to its operations.

5. Examine the Set of Ten Cybersecurity Risk Management Actions Stipulated by the NIS2

The NIS2 Directive mandates ten cybersecurity risk management measures, encompassing incident management, risk assessment, and penetration testing. To illustrate, an organization may adopt an incident management plan to guarantee an effective response capability.

As stipulated by Article 21 of the legislation, it is required for both EEs and IEs to implement a minimum of the subsequent ten actions:

• Policies on risk analysis and information system security

• Incident handling (prevention, detection, and response to incidents)

• Crisis management and business continuity, such as backup management and disaster recovery

• Supply chain security, including security-related aspects concerning the relationships between each entity and its suppliers or service providers

• Security in network and information systems acquisition, development, and maintenance, including vulnerability handling and disclosure

• Policies and procedures (testing and auditing) to assess the effectiveness of cybersecurity risk management measures

• Basic cyber hygiene practices and cybersecurity training

• Policies and procedures regarding the use of cryptography and, where appropriate, encryption

• Human resources security, access control policies, and asset management

• The use of multi-factor authentication or continuous authentication solutions, secured voice, video and text communications, and secured emergency communication systems within the entity, where appropriate

6. Establish a System for Managing Risk and Information Security

Organizations can implement a risk and information security management system to ensure compliance with the NIS2 Directive. This can include implementing policies and procedures to manage risks and ensure compliance.

• Risk Assessment and Management

• Access Control

• Incident Response Plan

• Security Awareness Training

• Regular Security Audits and Assessments

• Data Encryption

• Network Security

• Vendor and Third-Party Management

• Backup and Disaster Recovery

• Security Governance and Compliance

ISMS Connect provides tools and resources to streamline the process of identifying and assessing risks and implementing effective risk management strategies.  It facilitates the establishment of a robust risk and information security management system, providing the necessary documents, guidance, and access to experts.

7. Commence the Process of Managing Your IT Supply Chain Security

Organizations can initiate their IT supply chain security management process by ensuring suppliers comply with the NIS2 Directive. This can include conducting audits of suppliers’ security practices.

8. Implement Regular Employee Awareness Training

Organizations can implement regular employee awareness training to ensure their employees know the risks associated with cyber threats. This can include training employees on identifying phishing emails or other types of cyber attacks.

9. Conduct Regular Security Tests and Audits

Organizations can conduct regular security tests and audits to ensure their systems comply with the NIS2 Directive. This can include conducting penetration testing or vulnerability assessments.

The NIS2 Directive formally requires Electronic Entities (EEs) and Important Entities (IEs) to undertake the following actions:

• Identify and assess security risks

• Implement risk management measures

• Adopt security measures for resilience

• Notify significant incidents

• Cooperate with authorities and entities

• Establish security policies and procedures

• Appoint a security officer

• Ensure supplier security

• Conduct regular audits and assessments

• Report incidents to national authorities

• Demonstrate compliance

Best Practices in Complying with NIS2 Directive

Establish a Secure System Architecture

The foundation of NIS2 compliance begins with a secure system architecture. Design your digital infrastructure with security in mind from the outset. This includes implementing robust access controls, segmenting networks to limit the spread of cyber threats, and employing encryption where necessary. By weaving security into the fabric of your architecture, you're already on the path to compliance.

When you partner with ISMS Connect, you can leverage their expertise to design your digital infrastructure with security at the forefront. This collaboration empowers you to implement robust access controls, intelligently segment networks to mitigate the spread of cyber threats, and apply encryption where needed. 

ISMS Connect's comprehensive toolkit provides the necessary resources and guidance to weave security into your architecture seamlessly. By utilizing their expertise and resources, you fortify your defenses and expedite your journey toward NIS2 compliance.

Use of Multi-Factor Authentication

Multi-factor authentication (MFA) is a simple yet powerful tool in your cybersecurity arsenal. It adds an extra layer of protection by requiring users to provide two or more forms of identification before granting access. Implementing MFA across your organization can significantly reduce the risk of unauthorized access and enhance overall security, an essential requirement of NIS2.

Regularly Update and Patch Your Infrastructure and Applications

Cyber threats evolve continuously, making it imperative to avoid potential vulnerabilities.

Regularly update and patch your infrastructure and applications to safeguard against known exploits. Automated patch management tools can streamline this process, ensuring your systems are fortified against emerging threats and aligning with NIS2's security expectations.

Always Monitor the System

Proactive monitoring is at the heart of effective cybersecurity. Implement real-time monitoring tools to detect and respond swiftly to anomalies or suspicious activities. Regularly reviewing logs and conducting security audits can help identify potential weaknesses in your system, allowing you to address them before they become significant issues.

Conclusion

By establishing a secure system architecture, implementing multi-factor authentication, maintaining regular updates, and monitoring, organizations can align their operations with the NIS2 standards, bolster their cybersecurity stance, and safeguard sensitive data.

As we've discovered, NIS2 compliance is not just a legal obligation but a strategic imperative that enhances digital resilience. ISMS Connect is a valuable information security resource for SMBs, offering access to resources, templates, and expert guidance. 

Sign up today and simplify compliance.