Dutch
English
nis2
compliance
nis2 directive
nis2 pentest

How to Prepare for the EU NIS2 Directive

Gray Oshin
17 July, 2024

nis2_banner.png


Cyberattacks are growing at an alarming rate. Because of this, companies of all sizes are suffering from embarrassing reputational damages and huge financial losses. The NIS2 (Network and Information Systems Directive 2) is the European Union’s (EU) latest response to this disturbing trend. 

If you’re unsure how to prepare for the NIS2 directive, we’ll cover the specific steps to achieve compliance. We’ll also discuss the sectors included and possible penalties for non-compliance so you can rest assured you're not breaking any laws or being exposed to attacks.

What is the NIS2 Directive?

The Network and Information Systems Directive 2 (NIS2) is a legislation issued by the European Union (EU) to improve the cybersecurity of network and information systems in the region. The directive was issued on January 16 2023, and countries in the EU must transpose it into national law by October 17, 2024.

Why is NIS2 Important?

According to PwC’s 2024 Global Digital Trust Insights survey, the percentage of businesses that have experienced data breaches costing over $1M has increased from 27% to 36% YoY. This indicates that despite existing measures (case in point, the NIS1), progress in improving security isn’t encouraging. Hence, the need for better and more stringent directives.

Although NIS1, the first piece of EU cybersecurity legislation, increased the ability of member states to fight cybersecurity, its implementation was still difficult. There were quite a few shortcomings that made it complex and confusing for targeted organizations to comply. This caused fragmentation at different levels, and NIS2 had to be drafted. 

Therefore, the goal of the NIS2 directive is to: 

  • Strengthen existing security requirements.

  • Enhance supply chain security.

  • Streamline reporting procedures and

  • Introduce more rigorous supervisory measures and penalties, including standardized sanctions across the EU.

Ultimately, this expansion of the NIS scope through the second directive will cover more sectors and entities, ensuring they take the proper measures to increase cybersecurity in Europe in the long run.

Differences Between NIS1 and NIS2

Based on the goals above, here are the fundamental changes from NIS1 to NIS2:

  1. Broader Scope

NIS2 covers a broader range of entities or sectors than its predecessor, NIS1. This includes both essential and important entities. Essential entities provide critical services to the public, while important entities play a key role in the economy or society. In total, this broadened scope is estimated to cover over 160,000 organizations across the EU. 

It's important to mention that NIS2 will apply to any organization previously covered in the NIS1 directive, plus any organization with over 50 employees and an annual revenue that exceeds €10 million.

  1. Thorough Security Obligations

The confusion in NIS1 usually came down to vague requirements and inconsistencies. Thankfully, NIS2 will address that with more specific security obligations that will cover critical areas like risk management, incident detection and response, and cybersecurity training and awareness.

  1. Incident Reporting

NIS2 requires organizations to report cybersecurity incidents to the authorities, which increases accountability. This enhanced reporting will help authorities better monitor cyber threats and coordinate responses to major attacks. 

Under new guidelines, there will be two phases to incident reporting in NIS2. Affected companies must report the incident within 24 hours after awareness. Then, another final report not more than one month later.

  1. Enforcement through Penalties

The EU is pulling no punches when it comes to NIS2 enforcement, with severe penalties for those who fall short. For example, Essential Entities face maximum fines of €10 million or 2% of their global annual revenue (whichever is higher). Important Entities aren’t so far behind and could be fined up to €7 million or 1.4% of global annual turnover.

Interestingly, these penalties are in addition to any fines levied under GDPR for related incidents! Moreover, the EU has established a European Cybersecurity Competence Centre to coordinate efforts.

How to Prepare for NIS2 and Achieve Compliance

Now that you understand what’s at stake and the importance of this new directive, let’s discuss how to prepare for NIS2. 

Here are the key measures to prepare as stated in the NIS2 Directive:

  1. Secure system acquisition and development: The security of your organization’s systems, applications, and infrastructure is crucial throughout their lifecycle. You must adopt rigorous security measures from development through deployment and disposal, such as having guidelines in place for secure coding and change management practices.

  2. Risk management and information system security: To comply with NIS2, ensure you create thorough risk management practices. This includes developing and regularly updating policies to identify, assess, and mitigate IT system vulnerabilities. To stay ahead of evolving threats and technological changes, remember to conduct ongoing policy reviews and adjustments. 

  3. Incident Handling and Disclosure policies: You need a foolproof incident response and disclosure plan to help minimize damages from security incidents and speed up recovery. These plans should outline organization-wide procedures for detecting, reporting, analyzing, and mitigating incidents to ensure swift recovery and compliance with regulatory requirements.

  4. Business continuity policies: As you draft your incident handling policies, make sure to have plans for backups, disaster recovery, and managing crises. This ensures that even during disruptions, business continues to run as usual. 

  5. Supply chain security and monitoring: Did you know that about 98% of organizations are affiliated with a third party that has previously experienced a breach? To add salt to injury, third-party attacks make up nearly 30% of breaches. That's why, to prepare for NIS2, you must ensure you have secure relationships with service providers and suppliers. Always audit your suppliers’ security practices periodically to ensure they’re keeping things safe on their end.

  6. Asset management: That is, you must know all your organization’s crucial assets and keep them secure. Always maintain a comprehensive inventory of critical assets, including their classification and ownership. 

  7. Cyber hygiene policies and cybersecurity training: Your employees are the first line of defence against cyber threats. We cannot overemphasize just how important it is to teach good cybersecurity habits to protect the organization’s assets. Conduct ongoing security awareness training to foster a security-conscious culture and keep everyone updated on the latest threats.

  8. Cryptography and encryption: This means developing and enforcing policies for using encryption to safeguard sensitive data and communications. Also, ensure these policies outline encryption standards, encryption key management practices, and procedures for keeping data secure.

  9. Human resources (HR) security: For your HR security, develop and implement access control policies. This means that only authorized people can access critical systems and information. In addition, conduct regular background checks and screen employees.

  10. Multi-factor Authentication: Use multi-factor authentication (MFA) to enhance security by requiring multiple forms of verification to confirm user identities and prevent unauthorized access. 

When you read through the NIS2 directive, one thing is clear: top management can and will be held responsible for non-compliance. Their roles have gone beyond just being informed about cybersecurity to taking action and being held accountable. 

Therefore, executives must ensure their organizations adhere to all themes, monitor the implementation of these security measures, and oversee supply chain and incident reporting.

Action Plans for Achieving NIS2 Compliance

Let’s go over specific actions that will help you achieve NIS2 compliance.

  1. Benchmark Security Best Practices

An excellent foundational starting point is benchmarking existing security frameworks. Remember that NIS2 builds on NIS1. So, while the new directive makes cybersecurity stronger, it doesn’t essentially throw everything in the previous legislation away. This also means that existing best practice standards like the ISO 27001 and NIST CSF remain relevant. That’s why you should look at them for detailed controls and how to build on them. 

By aligning your security efforts with these frameworks, you can capitalize on existing controls and processes, accelerating your journey to NIS2 compliance. 

  1. Conduct Thorough Risk Assessment

Every cybersecurity strategy needs a deep risk assessment, and achieving NIS2 compliance is no different. This process should involve:

  • Identifying critical assets

  • Evaluating potential threats

  • Assessing the potential impact of incidents

Don’t forget to always monitor your risk posture to address evolving threats and vulnerabilities. 

  1. Build an Information Security Management System (ISMS) Using Best Practices

Putting an ISMS in place provides a structured approach to cybersecurity by gathering security-related elements into a single source of truth. This helps you understand your current security posture and also monitor your security actions.

  1. Develop and Enforce an Incident Response Plan

Incident handling is a key part of NIS2 compliance. The core parts of your incident response plan should include incident detection, response procedures, communication plan, and post-incident analysis and review.

  1. Strengthen Supply Chain Security

You could do everything right in your security approach and still be undone by external factors like vendors. Here's how to really strengthen your supply chain security:

  • Continuously assess vendor risk and require that they adhere to your security standards.

  • Always include cybersecurity requirements in all Service Level Agreements (SLAs) with suppliers and partners. This ensures everyone knows their security obligation and is accountable for it.

  • Always monitor and audit supply chain security best practices to identify and quickly address potential weaknesses.

  1. Conduct Cybersecurity Training

In its latest 2024 report, Verizon found that the human element was a component in 68% of breaches. It’s simple; if you don’t train your workforce on cybersecurity best practices, they will be your undoing. 

So, create a culture of cybersecurity awareness within your organization. You can do this by:

  • Conducting regular cybersecurity training and awareness programs.

  • Outlining policies and procedures for all employees to follow.

  • Ensuring that senior management is involved in cybersecurity governance.

  1. Comply with Reporting Requirements

Reporting requirements are stricter and clearer in NIS2 than those of its predecessor. To comply, ensure you do the following:

  • Timely reporting by notifying relevant authorities within the timeframe.

  • Thorough documentation with detailed records of all incidents and remediation efforts.

  • Collaboration with authorities during and after incidents.

  1. Certify ISMS

By certifying your ISMS against ISO 27001 and other relevant standards, you show that an independent auditor has verified your ISMS's compliance with industry best practices.

This provides concrete evidence of your organization’s strong security posture, which is not only useful for NIS2 supervision but also for broader business operations.

What Sectors are in the NIS2 Directive?

As we mentioned earlier, the industries required to comply with the EU's NIS2 directive are called Essential and Important entities.

Here’s how they’re defined:

Essential Entities

These are organizations that provide services that are considered crucial for society to run smoothly. This means any disruptions to their services could cause big problems and consequences. They are:

  • Energy

  • Healthcare

  • Banking

  • Transport

  • Drinking water

  • Digital infrastructure

  • Digital service providers

  • Financial market infrastructure.

Important Entities

Although important entities are also crucial, their criticality isn’t quite as severe as essential entities. They are:

  • Food

  • Manufacturing 

  • Postal and courier services

  • Waste-water

  • Waste management

  • Public admin

  • Public electronic communications service providers

  • Space

  • ICE service management

  • Chemicals

  • Research

How WebSec Can Help with NIS2 Compliance

As you prepare to comply with the EU's NIS2 directive, it's essential to maintain a thorough and proactive approach. WebSec can make compliance easier through specialized NIS2 penetration testing that is aligned with the requirements of the new directive. Our NIS2 pentest identifies and mitigates vulnerabilities for essential and important entities, helping you to strengthen your security posture and reduce legal and financial losses.

In the event of a breach, our 24/7 incident response services provide immediate support, ensuring timely and effective incident handling, regardless of the time of day. To help foster a culture of cybersecurity awareness in your organization, we provide comprehensive cybersecurity training sessions that equip your employees with the necessary skills and knowledge to detect, prevent, and respond to security threats without jeopardizing the organization's security.

Be proactive today! Want to learn more? Reach out now, and one of our team members will be happy to help you.

Authored By
Gray Oshin

A Team Member at Websec

Share with the world!

Need Security?

Are you really sure your organization is secure?

At WebSec we help you answer this question by performing advanced security assessments.

Want to know more? Schedule a call with one of our experts.

Schedule a call
Authored By
Gray Oshin

A Team Member at Websec