Steps for NIS 2 compliance
Following our previous articles on the NIS 2 Directive (hereafter: Directive), in this next part of the article series we give some practical advice on how to prepare for compliance. As you know, the deadline for transposition of the Directive into national law is October 2024, but there is no news yet on which legislation will incorporate the Directive's requirements. The creation of completely new legislation is questionable, as this was not done for the NIS Directive in Hungary.
Waiting for transposition into national law is not recommended, as an organization with a low level of cybersecurity maturity has a long way to go to achieve full compliance.
Based on our experience with GRC projects, we recommend the following steps for preparation:
- Examination of the scope and the applicability of the Directive: at first, organizations must check whether they fall within the scope of the Directive. This is easy to determine, as Annex I of the Directive lists the sectors of high criticality. Any entity in a sector listed there is considered an essential entity covered by the Directive. Annex II of the Directive lists the other critical sectors, whose actors will be the important entities.
- Conducting a gap assessment: the purpose of the gap assessment is to discover the current situation and to identify the gap(s) between it and the defined baseline requirements. For NIS 2 compliance, however, it is not easy to define the baseline, as there is no national legislation yet setting out precise requirements. The Directive lists the cybersecurity risk management measures exhaustively, but these are only topics, not specific requirements. How can this be resolved? In short, by standardisation and knowledge of current legislation. Our recommendations are split between essential and important entities.
a) The range of essential entities effectively covers the critical infrastructure category, which implies that they must assess their compliance with the national legislation that applies to them and under which they should operate anyway. This group is unlikely to see much new in the new rules.
b) The Directive encourages the use of relevant European and international standards and technical specifications to achieve convergent implementation of the cybersecurity risk management measures it requires. On this basis, we propose that the relevant organisations use ISO 27001:2022 as the baseline for the gap assessment during preparation. It is easy to argue in its favour: in addition to being the most internationally recognized standard on the topic, it covers the requirements of the Directive. You can see this for yourself by comparing the Directive's measures with the operational capabilities and Annex A of the standard.
- Performing a risk analysis and defining a baseline: in addition to this step being required by the Directive, we also recommend performing a risk analysis. The risk analysis, in its control assessment step, can use the results of the gap assessment and identify the factors that threaten the organization's operations. Of course, risk management measures should also be defined and an action plan established. It is strongly recommended that the measures already treat the baseline requirements as the target to be achieved. Naturally, the measures should be proportionate to the risks, considering the size, capabilities and other factors of the organization.
- Launch projects to reach the baseline: to protect the organization and meet requirements, identified risks must be eliminated. It is recommended to collect the related risks and address them together in projects.
- Establishing sustainable processes, defining roles: preparation is a long process, and once the organization has achieved its goals it cannot sit back, as it is necessary to maintain the achieved state, continuously improve operations and keep track of changes. This requires the establishment of sustainable cybersecurity processes and the assignment of roles, both for the operation of controls and for the monitoring of risks and overall cybersecurity governance.
NIS 2 cybersecurity risk management measures
- Policies on risk analysis and information system security
- Business continuity, such as backup management and disaster recovery, and crisis management
- Supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers
- Security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure
- Policies and procedures to assess the effectiveness of cybersecurity risk-management measures
- Basic cyber hygiene practices and cybersecurity training
- Policies and procedures regarding the use of cryptography and, where appropriate, encryption
- Human resources security, access control policies and asset management
- Use of multi-factor authentication or continuous authentication solutions, secured voice, video and text communications and secured emergency communication systems within the entity, where appropriate
ISO 27001:2022 Operational Capabilities
- Human resource security
- System and network security
- Identity and access management
- Threat and vulnerability management
- Supplier relationships security
- Legal and compliance