by Gorik Van den Bergh and Frederik Vervoort
In a previous article, we discussed what exactly the new NIS2 Directive adopted by the European Parliament entails. In this second part, we take a closer look at some of the measures and procedures that the European NIS2 Directive requires as a minimum to reduce your organisation's vulnerability and increase its resilience to cyber-attacks (and avoid penalties).
Essential and key organisations falling within the scope of the NIS2 Directive must take appropriate and proportionate measures to manage the security risks associated with their network and information systems and to prevent incidents or mitigate the impact of incidents on the recipients of their services.
These measures shall include at least
Risk analysis and information systems security policy;
Business continuity, such as backup management and contingency plans, crisis management;
Supply chain security, including the relationship between each entity and its direct suppliers or service providers;
Security in the acquisition, development and maintenance of network and information systems, including response to and disclosure of vulnerabilities;
Policies and procedures for assessing the effectiveness of cybersecurity risk management activities;
Basic cyber hygiene practices and cyber security training;
Policies and procedures for the use of cryptography and, where appropriate, encryption;
Security aspects related to personnel, access policies and asset management;
Where appropriate, the use of multi-factor authentication or continuous authentication solutions, secure voice, video and text communications and secure emergency communication systems within the entity.
It is recommended to approach the NIS2 compliance project as an (ICT) project:
Ensure that you have top management support, budget and resources, as well as the necessary stakeholder involvement;
Establish a concrete schedule and work on a project basis with fixed deadlines;
Identify the critical services, processes and assets that support the essential services described in NIS2 (e.g. through an organisation-wide business impact analysis).
If an Information Security Management System has not yet been established, this is the next step. The establishment of such an Information Security Management System (ISMS), including the identification and assessment of information security risks, is critical.
If an ISMS is already in place, you can start immediately with the gap analysis. Assess the extent to which the NIS2 requirements are already being met; what are the quick wins and what are the focus areas that will require more effort and time?
Based on the knowledge gained from the above steps, concrete actions can be formulated to close the 'compliance gap' towards NIS2. Implementing NIS2 measures is a holistic approach that integrates human, technical and organisational aspects. Only by bringing these three pillars together can organisations effectively protect their digital infrastructure and meet the requirements of NIS2.
On the human side, organisations must first invest in cyber security awareness and training for their staff. Human measures also include establishing clear incident reporting procedures and training staff to respond quickly to security incidents.
On the technical side, advanced security technologies are needed. This includes installing firewalls, intrusion detection systems, encryption, anti-virus software and other technical solutions to protect networks and systems from cyber attacks. Patching and keeping software and systems up to date is also critical.
Organisational measures include developing sound security policies and establishing procedures for managing security incidents. These policies should include clear lines of responsibility and mechanisms for risk assessment and security auditing. Organisations should also apply the principle of 'least privilege' to ensure that employees only have access to the information and systems they need to do their jobs.
Monitoring involves organisations continuously monitoring their network and information systems. This includes the early detection of potential security incidents, such as cyber-attacks and data breaches.
In addition, continuous improvement is essential to meet the requirements of the NIS2 Directive. This can be achieved by reviewing and improving security policies, updating technical measures and training staff in cyber security awareness.
You are not sure if and to what extent you need to be NIS2 compliant?
Do you want to gain more insight into which concrete measures you still need to take to be NIS2 compliant?
Are you unsure of the right approach?
Our experts can advise and, if necessary, assist you in implementing the necessary security measures to become NIS2 compliant.
In our opinions, we rely on current legislation, interpretations and legal doctrine. This does not prevent the administration from disputing them or from changing existing interpretations.
Read our latest insights and news releases to stay abreast of changes in your industry.