NIS2 - Countdown To Compliance

Uploaded on 2024-09-11 in TECHNOLOGY--Resilience, FREE TO VIEW, BUSINESS-Services-Law

The NIS directive has been a topic on the agenda for businesses in critical sectors for some time now. Many companies have been exploring its implications, understanding that it sets new standards for cybersecurity across the European Union. This directive aims to enhance the overall level of cybersecurity within the EU by imposing stricter requirements on both security measures and incident reporting.  

However, with the compliance deadline rapidly approaching, organisations must urgently determine their next steps. They need to navigate the complexities of NIS2 to ensure they meet these stringent regulations and protect their operational integrity against evolving cyber threats. 

We sat down with Andrew Lintell, General Manager for EMEA at Claroty, to discuss the immediate actions CISOs must take to ensure their organisations fully comply with NIS2. 
 
How successful has NIS2 been in making companies rethink their security posture so far? 

I think the CISOs operating in European markets have been looking forward to an update on CNI security through NIS2. This directive should ideally represent a 'dream come true' for security leaders, as it provides a strong external mandate to prioritise cybersecurity at the corporate level. In theory, it’s meant to offer a clear framework for implementing robust security measures, enhancing incident response protocols, and ensuring continuous compliance, thereby embedding cybersecurity deeply into the organisational agenda.  But in practice, it has become an impenetrable mess of contradictions for many. 

With the compliance deadline looming, there's little time left to implement necessary measures. While NIS2 has admirable goals, the real issue lies in effectively communicating these needs to the board. Many CISOs find it difficult to convey the urgency and specifics of what must be done, hindering the successful adoption of NIS2 and preventing it from fully improving cybersecurity resilience.  

The above becomes even more problematic when considering the sheer efforts needed to secure CPS (Cyber-Physical) environments like factories, water facilities, electrical grids, and others like hospitals and clinics. The networks are more sensitive, asset discovery is more complex. It requires various technologies and capabilities, deployments of devices like firewalls can be done every second day, and more. Hence, time is of the essence and very little time is left. 

How should CISOs identify and prioritise the specific provisions important for their organisation? 

CISOs must confront the complexities of the NIS2 directive with urgency, but also precision. They need to understand that not all aspects of NIS2 will be relevant to their organisation, so it's crucial to sift through the directive and pinpoint the requirements that directly impact their specific risks and operational needs. This laser focus on what truly matters is vital. 

For example, manufacturing companies must secure their supply chains to ensure uninterrupted production and distribution. In contrast, financial institutions need to prioritise the strong security of financial transactions to protect sensitive data from cyber threats. 

By zeroing in on these critical areas, CISOs can target their efforts, addressing the most urgent vulnerabilities and dramatically enhancing their cybersecurity posture. While covering all of the compliance demands would be ideal, this strategic focus streamlines compliance efforts and strengthens the organisation's resilience. 
 
What are some best practices for maintaining continuous compliance with NIS2? 

CISOs need to approach NIS2 compliance as an ongoing process rather than a one-and-done task. It’s important that once the regulation comes into force, security leaders keep the momentum going within their organisations and stay alert to how they must amend their security policies to combat cyber risk.  

A combination of regular audits and risk assessments, ongoing employee training, constant monitoring of their security systems, and adopting cyber risk reduction methodologies like exposure management and vulnerability prioritizations,  will help them to stay ahead. Stemming from this, it's also crucial to foster a culture of cybersecurity awareness through the rest of the business, not just the top. This involves continuous training, focusing on real-world threats, ensuring employees are well-prepared to recognise and respond to potential issues.  

NIS2 gives authorities new powers to regularly check up on important and essential entities, meaning that security maturity should always be front of mind. Adopting advanced monitoring technologies is key, as these tools provide real-time oversight of user activities, enhancing audit accuracy and managing incidents effectively.  

Staying updated with the latest trends in cybersecurity is another essential component. Organisations should actively engage in industry discussions and dialogues to remain informed about new threats and innovations in security practices. This proactive approach goes beyond meeting regulatory requirements, aiming to establish strong security measures that strengthen the organisation's resilience against future challenges. 

By focusing on these best practices, organisations can ensure they are not just reactive but are well-positioned to anticipate and mitigate potential cyber threats. This will create a more secure and resilient operational environment. 
 
How can CISOs communicate the importance of NIS2 compliance to the board to secure the necessary budget and resources?  

To start achieving these far-reaching security goals throughout the company, CISOs must present a compelling narrative that proves the situation's urgency while communicating with the board. They need to articulate the strategic importance of the proposed investments, making it clear that these are essential not only for compliance but also for strengthening the organisation's overall cybersecurity posture. 

A comprehensive assessment of the organisation's cybersecurity risks and the imperative to protect its assets should be the cornerstone of this communication. CISOs should spotlight the most pressing risks and demonstrate how targeted investments can mitigate these threats, showing that prioritising these areas is crucial for safeguarding the organisation's operational integrity and reputation. 

It's vital to emphasise the potential return on investment and risk mitigation benefits. Investing in compliance measures doesn't just prevent potential penalties and disruptions but fortifies the organisation's security framework, preventing costly breaches and data losses. 

Lastly, presenting a well-defined, actionable plan that details specific funding needs, timelines, and expected outcomes is crucial. By framing the conversation around these critical points, CISOs can compellingly communicate the necessity of the proposed investments, securing essential support from senior management. 
 
How can organisations foster a culture of collaboration and how does this align with NIS2 goals? 

NIS2 aims to get companies working together as well as improving their own security. As part of this, information sharing is key to enhance their cybersecurity posture, especially given the need for prioritised compliance. This involves creating an environment where open dialogue and collaboration are the norm, both internally and with external partners. 

Internally, it's about breaking down silos and encouraging departments to share insights and data related to cybersecurity.For example, in manufacturing, IT security should regularly meet with line management to address operational risks, while in healthcare, clinical engineering must work closely with IT to protect patient data and ensure device security. This collaborative approach ensures that all parts of the organisation are aligned and can quickly respond to threats. Regular cross-departmental meetings and establishing a unified cybersecurity terminology are key strategies. This includes creating a shared understanding of cybersecurity concepts, risks, and practices across all departments, ensuring everyone is on the same page when it comes to protecting the organisation's digital assets. It helps with consistency and the rapid dissemination of vital information. 

Externally, organisations should build strong partnerships with other companies and industry bodies. Sharing information about threats, vulnerabilities, and best practices helps create a united front against cyber threats. It also allows organisations to benchmark their security measures against industry standards and make necessary adjustments. 

By promoting an open exchange of information, organisations can identify gaps in their defences and develop tailored strategies to address them.

This culture of transparency and collaboration aligns perfectly with the goals of NIS2, which emphasises the importance of collective resilience and information sharing to strengthen overall cybersecurity. 
 
 Andrew Lintell is General Manager EMEA at Claroty 

Image: Ideogram

You Might Also Read: 

What Will The NIS2 Directive Mean For Smaller Organisations?:

If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible

 

« Quantum-Safe Encryption Comes Closer
Donald Trump Trolls Taylor Swift »

Infosecurity Europe
CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

ZenGRC

ZenGRC

ZenGRC (formerly Reciprocity) is a leader in the GRC SaaS landscape, offering robust and intuitive products designed to make compliance straightforward and efficient.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

Infosecurity Europe, 3-5 June 2025, ExCel London

Infosecurity Europe, 3-5 June 2025, ExCel London

This year, Infosecurity Europe marks 30 years of bringing the global cybersecurity community together to further our joint mission of Building a Safer Cyber World.

Bulb Security

Bulb Security

Whether your internal red team or penetration testing team needs training, or you lack internal resources and need an outsourced penetration test, Bulb Security can help.

Asavie

Asavie

Asavie provide solutions for Enterprise Mobility Management and secure IoT Connectivity.

Telecom Information Sharing and Analysis Center Japan (T-ISAC Japan)

Telecom Information Sharing and Analysis Center Japan (T-ISAC Japan)

T-ISAC Japan coordinates information sharing and activities related to ISP/telecommunications network security in Japan.

Exatel

Exatel

Exatel is Poland’s leading provider of ICT security services.

TechVets

TechVets

TechVets is a non-for-profit helping UK veterans and service leavers retrain into Cyber Security and Technology jobs.

ReFoMa

ReFoMa

ReFoMa is a consultancy and advisory company with a focus on information Security.

Absolute IT Asset Disposals

Absolute IT Asset Disposals

Absolute IT Asset Disposals is an IT asset disposal (ITAD) company providing safe and secure recycling of IT assets.

ThreatGen

ThreatGen

ThreatGEN™ works with your team to improve your resiliency and industrial cybersecurity capabilities through an innovative and modernized approach to training and services.

Aristi Labs

Aristi Labs

Aristi Labs provides comprehensive security solutions to help businesses protect data and intellectual property, minimizing downtime and maximizing productivity.

Otorio

Otorio

OTORIO delivers industrial cybersecurity and digital risk-management solutions and services. We help our customers to keep their revenue-generating operations resilient, efficient, and safe.

Anterix

Anterix

Anterix is focused on empowering the modernization of critical infrastructure and enterprise businesses by enabling private broadband connectivity.

Analygence

Analygence

ANALYGENCE is your trusted partner for mission support, cyber solutions, and management services.

NASK

NASK

NASK is a National Research Institute under the supervision of the Chancellery of the Prime Minister of Poland. Our key activities involve ensuring security online.

Oleria Security

Oleria Security

Oleria is the only adaptive and autonomous security solution that helps organizations accelerate at the pace of change, trusting that data is protected.

Reco AI

Reco AI

Reco is an identity-centric SaaS security solution that empowers organizations with full visibility into every app, identity, and their actions to control risk in their SaaS ecosystem.

Dark Entry

Dark Entry

Dark Entry provide solutions to safeguard businesses, leveraging advanced technologies and intelligence-driven approaches to detect and mitigate risks associated with compromised data.