Six Steps On The Road To NIS2 Compliance

NIS 2 is the EU’s most stringent cybersecurity Directive to date, and member states have until 17th October to ratify it into national law. Every organisation striving for NIS 2 compliance will have its own journey based on its current cybersecurity maturity level, risk management, and what constitutes “appropriate and proportionate”.

However, there are six common steps that can be applied across the board to help make the journey as smooth as possible, explains Martin Davies, Audit Alliance Manager at Drata.

Why The Revised Directive?

Before diving into our key steps, it’s worth asking how we got here and what has changed. The original NIS Directive had its flaws: a lack of specificity about who was affected and a lack of consistency in application across EU member states. NIS 2 is designed to clarify these issues and make the Directive more enforceable.

In more detailed terms, NIS 2 delivers more clearly defined governance and oversight, expanded scope, more stringent cybersecurity and risk management requirements, mandatory reporting requirements, tougher enforcement and penalties, cross-border information sharing, and vulnerability disclosure. As such, organisations will have their hands full trying to comply ahead of the 17th October date. We can make that process easier by laying out six steps to help prepare for NIS 2.

1. Understand The Scope
As with any new compliance plan, the first step is to wrap your head around its scope. This involves a comprehensive look at its sectoral coverage, the critical industries in-scope, and the obligations it imposes. It is worth noting that NIS 2 expands the sectors that fall under its regulations. The original NIS Directive focused on specific critical sectors like energy, transport, and finance. NIS 2 extends to a wider range of sectors, including healthcare, public administration, food, digital infrastructure, space, and postal services. It is also important to make the distinction between "essential" and "important" entities, as stricter supervisory activity will apply to essential entities, reflecting their critical role in maintaining societal functions.

2. Reach Out To Your Competent Authority
The extent of the impact of NIS 2 on your organisation will be decided by your Competent Authority, a designated body or organisation within an EU member state responsible for overseeing the implementation, enforcement, and compliance of the NIS 2 Directive. Member states may choose to have a single national authority or multiple sector-specific ones. Because the Competent Authority is the primary interface between the government and affected entities, it is vital to establish communication lines early on to confirm your classification type, discover how to report incidents, and find out how to ask for clarification. Demonstrating early engagement is a quick win in terms of showing your commitment.

3. Complete A Gap Analysis
Now that you understand the requirements, it is time to explore where the gaps in your business lie:

  • Assess your current cybersecurity posture: review existing policies, evaluate technical controls and check compliance.
  • Map NIS 2 requirements to current frameworks and controls: create a requirements matrix and assess maturity levels.
  • Identify and categorise gaps: classify as high, medium or low priority based on factors like regulatory risk, business impact, and the potential for fines.
  • Develop a remediation plan: prioritise remediation activities, define specific actions and assign responsibilities.

4. Establish New & Updated Policies
This is one of the most important steps in making compliance a reality. Knowing where your gaps are and where your organisation stands is a great start, but it could still take many months to reach a point where you enjoy functional and compliant controls and governance. Deploy controls based on best practices, such as the ISO 27001 standard; document every aspect of the process so you can show evidence of compliance to regulators and Competent Authorities; and seek clarification whenever necessary to keep on the right track.

5. Train Relevant Staff
NIS 2 will pull more and more personnel into its orbit who may not previously have been involved with cybersecurity or compliance issues. Begin by customising training by role, setting learning objectives and developing the right content. Training can often feel like an extra burden for busy employees, so try to incentivise the process to make it worthwhile. Training is also an ongoing process, so regular updates and refreshers are key to maintaining compliance and resilience.

6. Track Your Progress & Demonstrate Compliance
Organisations with an established cybersecurity and compliance programme probably already have an in-house system for tracking and auditing. However, if NIS 2 is your first major initiative, it is worth considering implementing a continuous compliance platform to design, implement, maintain, and evidence a fully NIS 2-compliant cybersecurity and risk management programme. It is not strictly necessary, but it will make tracking controls, policies and procedures much easier.

The advent of NIS 2 is daunting for companies of all sizes; however, following these simple steps will help reduce the stress and make your journey to compliance seamless.

Martin Davies is Audit Alliance Manager at Drata.
