Six Steps On The Road To NIS2 Compliance

NIS 2 is the EU’s most stringent cybersecurity Directive to date, and member states have until 17th October to ratify it into national law. Every organisation striving for NIS 2 compliance will have its own journey based on its current cybersecurity maturity level, risk management, and what constitutes “appropriate and proportionate,”.

However, there are six common steps that can be applied across the board to help make the journey as smooth as possible, explains Martin Davies, Audit Alliance Manager at Drata.

Why The Revised Directive?

Before diving into our key steps, it’s worth asking how we got here and what has changed. The original NIS Directive has its flaws concerning a lack of specificity about who was affected and a lack of consistency in application across EU member states. NIS 2 is designed to clarify these issues and make the Directive more enforceable.

In more detailed terms, NIS 2 delivers more clearly defined governance and oversight, expanded scope, more stringent cybersecurity and risk management requirements, mandatory reporting requirements, tougher enforcement and penalties, cross-border information sharing, and vulnerability disclosure. As such, organisations will have their hands full trying to comply ahead of the 17th October date. We can make that process easier by laying out six steps to help prepare for NIS 2.

1.    Understand The Scope
As with any new compliance plan, the first step is to wrap your head around its scope. This involves a comprehensive look at its sectoral coverage, the critical industries in-scope, and the obligations it imposes. It is worth noting that NIS 2 expands the sectors that fall under its regulations. The original NIS Directive focused on specific critical sectors like energy, transport, and finance. NIS 2 extends to a wider range of sectors, including healthcare, public administration, food, digital infrastructure, space, and postal services. It is also important to make the distinction between "essential" and "important" entities, as stricter supervisory activity will apply to essential entities, reflecting their critical role in maintaining societal functions.

2.    Reach Out To Your Competent Authority
The extent of the impact of NIS 2 on your organisation will be decided by your Competent Authority, a designated body or organisation within an EU member state responsible for overseeing the implementation, enforcement, and compliance of the NIS 2 Directive. Member states may choose to have a single national authority or multiple sector-specific ones. As the primary interface between the government and affected entities, it is vital to establish communication lines early on to confirm your classification type, discover how to report incidents, and find out how to ask for clarification. Demonstrating early engagement is a quick win in terms of showing your commitment.

3.    Complete A Gap Analysis
Now that you understand the requirements, it is time to explore where the gaps in your business lie:

  • Assess your current cybersecurity posture: review existing policies, evaluate technical controls and check compliance.
  • Map NIS 2 requirements to current frameworks and controls: create a requirements matrix and assess maturity levels.
  • Identify and categorise gaps: classify as high, medium or low priority based on factors like regulatory risk, business impact, and the potential for fines.
  • Develop a remediation plan: prioritise remediation activities, define specific actions and assign responsibilities.

4.    Establish New & Updated Policies
This is one of the most important steps in making compliance a reality. Knowing where your gaps are and where your organisation stands is a great start, but it could still take many months to reach a point where you enjoy functional and compliant controls and governance. Deploy controls based on best practices, such as the ISO 27001 standard; document every aspect of the process so you show evidence of compliance to regulators and Competent Authorities; and seek clarification whenever necessary to keep on the right track.

5.    Train Relevant Staff
NIS 2 will pull more and more personnel into its orbit, who may not have been previously involved with cybersecurity or compliance issues. Begin by customising training by role, setting learning objectives and developing the right content. Training can often feel like an extra burden for busy employees so try to incentivise the process to make it worthwhile. Training is also an ongoing process, so regular updates and refreshers are key to maintaining compliance and resilience.

6.    Track Your Progress & Demonstrate Compliance
Organisations with an established cybersecurity and compliance programme probably already have an in-house system for tracking and auditing. However, if NIS 2 is your first major initiative, it is worth considering implementing a continuous compliance platform to design, implement, maintain, and evidence a fully NIS 2-compliant cybersecurity and risk management programme. It is not strictly necessary, but it will make tracking controls, policies and procedures much easier.

The advent of NIS 2 is daunting for companies of all sizes; however, following these simple steps will help reduce the stress and make your journey to compliance seamless.

Martin Davies is  Audit Alliance Manager at Drata 

You Might Also Read:

Resilience As Regulation: Preparing For The Impact Of CER:


If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible


 

 

 

« Try These Virtual Private Network Alternatives Yourself Now 
Remote Pager Attack Begins A New Era Of Warfare »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

ForgeRock

ForgeRock

ForgeRock, the leader in digital identity, delivers comprehensive Identity and Access Management solutions for consumers, employees and things to simply and safely access the connected world.

Silicom Denmark

Silicom Denmark

Silicom Denmark is a premier developer and supplier of FPGA-based interface cards for cyber-security, telecommss, financial trading and other sectors.

Ikerlan

Ikerlan

Ikerlan is an R&D technology centre specialising in areas including embedded systems, industrial automation and industrial cybersecurity.

Security University

Security University

Security University is a leading provider of Qualified Hands-On Cybersecurity Education, Information Assurance Training and Certifications for IT and Security Professionals.

AVL Mobile Security

AVL Mobile Security

AVL Mobile Security is a market-leading mobile security company for anti-virus and threat intelligence in the mobile Internet.

Mvine

Mvine

Mvine's primary business is authoring and selling Cyber-Secure Platforms for Collaboration Portals and for Identity Management as well as delivering cloud support services.

Liquid Technology

Liquid Technology

Liquid Technology provide DOD- and NIST-compliant data destruction and EPA-compliant e-waste disposal and recycling services throughout North America, Europe and Asia.

Aura

Aura

Aura is a mission driven technology company dedicated to creating a safer internet for everyone. We’re making comprehensive digital security that's simple to understand and easy to use.

Capital Network Solutions

Capital Network Solutions

Capital Network Solutions are a highly accredited managed IT services and consultancy provider, specialising in cyber security, infrastructure and communications.

Pacific Global Security Group

Pacific Global Security Group

Pacific Global Security Group offers an intelligence-driven focus on all aspects of cybersecurity for IT/ICS/OT.

Cyberwatch Finland

Cyberwatch Finland

Cyberwatch Finland's services improve decision-makers’ strategic situational picture and enable successful holistic cyber risk management.

Fullstack Academy

Fullstack Academy

A trailblazer in bootcamp education, Fullstack Academy prepares students for fulfilling careers in tech through our NYC campus, online learning, and university partnerships.

Cerby

Cerby

Your team uses unmanageable applications that put you, your company, and your data at risk. Protect, secure, and accelerate your business automatically with Cerby.

Ontinue

Ontinue

Ontinue ION is an MXDR service that provides Nonstop SecOps through five key capabilities that enable your organization to respond to attacks and continuously reduce risk.