NIS2 - Countdown To Compliance

The NIS directive has been a topic on the agenda for businesses in critical sectors for some time now. Many companies have been exploring its implications, understanding that it sets new standards for cybersecurity across the European Union. This directive aims to enhance the overall level of cybersecurity within the EU by imposing stricter requirements on both security measures and incident reporting.  

However, with the compliance deadline rapidly approaching, organisations must urgently determine their next steps. They need to navigate the complexities of NIS2 to ensure they meet these stringent regulations and protect their operational integrity against evolving cyber threats. 

We sat down with Andrew Lintell, General Manager for EMEA at Claroty, to discuss the immediate actions CISOs must take to ensure their organisations fully comply with NIS2. 
 
How successful has NIS2 been in making companies rethink their security posture so far? 

I think the CISOs operating in European markets have been looking forward to an update on CNI security through NIS2. This directive should ideally represent a 'dream come true' for security leaders, as it provides a strong external mandate to prioritise cybersecurity at the corporate level. In theory, it’s meant to offer a clear framework for implementing robust security measures, enhancing incident response protocols, and ensuring continuous compliance, thereby embedding cybersecurity deeply into the organisational agenda. But in practice, it has become an impenetrable mess of contradictions for many.

With the compliance deadline looming, there's little time left to implement necessary measures. While NIS2 has admirable goals, the real issue lies in effectively communicating these needs to the board. Many CISOs find it difficult to convey the urgency and specifics of what must be done, hindering the successful adoption of NIS2 and preventing it from fully improving cybersecurity resilience.  

The above becomes even more problematic when considering the sheer efforts needed to secure CPS (Cyber-Physical Systems) environments like factories, water facilities, electrical grids, and others like hospitals and clinics. The networks are more sensitive, and asset discovery is more complex. It requires various technologies and capabilities, deployments of devices like firewalls can be done every second day, and more. Hence, time is of the essence and very little time is left.

How should CISOs identify and prioritise the specific provisions important for their organisation? 

CISOs must confront the complexities of the NIS2 directive with urgency, but also precision. They need to understand that not all aspects of NIS2 will be relevant to their organisation, so it's crucial to sift through the directive and pinpoint the requirements that directly impact their specific risks and operational needs. This laser focus on what truly matters is vital. 

For example, manufacturing companies must secure their supply chains to ensure uninterrupted production and distribution. In contrast, financial institutions need to prioritise the strong security of financial transactions to protect sensitive data from cyber threats. 

By zeroing in on these critical areas, CISOs can target their efforts, addressing the most urgent vulnerabilities and dramatically enhancing their cybersecurity posture. While covering all of the compliance demands would be ideal, this strategic focus streamlines compliance efforts and strengthens the organisation's resilience. 
 
What are some best practices for maintaining continuous compliance with NIS2? 

CISOs need to approach NIS2 compliance as an ongoing process rather than a one-and-done task. It’s important that once the regulation comes into force, security leaders keep the momentum going within their organisations and stay alert to how they must amend their security policies to combat cyber risk.  

A combination of regular audits and risk assessments, ongoing employee training, constant monitoring of their security systems, and adopting cyber risk reduction methodologies like exposure management and vulnerability prioritisation will help them to stay ahead. Stemming from this, it's also crucial to foster a culture of cybersecurity awareness through the rest of the business, not just the top. This involves continuous training, focusing on real-world threats, ensuring employees are well-prepared to recognise and respond to potential issues.

NIS2 gives authorities new powers to regularly check up on important and essential entities, meaning that security maturity should always be front of mind. Adopting advanced monitoring technologies is key, as these tools provide real-time oversight of user activities, enhancing audit accuracy and managing incidents effectively.  

Staying updated with the latest trends in cybersecurity is another essential component. Organisations should actively engage in industry discussions and dialogues to remain informed about new threats and innovations in security practices. This proactive approach goes beyond meeting regulatory requirements, aiming to establish strong security measures that strengthen the organisation's resilience against future challenges. 

By focusing on these best practices, organisations can ensure they are not just reactive but are well-positioned to anticipate and mitigate potential cyber threats. This will create a more secure and resilient operational environment. 
 
How can CISOs communicate the importance of NIS2 compliance to the board to secure the necessary budget and resources?  

To start achieving these far-reaching security goals throughout the company, CISOs must present a compelling narrative that proves the situation's urgency while communicating with the board. They need to articulate the strategic importance of the proposed investments, making it clear that these are essential not only for compliance but also for strengthening the organisation's overall cybersecurity posture. 

A comprehensive assessment of the organisation's cybersecurity risks and the imperative to protect its assets should be the cornerstone of this communication. CISOs should spotlight the most pressing risks and demonstrate how targeted investments can mitigate these threats, showing that prioritising these areas is crucial for safeguarding the organisation's operational integrity and reputation. 

It's vital to emphasise the potential return on investment and risk mitigation benefits. Investing in compliance measures doesn't just prevent potential penalties and disruptions but fortifies the organisation's security framework, preventing costly breaches and data losses. 

Lastly, presenting a well-defined, actionable plan that details specific funding needs, timelines, and expected outcomes is crucial. By framing the conversation around these critical points, CISOs can compellingly communicate the necessity of the proposed investments, securing essential support from senior management. 
 
How can organisations foster a culture of collaboration and how does this align with NIS2 goals? 

NIS2 aims to get companies working together as well as improving their own security. As part of this, information sharing is key to enhance their cybersecurity posture, especially given the need for prioritised compliance. This involves creating an environment where open dialogue and collaboration are the norm, both internally and with external partners. 

Internally, it's about breaking down silos and encouraging departments to share insights and data related to cybersecurity. For example, in manufacturing, IT security should regularly meet with line management to address operational risks, while in healthcare, clinical engineering must work closely with IT to protect patient data and ensure device security. This collaborative approach ensures that all parts of the organisation are aligned and can quickly respond to threats.

Regular cross-departmental meetings and establishing a unified cybersecurity terminology are key strategies. This includes creating a shared understanding of cybersecurity concepts, risks, and practices across all departments, ensuring everyone is on the same page when it comes to protecting the organisation's digital assets. It helps with consistency and the rapid dissemination of vital information.

Externally, organisations should build strong partnerships with other companies and industry bodies. Sharing information about threats, vulnerabilities, and best practices helps create a united front against cyber threats. It also allows organisations to benchmark their security measures against industry standards and make necessary adjustments. 

By promoting an open exchange of information, organisations can identify gaps in their defences and develop tailored strategies to address them.

This culture of transparency and collaboration aligns perfectly with the goals of NIS2, which emphasises the importance of collective resilience and information sharing to strengthen overall cybersecurity. 
 
Andrew Lintell is General Manager EMEA at Claroty

Image: Ideogram
