Six Steps On The Road To NIS2 Compliance

NIS 2 is the EU’s most stringent cybersecurity Directive to date, and member states have until 17th October to ratify it into national law. Every organisation striving for NIS 2 compliance will have its own journey based on its current cybersecurity maturity level, risk management, and what constitutes “appropriate and proportionate,”.

However, there are six common steps that can be applied across the board to help make the journey as smooth as possible, explains Martin Davies, Audit Alliance Manager at Drata.

Why The Revised Directive?

Before diving into our key steps, it’s worth asking how we got here and what has changed. The original NIS Directive has its flaws concerning a lack of specificity about who was affected and a lack of consistency in application across EU member states. NIS 2 is designed to clarify these issues and make the Directive more enforceable.

In more detailed terms, NIS 2 delivers more clearly defined governance and oversight, expanded scope, more stringent cybersecurity and risk management requirements, mandatory reporting requirements, tougher enforcement and penalties, cross-border information sharing, and vulnerability disclosure. As such, organisations will have their hands full trying to comply ahead of the 17th October date. We can make that process easier by laying out six steps to help prepare for NIS 2.

1.    Understand The Scope
As with any new compliance plan, the first step is to wrap your head around its scope. This involves a comprehensive look at its sectoral coverage, the critical industries in-scope, and the obligations it imposes. It is worth noting that NIS 2 expands the sectors that fall under its regulations. The original NIS Directive focused on specific critical sectors like energy, transport, and finance. NIS 2 extends to a wider range of sectors, including healthcare, public administration, food, digital infrastructure, space, and postal services. It is also important to make the distinction between "essential" and "important" entities, as stricter supervisory activity will apply to essential entities, reflecting their critical role in maintaining societal functions.

2.    Reach Out To Your Competent Authority
The extent of the impact of NIS 2 on your organisation will be decided by your Competent Authority, a designated body or organisation within an EU member state responsible for overseeing the implementation, enforcement, and compliance of the NIS 2 Directive. Member states may choose to have a single national authority or multiple sector-specific ones. As the primary interface between the government and affected entities, it is vital to establish communication lines early on to confirm your classification type, discover how to report incidents, and find out how to ask for clarification. Demonstrating early engagement is a quick win in terms of showing your commitment.

3.    Complete A Gap Analysis
Now that you understand the requirements, it is time to explore where the gaps in your business lie:

  • Assess your current cybersecurity posture: review existing policies, evaluate technical controls and check compliance.
  • Map NIS 2 requirements to current frameworks and controls: create a requirements matrix and assess maturity levels.
  • Identify and categorise gaps: classify as high, medium or low priority based on factors like regulatory risk, business impact, and the potential for fines.
  • Develop a remediation plan: prioritise remediation activities, define specific actions and assign responsibilities.

4.    Establish New & Updated Policies
This is one of the most important steps in making compliance a reality. Knowing where your gaps are and where your organisation stands is a great start, but it could still take many months to reach a point where you enjoy functional and compliant controls and governance. Deploy controls based on best practices, such as the ISO 27001 standard; document every aspect of the process so you show evidence of compliance to regulators and Competent Authorities; and seek clarification whenever necessary to keep on the right track.

5.    Train Relevant Staff
NIS 2 will pull more and more personnel into its orbit, who may not have been previously involved with cybersecurity or compliance issues. Begin by customising training by role, setting learning objectives and developing the right content. Training can often feel like an extra burden for busy employees so try to incentivise the process to make it worthwhile. Training is also an ongoing process, so regular updates and refreshers are key to maintaining compliance and resilience.

6.    Track Your Progress & Demonstrate Compliance
Organisations with an established cybersecurity and compliance programme probably already have an in-house system for tracking and auditing. However, if NIS 2 is your first major initiative, it is worth considering implementing a continuous compliance platform to design, implement, maintain, and evidence a fully NIS 2-compliant cybersecurity and risk management programme. It is not strictly necessary, but it will make tracking controls, policies and procedures much easier.

The advent of NIS 2 is daunting for companies of all sizes; however, following these simple steps will help reduce the stress and make your journey to compliance seamless.

Martin Davies is  Audit Alliance Manager at Drata 

You Might Also Read:

Resilience As Regulation: Preparing For The Impact Of CER:


If you like this website and use the comprehensive 7,000-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible


 

 

 

« Try These Virtual Private Network Alternatives Yourself Now 
Remote Pager Attack Begins A New Era Of Warfare »

Infosecurity Europe
CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

ZenGRC

ZenGRC

ZenGRC (formerly Reciprocity) is a leader in the GRC SaaS landscape, offering robust and intuitive products designed to make compliance straightforward and efficient.

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

achelos

achelos

achelos is an independent software development company providing innovative technical solutions for micro-processor chips / security chips and embedded systems in security-critical application fields.

RedShield Security

RedShield Security

RedShield is the world's first web application shielding-with-a-service company.

CSIRT GOV - Poland

CSIRT GOV - Poland

Computer Security Incident Response Team CSIRT GOV, run by the Head of the Internal Security Agency, acts as the national CSIRT responsible for coordinating the response to computer incidents.

Relution

Relution

Relution is the Unified Endpoint Management platform for innovative companies and educational institutions. It enables you to manage your mobile apps and devices easily and securely.

CRI4DATA

CRI4DATA

CRI4DATA's mission is to help organizations build their resilience to cyber risk.

Penningtons Manches Cooper

Penningtons Manches Cooper

Penningtons Manches Cooper is a leading UK law firm providing high quality legal advice in areas including Data Protection, Cyber Security and Cyber Crime.

VIPRE Security Group

VIPRE Security Group

VIPRE Security Group is an award-winning global cybersecurity, privacy and data protection company.

Bigbee Technology

Bigbee Technology

Bigbee Technology are an IT solutions company based in Dar es Salaam founded by a group of professionals from around the globe.

In Fidem

In Fidem

In Fidem specializes in information security management, with a bold approach that views cybersecurity as a springboard to organizational transformation rather than a barrier to innovation.

Dataprise

Dataprise

Dataprise is a leading IT managed services provider offering IT Management and Help Desk Support Services, Cloud Services, Information Security Solution, IT Strategy and Consulting.

Xceptional

Xceptional

Xceptional is a multi-award-winning technology services firm that celebrates the unique strengths of people with autism.

Space Hellas

Space Hellas

Space Hellas is a dynamic, established System Integrator and Value Added Solutions Provider, holding a leading position in the high technology arena.

FastPassCorp

FastPassCorp

In the world of IT, identity theft is a growing concern. FastPass offers an innovative solution as a cloud or on-premises offering.

WBM Technologies

WBM Technologies

WBM Technologies is a Western Canadian leader in the provision of outcomes-driven information technology solutions.

Dotsquares

Dotsquares

Dotsquares leverage the latest web and mobile technologies to build, grow and support your business.

ELK Analytics

ELK Analytics

ELK Analytics is a specialized Managed Security Services Provider (MSSP) that focuses on endpoint security and monitoring & alerting for any type of structured or unstructured data.