Six Steps On The Road To NIS2 Compliance

NIS 2 is the EU’s most stringent cybersecurity Directive to date, and member states have until 17th October to ratify it into national law. Every organisation striving for NIS 2 compliance will have its own journey based on its current cybersecurity maturity level, risk management, and what constitutes “appropriate and proportionate,”.

However, there are six common steps that can be applied across the board to help make the journey as smooth as possible, explains Martin Davies, Audit Alliance Manager at Drata.

Why The Revised Directive?

Before diving into our key steps, it’s worth asking how we got here and what has changed. The original NIS Directive has its flaws concerning a lack of specificity about who was affected and a lack of consistency in application across EU member states. NIS 2 is designed to clarify these issues and make the Directive more enforceable.

In more detailed terms, NIS 2 delivers more clearly defined governance and oversight, expanded scope, more stringent cybersecurity and risk management requirements, mandatory reporting requirements, tougher enforcement and penalties, cross-border information sharing, and vulnerability disclosure. As such, organisations will have their hands full trying to comply ahead of the 17th October date. We can make that process easier by laying out six steps to help prepare for NIS 2.

1.    Understand The Scope
As with any new compliance plan, the first step is to wrap your head around its scope. This involves a comprehensive look at its sectoral coverage, the critical industries in-scope, and the obligations it imposes. It is worth noting that NIS 2 expands the sectors that fall under its regulations. The original NIS Directive focused on specific critical sectors like energy, transport, and finance. NIS 2 extends to a wider range of sectors, including healthcare, public administration, food, digital infrastructure, space, and postal services. It is also important to make the distinction between "essential" and "important" entities, as stricter supervisory activity will apply to essential entities, reflecting their critical role in maintaining societal functions.

2.    Reach Out To Your Competent Authority
The extent of the impact of NIS 2 on your organisation will be decided by your Competent Authority, a designated body or organisation within an EU member state responsible for overseeing the implementation, enforcement, and compliance of the NIS 2 Directive. Member states may choose to have a single national authority or multiple sector-specific ones. As the primary interface between the government and affected entities, it is vital to establish communication lines early on to confirm your classification type, discover how to report incidents, and find out how to ask for clarification. Demonstrating early engagement is a quick win in terms of showing your commitment.

3.    Complete A Gap Analysis
Now that you understand the requirements, it is time to explore where the gaps in your business lie:

  • Assess your current cybersecurity posture: review existing policies, evaluate technical controls and check compliance.
  • Map NIS 2 requirements to current frameworks and controls: create a requirements matrix and assess maturity levels.
  • Identify and categorise gaps: classify as high, medium or low priority based on factors like regulatory risk, business impact, and the potential for fines.
  • Develop a remediation plan: prioritise remediation activities, define specific actions and assign responsibilities.

4.    Establish New & Updated Policies
This is one of the most important steps in making compliance a reality. Knowing where your gaps are and where your organisation stands is a great start, but it could still take many months to reach a point where you enjoy functional and compliant controls and governance. Deploy controls based on best practices, such as the ISO 27001 standard; document every aspect of the process so you show evidence of compliance to regulators and Competent Authorities; and seek clarification whenever necessary to keep on the right track.

5.    Train Relevant Staff
NIS 2 will pull more and more personnel into its orbit, who may not have been previously involved with cybersecurity or compliance issues. Begin by customising training by role, setting learning objectives and developing the right content. Training can often feel like an extra burden for busy employees so try to incentivise the process to make it worthwhile. Training is also an ongoing process, so regular updates and refreshers are key to maintaining compliance and resilience.

6.    Track Your Progress & Demonstrate Compliance
Organisations with an established cybersecurity and compliance programme probably already have an in-house system for tracking and auditing. However, if NIS 2 is your first major initiative, it is worth considering implementing a continuous compliance platform to design, implement, maintain, and evidence a fully NIS 2-compliant cybersecurity and risk management programme. It is not strictly necessary, but it will make tracking controls, policies and procedures much easier.

The advent of NIS 2 is daunting for companies of all sizes; however, following these simple steps will help reduce the stress and make your journey to compliance seamless.

Martin Davies is  Audit Alliance Manager at Drata 

You Might Also Read:

Resilience As Regulation: Preparing For The Impact Of CER:


If you like this website and use the comprehensive 7,000-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible


 

 

 

« Try These Virtual Private Network Alternatives Yourself Now 
Remote Pager Attack Begins A New Era Of Warfare »

Infosecurity Europe
CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

TÜV SÜD Academy UK

TÜV SÜD Academy UK

TÜV SÜD offers expert-led cybersecurity training to help organisations safeguard their operations and data.

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

Apicrypt

Apicrypt

Apicrypt enables secure communications between health professionals by using strong encryption technologies.

RIPS Technologies

RIPS Technologies

RIPS Technologies delivers automated security analysis for PHP applications as platform independent software or highly scalable cloud service.

Netsafe

Netsafe

Netsafe is an independent, non-profit New Zealand organisation focused on online safety. We help people stay safe online by providing online safety education, advice and support.

Rigado

Rigado

Rigado's mission is to enable commercial IoT success by providing high-performance secure and scalable wireless edge connectivity and network infrastructure.

Soffid

Soffid

Soffid provides full Single-Sign-On experience and full Identity and Access Management features by policy-based centralised orchestration of user identities.

Brookcourt Solutions

Brookcourt Solutions

Brookcourt Solutions delivers cyber security, network monitoring technologies and managed security services to help secure and protect your organisation’s critical infrastructure.

Illuma Labs

Illuma Labs

Illuma Labs delivers real-time voice authentication and fraud prevention solutions.

Cognyte

Cognyte

Cognyte is a global leader in investigative analytics software that empowers a variety of government and other organizations with Actionable Intelligence for a Safer World.

JFrog

JFrog

JFrog is on a mission to enable continuous updates through Liquid Software, empowering developers to code high-quality applications that securely flow to end-users with zero downtime.

Input Output (IOHK)

Input Output (IOHK)

IOHK is one of the world's pre-eminent blockchain infrastructure research and engineering companies.

NXM Labs

NXM Labs

NXM is a leader in a leader in advanced cybersecurity software for connected devices.

Obsidian Security

Obsidian Security

Protect your business-critical applications by mitigating threats and reducing risk with Obsidian, the first truly comprehensive security solution for SaaS.

Varutra Consulting

Varutra Consulting

Varutra Consulting is an Cyber Security Consulting, Solutions and Training services firm, providing specialized security services for software, mobile and network.

The Purple Guys

The Purple Guys

The Purple Guys offer Trouble-Free IT Support to businesses across the Central and Southern US. Safe and Secure, Rapid Response, Friendly Support that’s our Purple Promise.

Advanced IT

Advanced IT

Reliable managed IT Security & support services that will help you take your business operations to the next level without breaking the bank!

Nexio

Nexio

We are Nexio. We help organisations take every NEXT step toward their accelerated digital transformation.