Six Steps On The Road To NIS2 Compliance

NIS 2 is the EU’s most stringent cybersecurity Directive to date, and member states have until 17th October to ratify it into national law. Every organisation striving for NIS 2 compliance will have its own journey based on its current cybersecurity maturity level, risk management, and what constitutes “appropriate and proportionate,”.

However, there are six common steps that can be applied across the board to help make the journey as smooth as possible, explains Martin Davies, Audit Alliance Manager at Drata.

Why The Revised Directive?

Before diving into our key steps, it’s worth asking how we got here and what has changed. The original NIS Directive has its flaws concerning a lack of specificity about who was affected and a lack of consistency in application across EU member states. NIS 2 is designed to clarify these issues and make the Directive more enforceable.

In more detailed terms, NIS 2 delivers more clearly defined governance and oversight, expanded scope, more stringent cybersecurity and risk management requirements, mandatory reporting requirements, tougher enforcement and penalties, cross-border information sharing, and vulnerability disclosure. As such, organisations will have their hands full trying to comply ahead of the 17th October date. We can make that process easier by laying out six steps to help prepare for NIS 2.

1.    Understand The Scope
As with any new compliance plan, the first step is to wrap your head around its scope. This involves a comprehensive look at its sectoral coverage, the critical industries in-scope, and the obligations it imposes. It is worth noting that NIS 2 expands the sectors that fall under its regulations. The original NIS Directive focused on specific critical sectors like energy, transport, and finance. NIS 2 extends to a wider range of sectors, including healthcare, public administration, food, digital infrastructure, space, and postal services. It is also important to make the distinction between "essential" and "important" entities, as stricter supervisory activity will apply to essential entities, reflecting their critical role in maintaining societal functions.

2.    Reach Out To Your Competent Authority
The extent of the impact of NIS 2 on your organisation will be decided by your Competent Authority, a designated body or organisation within an EU member state responsible for overseeing the implementation, enforcement, and compliance of the NIS 2 Directive. Member states may choose to have a single national authority or multiple sector-specific ones. As the primary interface between the government and affected entities, it is vital to establish communication lines early on to confirm your classification type, discover how to report incidents, and find out how to ask for clarification. Demonstrating early engagement is a quick win in terms of showing your commitment.

3.    Complete A Gap Analysis
Now that you understand the requirements, it is time to explore where the gaps in your business lie:

  • Assess your current cybersecurity posture: review existing policies, evaluate technical controls and check compliance.
  • Map NIS 2 requirements to current frameworks and controls: create a requirements matrix and assess maturity levels.
  • Identify and categorise gaps: classify as high, medium or low priority based on factors like regulatory risk, business impact, and the potential for fines.
  • Develop a remediation plan: prioritise remediation activities, define specific actions and assign responsibilities.

4.    Establish New & Updated Policies
This is one of the most important steps in making compliance a reality. Knowing where your gaps are and where your organisation stands is a great start, but it could still take many months to reach a point where you enjoy functional and compliant controls and governance. Deploy controls based on best practices, such as the ISO 27001 standard; document every aspect of the process so you show evidence of compliance to regulators and Competent Authorities; and seek clarification whenever necessary to keep on the right track.

5.    Train Relevant Staff
NIS 2 will pull more and more personnel into its orbit, who may not have been previously involved with cybersecurity or compliance issues. Begin by customising training by role, setting learning objectives and developing the right content. Training can often feel like an extra burden for busy employees so try to incentivise the process to make it worthwhile. Training is also an ongoing process, so regular updates and refreshers are key to maintaining compliance and resilience.

6.    Track Your Progress & Demonstrate Compliance
Organisations with an established cybersecurity and compliance programme probably already have an in-house system for tracking and auditing. However, if NIS 2 is your first major initiative, it is worth considering implementing a continuous compliance platform to design, implement, maintain, and evidence a fully NIS 2-compliant cybersecurity and risk management programme. It is not strictly necessary, but it will make tracking controls, policies and procedures much easier.

The advent of NIS 2 is daunting for companies of all sizes; however, following these simple steps will help reduce the stress and make your journey to compliance seamless.

Martin Davies is  Audit Alliance Manager at Drata 

You Might Also Read:

Resilience As Regulation: Preparing For The Impact Of CER:


If you like this website and use the comprehensive 7,000-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible


 

 

 

« Try These Virtual Private Network Alternatives Yourself Now 
Remote Pager Attack Begins A New Era Of Warfare »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

Group-IB

Group-IB

Group-IB is a leading provider of solutions dedicated to detecting and preventing cyberattacks, identifying online fraud, investigating high-tech crimes, and protecting intellectual property.

Progress Flowmon

Progress Flowmon

Progress Flowmon (formerly Flowmon Networks) provide high performance network monitoring technology and behavior analytics to enhance network performance and deal with cyber threats.

idappcom

idappcom

idappcom provides unique industry approved software solutions for auditing and enhancing the threat recognition and response capabilities of your corporate security defences.

IBLISS Digital Security

IBLISS Digital Security

How cyber-resilient is your business now? We help companies to continuously answer this never-ending C-level question.

SIS Certifications (SIS CERT)

SIS Certifications (SIS CERT)

SIS Certifications is an ISO certification body serving more than 10,000 clients in over 15 countries worldwide.

Enso Security

Enso Security

Enso is the first Application Security Posture Management (ASPM) solution, helping security teams everywhere eliminate their AppSec chaos with application discovery, classification and management.

Predatech

Predatech

A cyber security consultancy offering a range of services, including CREST accredited penetration testing, vulnerability assessments and certifications incl. Cyber Essentials & Cyber Essentials Plus.

Arcturus Security

Arcturus Security

Arcturus is a CREST-approved cyber security consultancy created by experts in the field.

LBMC

LBMC

LBMC is a professional services solutions provider in accounting and finance, human resources, technology, risk and information security, and wealth advisory services.

Red Goat Cyber Security

Red Goat Cyber Security

Red Goat Cyber Security have created excellent, informative and interactive Social Engineering Awareness training which is suitable for all levels of staff.

Cryptr

Cryptr

Cryptr provides plug and play authentication to manage all your authentication strategies in one place with just a few lines of code.

Galvanick

Galvanick

Galvanick enables your operations and IT teams to protect your industrial systems and networks against digital threats.

Beaming

Beaming

Beaming is an established Internet Service Provider for businesses across the UK. We deliver reliable voice, data and managed services, including cybersecurity.

Guardian Angel Cyber

Guardian Angel Cyber

Guardian Angel Cyber, is your trusted ally in safeguarding your digital assets and online presence.

Dial A Geek

Dial A Geek

Dial A Geek are a Bristol-based B Corp that provides Managed IT Services to companies of 20+ users. We help businesses with a smart use of tech, including compliance and cybersecurity solutions.

Softcell Technologies Global

Softcell Technologies Global

Softcell is one of India's leading System Integrators. We serve enterprise customers in the areas of IT Security, Mobility, Optimised IT Infrastructure, Cloud and Engineering Services.