The NIS2 (Network and Information Security) Directive is the successor of NIS1. It's meant to achieve a high common level of cybersecurity across member states. NIS1 was found hard to implement, resulting in fragmentation at different levels while threats kept growing. NIS2 has a broader scope resulting in more sectors and organizations that must comply. The updated version includes the necessary security requirements, supply chain security, and reporting obligations streamlining.
Evaluate your suppliers and customers
NIS2 focus on a high common level of cybersecurity. It's essential to ensure the whole supply chain takes cybersecurity seriously. As an organization, you have multiple dependencies determining your success. These dependencies can be suppliers, customers, and even their suppliers and customers. The impact of Cyber Security incidents in their organizations interrupting their processes is likely to affect your processes. Take some time to look at your dependencies and how an incident on their side may affect your organization.
Changes compared to NIS1
We've established that the NIS2 is an updated version of NIS1, but what has changed? The main change is the scope of NIS2. It will apply to many more essential sectors of the economy and society. The sectors that must comply are energy, transport, banks, financial, health, drink water, wastewater, digital infrastructure, (local) government, space, post and courier services, waste management, chemical, food, industry, and digital providers.
The proposed NIS2 directive brings about more precise provisions regarding the incident reporting procedure, content of reports, and deadlines. Entities must inform each other and the European Agency for Network and Information Security (ENISA) of significant cyber incidents and threats. Additionally, the Commission suggests addressing the security of supply chains and relationships with suppliers.
How to prepare
To help organizations prepare for these changes, here are five essential tips to help ensure compliance with the new regulations.
Assess and identify essential services: Review your organization's services and determine which ones are essential. Ensure that these services are resilient and have the required cybersecurity measures in place.
Update incident response plans: Review and update your organization's incident response plans to align with the new NIS2 requirements. This includes the process for reporting cyber incidents and defining roles and responsibilities for responding to security threats.
Conduct regular risk assessments: Regularly assess and identify cybersecurity risks within your organization and take appropriate actions to address them. This includes updating security protocols, software, and hardware systems.
Implement a security-by-design approach: Ensure that security is built into your organization's systems and processes from the beginning. This involves applying security-by-design principles to new and existing systems, which can help prevent security vulnerabilities from being introduced in the first place.
Conduct regular security assessments and penetration testing: It's important to periodically assess your organization's security posture and identify any vulnerabilities or weaknesses that need to be addressed. Engage the services of a reputable security firm to conduct regular penetration testing to identify and validate vulnerabilities. Use the results to develop and implement appropriate remediation measures to strengthen your security defenses.