To increase cyber resilience, the EU is launching a new directive, NIS2 (Network and Information System Security). In addition to setting tighter sanctions and stricter requirements, the directive will require company-wide attention to and awareness of cybersecurity, as well as a systematic way to meet all the requirements.
Here we will give you some advice on how to start getting NIS2 ready with the help of an ISMS.
The NIS2 directive in a nutshell
The NIS2 directive is European Union legislation on cybersecurity that replaces the first NIS directive, adopted in 2016. The implementation is expected in January 2023, and the member states will then have two years to convert the directive into national law.
What will change? Quite a lot. The NIS2 directive strengthens cybersecurity requirements in the EU by:
- expanding its scope to new sectors and supply chains
- introducing monitoring measures and incident reporting obligations
- setting stricter implementation requirements
- adding top management accountability
- harmonizing and tightening sanctions
For many CISOs NIS2 is an opportunity to strengthen their position from an advisor to an ambassador and leader on the decisions and actions to be taken, both on technical and business issues.
Key steps to getting started with NIS2
The enforcement of NIS2 is not scheduled for tomorrow. But as the saying goes, it’s better to be safe than sorry. We advise you to start working on compliance now, as the work will take some time. Here are the three key steps to take:
- Determine if you are affected by NIS2.
- Make a gap analysis.
- Start implementing an Information Security Management System (ISMS).
Before anything else, it is essential to know if you are affected by NIS2. Are you a large company and an Essential Entity (EE) or an Important Entity (IE)? Even if you're not, you might be subject to NIS2 nonetheless. And even if you're a small or medium-sized company, you might want to start acting now, as a next round with a wider scope will follow. You also might be – or might want to become – a subcontractor to a company that is affected and that will most likely require readiness from you, too.
The next step is to make a cybersecurity gap analysis to determine the current state of your information security and identify how far away you are from standards such as ISO 27001. Conducting a gap analysis will not only give you a tool to communicate your budget needs but also guide you on actions and priorities, and support you in creating a roadmap for improving compliance. Performing a periodic follow-up assessment will allow you to monitor your maturity progress.
Having an Information Security Management System (ISMS) helps you to maintain compliance and reduce cybersecurity risks by structuring your cybersecurity management with a systemic approach.
Many different approaches exist for implementing an ISMS, with some popular security frameworks being ISO 27001, NIST, and SOC 2. Regardless of the cybersecurity framework you choose, building an ISMS takes time. With a few exceptions, the realistic time frame is at least eight to ten months, so you should undertake the process as soon as possible.
An ISMS helps you to comply with NIS2
It's worth noting that an ISMS is neither a digital system nor a policy document. Another point to make is that many companies have, or at least think they have, developed some kind of management system. But a common problem is that these systems remain one-off projects that are not actively maintained.
Does this mean you need to be certified against standards such as ISO 27001? Not necessarily. But you should at a minimum implement the key elements these frameworks have in common to show continuous effort and improvement of your cybersecurity posture. However, certification by nature forces you to stay on top of your game, as otherwise you'll lose it.
A good ISMS creates company-wide awareness about the implications of cybersecurity risks. It's about management processes, risk management, and crisis management. It includes all legal, physical, and technical controls involved in an organization's information risk management processes. It helps you to put a monetary value on all identified risks. A good ISMS helps you to communicate cybersecurity issues and funding with top management as you get access to data that speaks for itself.
A good ISMS enables you to learn and adapt. This is necessary as crooks keep changing their modus operandi constantly. If you can't keep up with that, you will be attacked and you will be breached, sooner or later. You need an ISMS to learn both from attacks and from dealing with their consequences.
A good ISMS makes sure everything is proactively in place should your business face a situation where all digital systems go down. What do you do during the recovery time that might be days or even weeks? How do you make sure all key stakeholders know the actions, roles, and responsibilities?
An ISMS will not be a wild card to NIS2 compliance, but it will be an advantage, not only for NIS2 but also for your risk management and business continuity.
A NIS2-compliant ISMS also sets requirements for your cybersecurity partners. They need to understand all aspects of cybersecurity, the laws and regulations concerning you, and your business. In addition to technical expertise, they need to have experience in risk management, business continuity, and crisis management. They need to be able to help you build an organization with the necessary internal capabilities.