The European Union (EU) is driving the sectors that make up its essential and important infrastructure to a higher level of cyber security and resilience through the upcoming Network and Information Systems Directive 2 (NIS 2).
In Gartner’s September 11, 2023, paper, Quick Answer: How to Effectively Prepare for NIS 2, Gartner states that the purpose of NIS 2 is to expand the scope and requirements of the original directive in order to achieve a higher level of cybersecurity controls for critical infrastructure across various sectors in the EU. The deadline for organizations to comply with NIS 2 is October 17th, 2024, and many organizations are in full preparation mode.
Who Needs to Comply with NIS 2
NIS 2 applies to the following organizations operating within the EU, as well as to non-EU entities providing services within the EU. NIS 2 categorizes organizations into “essential entities” and “important enterprises”.
Essential entities include large organizations operating in sectors such as energy, transportation, banking, financial infrastructure, healthcare, drinking water, digital infrastructure, managers of ICT services, wastewater, government services, and space. Large organizations are defined as those with at least 250 employees, an annual turnover of at least €50 million, or an annual balance sheet total of at least €43 million.
Important enterprises are medium-sized organizations operating in the sectors above, as well as medium-sized and large organizations operating in sectors such as digital providers, postal and courier services, waste management, food products, research and development, and the manufacturing industry. Medium-sized organizations are defined as those with at least 50 employees and an annual turnover (or balance sheet total) of at least €10 million.
Gartner outlines how organizations can prepare for the Directive:
- Determine whether your organization needs to meet NIS 2’s requirements.
- Focus first on risk management, corporate accountability, reporting obligations and business continuity.
- Develop a comprehensive plan for cyberattack response, recovery, and communication.
Companies should refer to the specific text of the NIS 2 directive; however, here are some ways to get started:
- Understand the Scope and Requirements: Companies need to first determine whether they fall under the expanded scope of NIS 2. The directive includes a broader range of sectors and also imposes more stringent requirements on "important" and "essential" entities. Understanding which category your organization falls into is critical because it determines the specific obligations you must fulfill.
- Risk Management Measures: Implement comprehensive and proportionate measures to manage the risks posed to the security of network and information systems. This includes securing IT infrastructure, implementing incident response capabilities, and ensuring data integrity and system availability.
- Incident Reporting: Develop or enhance processes for timely and effective incident reporting. NIS 2 requires entities to notify relevant national authorities about significant cyber incidents, so companies need clear procedures for detecting, reporting, and responding to incidents to comply with these requirements.
- Supply Chain Security: NIS 2 places increased emphasis on supply chain security. Companies must assess and manage the cybersecurity risks associated with their suppliers and service providers. This includes ensuring that contracts with third parties include clauses to maintain cybersecurity standards that comply with NIS 2.
- Governance and Accountability: Establish clear governance structures for cybersecurity, involving executive management. This includes assigning specific roles and responsibilities for cybersecurity oversight and ensuring there is adequate accountability at all levels of the organization.
- Training and Awareness: Regular training and awareness programs should be implemented for all employees. Ensuring that staff are aware of cybersecurity threats and know how to respond to them is crucial for maintaining security and preventing breaches.
- Regular Audits and Testing: Conduct regular audits and assessments of cybersecurity practices and policies to ensure compliance and effectiveness. Penetration testing, vulnerability assessments, and other methods can identify potential weaknesses in security practices.
- Legal and Regulatory Compliance: Stay informed about the specific national laws implementing NIS 2, as the directive will be transposed into national legislation with potentially varying interpretations and additional requirements.
- Engage with National Authorities: Build a relationship with national cybersecurity authorities and other relevant bodies. They can provide guidance, assistance, and updates on compliance requirements and cybersecurity threats.
- Collaboration and Information Sharing: Engage in information sharing and collaboration with other organizations and industry groups. Many sectors will benefit from shared experiences, threat information, and defensive measures, which can help in adapting to new threats.
- Plan for Continuous Improvement: Cybersecurity is not a one-time effort but a continuous process of improvement. Regularly update security measures and company policies to adapt to new threats and comply with evolving legal requirements.
By taking a proactive and comprehensive approach to NIS 2, companies will not only better comply with the directive but also significantly strengthen their resilience against cyber threats.
Gartner goes on to provide much more depth on these points in the full document here, which Archer is providing to you on a complimentary basis. Availability is limited, so please download the report soon.
We’re interested in your thoughts. Join the conversation here at CRO Pathway.
Gartner, Quick Answer: How to Effectively Prepare for NIS 2. Published 11 September 2023, ID G00789439, Michael Kranawette.
GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.