Complying with the EU directive
NIS2 Directive Compliance
What Are NIS and NIS2?
The NIS directive was introduced by the EU in 2016 as (EU) 2016/1148 to define requirements for the security of “Network and Information Systems” in organizations that deliver critical services to society. Examples of critical services include energy, water, healthcare, transportation, and electronic communication.
Each member state in the EU converted this directive into its own legislation. In Sweden this became “Lag (2018:1174) om informationssäkerhet för samhällsviktiga och digitala tjänster”. What’s commonly called “NIS2” is an updated directive that the EU enacted last year as (EU) 2022/2555. This directive is currently in the process of being implemented into Swedish legislation, with a target date of Q3 2024. The updated legislation reflects new trends in the evolving cybersecurity threat landscape and works to standardize the implementation of the directive across the member states.
One other significant change between the two directives is an expansion in the types of organizations that will be considered “in scope.” This is the main driver of much of today’s discussion, since many organizations that will fall under NIS2 are not currently covered by NIS.
What’s Required by NIS?
The requirements for an organization vary somewhat between the different sectors. In general, both generations of the directive lean heavily on existing standards and frameworks for cybersecurity, such as ISO and NIST:
- Establish a systematic method for continually improving the organization’s cybersecurity.
- Perform risk assessments regularly and have a clearly defined process for managing measures to mitigate identified risks.
- Implement standard protection measures for the organization’s network and information systems.
- Implement strong mechanisms for detecting events and well-defined processes for managing incidents.
- Prepare policies and procedures to document requirements and processes.
Two Tracks of NIS2
There are several things we won’t know about NIS2 until the local legislation is enacted:
- Who will perform oversight? (“tillsyn” in Swedish).
- How will oversight be performed?
- How will an organization be required to prove compliance with the legislation?
- What size of organization will be in scope?
- Will there be different regulations for organizations of different sizes?
- What penalties will be enacted if an organization fails to comply?
In some cases, the new legislation will be able to use structures that were developed for NIS, but there will be some changes as well. If nothing else, there are brand-new industry sectors that will require oversight and possibly brand-new government agencies to perform oversight.
We have a much better idea of what the technical requirements will be, in part because we have an existing NIS regulation, and we have lists of requirements that the directive passes on to each member state’s legislation. This may include:
- Risk management, including implementation of mitigating measures.
- Inventory of software, hardware, services, and network equipment.
- Incident management.
- Change management.
- Life cycle management, including baseline configurations and disposal.
- Logging and detection.
- Network segmentation.
- Access management.
- Endpoint security.
- Backup and recovery.
- Supply chain cybersecurity.
What Should You Do Today?
Every indication is that the NIS2 legislation will continue to stay very close to existing standards and frameworks, specifically ISO and NIST. With this in mind:
- Choose a framework or standard to align your cybersecurity efforts with, and
- Perform an assessment or gap analysis against this framework/standard.
The benefits of this are manifold. For one, you’ll find out whether you currently have gaps in your cybersecurity practice and establish processes for evaluating mitigating measures and activities to close those gaps. As more information about the developing legislation becomes available, you’ll then only need to tweak the process rather than invent a brand-new one.
How Can Truesec Help?
Truesec has resources that can help with all aspects of this regulation.
We can support your organization, including:
- Legal and compliance analysis of scope.
- Vulnerability discovery as input to an educated risk assessment.
- Risk analysis.
- Comprehensive detection mechanisms for both IT and OT environments.
- NIST assessments.
- Advanced management methods for all types of incidents.
- Threat analysis.
- ISO gap analysis.
- Writing policies and procedures.
- Improved access control and modern authentication mechanisms.
- Secure IT infrastructure.
- Third-party analysis.
- Directed education for management and board.
About Our NIS2 Program
To help your company leverage Truesec’s many capabilities, we're proud to launch our NIS2 Program. Some of the deliverables from this program will include:
- Continuous monitoring of legislative developments, both in NIS2 and in adjacent and sometimes overlapping legislation (such as DORA, CSA, and CRA).
- Scoping support for organizations.
- Implementation support for the NIS2 regulation.
- Information and education about security measures.
- Technical support from Truesec’s wide range of technical and compliance services.
Contact Our Team of IT Strategists
Don’t hesitate to reach out to our IT strategists if you want more information about how we can help you, or if you have questions, inquiries, or thoughts.