The NIS 2 Directive is a recently approved document that obliges selected entities to increase their cyber resilience and improve cyber risk management in an effort to increase the security of key sectors and organizations across the EU.
It defines the terms essential and important entities, meaning obligated organizations, and expands the scope of its predecessor, NIS Directive of 2016, which was repealed when NIS 2 was passed.
It is worth noting that NIS2 does not have a direct mandate over any company within the EU, but it obliges EU Member States to transpose the Directive into their own legislation by 17 October 2024.
Every Member State will therefore introduce their own legal obligations for essential and important entities operating within them.
What these obligations will look like in each Member State remains to be seen, but already the NIS 2 Directive offers some guidance on the technical, organizational, and operational measures that organizations should implement to assure compliance.
In this article, we discuss each measure individually and list examples that companies might implement.
Please note that this article is for informational purposes only. It should not be considered legal guidance.
For an in-depth discussion of the NIS2 Directive, check our article, NIS 2 to Require Zero Trust as an Essential Security Measure.
Table of contents
Article 21 of the NIS 2 Directive
Article 21 of the Directive lists risk management measures that essential and important entities of Member States should implement.
All companies that provide a critical service must ensure that all parts involved in the provision of this service are properly secured.
Therefore, the specific measures put in place will vary depending on the national transposition of the Directive as well as each organization’s circumstances and budget.
Below is the full list of measures that Article 21 of the NIS 2 Directive mentions.
#1 Policies on risk analysis and information system security
Risk assessment is the first step to drafting any cybersecurity risk management policy.
Organizations need to create governance frameworks, organizational structures, policies, and procedures to analyze the cybersecurity risks they are facing.
This involves identifying resources that are involved in the provision of the critical service, their location (SaaS, cloud, on-prem, paper), and how important they are for the service.
Risk assessment is a continuous process that determines and updates the company’s comprehensive risk management policy.
Continuous risk analysis therefore includes regular vulnerability assessments and penetration tests to identify and address potential security weaknesses.
#2 Incident handling
Incident handling involves tools and procedures aimed at the detection, response to, and management of cybersecurity incidents.
Incident handling requires a comprehensive incident response plan that defines the roles and responsibilities during a security incident and includes clear protocols for communication and coordination.
To handle cybersecurity incidents proactively, organizations deploy technologies such as intrusion detection systems (IDS) and intrusion prevention systems (IPS), activity monitoring, endpoint and network-based threat detection, and systems for event correlation (SIEM).
These tools enable real-time identification and response to malicious activities, enhancing the organization’s ability to counter cyberthreats swiftly and decisively.
#3 Business continuity
Business continuity encompasses strategies and protocols that ensure the uninterrupted operation of the organization’s critical functions.
To fortify against data loss and system failures, organizations carry out regular backups of critical data and systems and high-availability configuration of critical resources.
This practice serves as a protective mechanism for quickly restoring operations in the event of an unforeseen data loss.
Businesses can also invest in off-site data storage, which mitigates the risk of incidents affecting the main business site.
#4 Supply chain security
Supply chain security, including security-related aspects concerning the relationship between each entity and its direct suppliers or service providers, is a major part of the NIS 2 Directive.
As organizations continue to navigate an increasingly interconnected global marketplace, prioritizing supply chain security is to the benefit of the society as a whole.
To ensure the security of their supply chain, organizations establish contractual obligations mandating that suppliers adhere to cybersecurity standards.
Security assessments of third-party vendors are integral to identifying potential vulnerabilities and ensuring NIS2 compliance throughout the vendor supply chain.
This means suppliers and service providers may be asked to produce certification that attest their organization complies with legal requirements for cybersecurity.
Procurement processes should contain security assessments by default, as they not only safeguard sensitive information, but also fosters a culture of resilience against potential threats.
#5 Acquisition, development, and maintenance of network and information systems
Integrating security measures into the lifecycle of network and information systems involves identifying and mitigating vulnerabilities during acquisition, but also implementing secure practices during development.
By adhering to secure development life cycle (SDLC) practices, organizations can proactively address security concerns at every step, ensuring that potential vulnerabilities are identified and remedied early on.
Maintenance of network and information systems requires regular patches and updates. Timely application of patches is crucial to addressing emerging threats.
Organizations must also be transparent about vulnerabilities with a thorough vulnerability disclosure. This is vital to efficient collaboration in the cybersecurity community, ensuring that vulnerabilities are reported and addressed as fast as they emerge.
#6 Policies and procedures to assess the effectiveness of cybersecurity risk-management measures
To evaluate and enhance the effectiveness of established processes, organizations must carry out periodic reviews of their cybersecurity policies and procedures, if these are to continue serving as vital components within their cybersecurity framework.
These assessments should aim at identifying potential vulnerabilities, gaps, or outdated practices. By conducting regular evaluations, businesses can stay ahead of the rapidly-evolving threat landscape.
Establishing metrics and KPIs for their security controls essential for continuous improvement of the organization’s cybersecurity risk-management procedures.
#7 Basic cyber hygiene practices and cybersecurity training.
Nurturing security awareness within the organization is another cornerstone of an effective cybersecurity risk management policy.
Training programs should cover essential procedures with a focus on recognizing and avoiding phishing attacks, spotting scams, and understanding the importance of immediate reporting of suspicious messages and sites.
Employees should be educated on the role of each person in safeguarding sensitive data.
Companies should also enforce strong password policies and set up regular password resets. Employees should be taught the importance of using strong, unique passwords.
Lastly, endpoint detection and response (EDR) systems and web/DNS filtering serve as a proactive measure that enables the swift detection and mitigation of potential security threats.
#8 Policies and procedures regarding the use of cryptography and encryption
End-to-end encryption greatly improves data security in remote access scenarios, where it shields the data from eavesdropping or man-in-the-middle attacks. Organizations should deploy a VPN or zero-trust-network-access (ZTNA) to protect sensitive data in transit.
At-rest encryption of sensitive files and databases adds an extra layer of protection against potential threats, rendering data unusable even if a potential attacker manages to exfiltrate it.
#9 Human resources, access control policies, and asset management
This set of risk management policies focuses on mitigating human error.
Organizations should create clear onboarding and offboarding policies to prevent departed employees from using their account.
In addition, least-privilege access control policies, such as zero-trust network access (ZTNA), significantly reduce the risk of damage caused by inadvertent error and dampen the impact of credential compromise by restricting the pool of resources accessible by the hijacked account.
In particular, network-based ZTNA is a straightforward way of securing older systems that do not support application-level access controls and MFA natively and their configuration for this purpose would otherwise be difficult.
#10 Multi-factor authentication
Multi-factor authentication (MFA) is a pivotal cybersecurity risk-management measure that adds an additional protective layer on user accounts.
Making it mandatory for users to provide additional forms of verification all but eliminates the chances of their account being compromised.
MFA is part of identity-based access management, which is an integral component of ZTNA. MFA can be implemented on the application layer, e.g. as part of SSO, or on the network layer, during authentication on the perimeter (cf. software-defined perimeter – SDP) and behind it.
An ideal scenario combines both approaches because many critical apps do not support MFA (e.g. older control systems in critical infrastructure or manufacturing operations), and it is often not possible to adapt these systems to support MFA and SSO.
Summary
EU Member States have until 17 October 2024 to transpose the NIS 2 Directive into their national legislation.Until that time, it is unclear what specific measures will be required of important and essential entities in each country.
But already, the NIS 2 Directive provides guidance on what risk management strategy organizations should prepare before that happens. Article 21 of the Directive lists 10 minimum measures organizations must implement to meet NIS 2 compliance requirements.
