
Navigating the NIS2 Directive: A guide for business and security leaders

Discover how the Network and Information Systems Directive (NIS2) strengthens cybersecurity across the EU and learn practical steps to prepare your organization.

Jari Pirhonen / October 01, 2024

The digital landscape is constantly evolving, and so is the need for robust cybersecurity measures. The Network and Information Systems Directive (NIS2) is an important step in Europe's journey towards stronger cybersecurity. Understanding and preparing for the directive is key, but rest assured - NIS2 builds on familiar practices.

NIS2 isn't something to panic about - it's mostly about implementing sound, well-known cybersecurity practices. Let's explore what NIS2 is, how organizations can prepare, and how to work effectively with service providers.


Understanding NIS2: Enhancing cyber security across the EU

So, what is NIS2? Simply put, NIS2 is an updated EU directive that aims to improve the cybersecurity capabilities of member states and the resilience of critical infrastructure. It emphasizes the responsibility of management for dealing with cybersecurity risks, the management of supply chain risks, and the need to notify authorities of security incidents.

In addition, an organization must have, for example, cybersecurity policies and procedures, an incident handling process (including preparedness for major incidents), security awareness training for employees, identity and access management, and the basic cyber hygiene practices needed to keep networks and systems secure throughout their lifecycle.

It's estimated that around 160,000 organizations in the EU are directly affected by NIS2 - less than 1% of all organizations. However, the requirements will undoubtedly cascade down the supply chain. As NIS2 is an EU directive, it will be implemented differently in each Member State's legislation, so there may be differences between countries.

Beyond organizations, NIS2 places many responsibilities on national governments, such as adopting a national cybersecurity strategy, designating competent authorities, and establishing a Computer Security Incident Response Team (CSIRT). There are also requirements for cooperation at EU level. However, this article focuses on what it means for your organization.


How to get ready for NIS2?

Preparing for NIS2 starts with understanding whether it applies to your organization, which depends on your sector and size. If it does, the first step is to identify your competent authority and provide it with the necessary information, such as IP ranges and contact details.

If you're worried about the NIS2 requirements, it's important to remember that NIS2 doesn't introduce anything groundbreaking - it's based on known good cybersecurity practice. The NIS2 requirements are designed to be proportionate to the level of risk your organization faces. The key is to be effective and adaptable, and to verify that your measures are working.

If your organization is ISO 27001 certified, or already meets other regulatory or customer cybersecurity requirements, you may already be in good shape. However, organizations with less mature security practices have more work to do. It's wise to base your efforts on cybersecurity standards such as ISO 27001, making NIS2 compliance a by-product of good security work.

Think of security compliance as the baseline you need to achieve - it's rarely enough. Conducting a cybersecurity maturity assessment is a great way to identify areas for improvement and ensure you're on the right track.

Tietoevry Tech Services is a key service provider for many organizations that provide vital services to society. Although we have quality and security certifications as well as security assurance reports, we go further by conducting regular cybersecurity maturity assessments, now also with NIS2 requirements in mind. Our aim is not only to comply with legal requirements, but also to achieve a higher level of cybersecurity.


How to work with Service Providers regarding NIS2

The EU Commission is set to publish an Implementing Act, which will set out more specific cybersecurity requirements for service providers, including a definition of what constitutes a significant incident, i.e. one that service providers must report to their supervisory authority.

A key to success under NIS2 is understanding the shared responsibility between service providers and their customers. Service providers need to ensure that their platforms and processes are NIS2 compliant. It is important for customers to understand their own cybersecurity risks and requirements, and to specify these requirements in contracts with service providers.

In practice, this means customers should conduct their own risk assessments, understand their regulatory and business requirements, and determine the right level of cybersecurity for their needs. Due diligence on your service providers to understand their cyber capabilities is essential, as is setting contractual requirements based on your own needs.

Remember that cybersecurity is a team effort. Shared responsibility and collaboration between service providers and customers are critical to achieving compliance and improving overall security.

NIS2: an opportunity to improve cyber security and build resilient organizations

The NIS2 directive is a significant step forward in improving cybersecurity across the EU, but it's not something to be feared. Instead, it should be seen as an opportunity to strengthen your organization's cybersecurity posture. Whether or not your organization is directly affected, the ripple effects will touch every supply chain, making it critical for businesses and their service providers to work together.

By focusing on good security practices, understanding your risks and building strong relationships with your service providers, you will be well on your way to not only complying with NIS2, but also improving your overall cybersecurity capabilities.

Let's use NIS2 as an opportunity to build stronger, more resilient organizations.


Jari Pirhonen
Security Lead, Tietoevry Tech Services