top of page
The 2024 CrowdStrike Outage

Glossary

NIS2 compliance

What is NIS2 Compliance?

NIS2 compliance refers to the practices of operating in accordance with the rules and regulations set out by the Network and Information Security Directive, commonly known as NIS2. This term ‘NIS2’ denotes that it is an updated version of the European Union's original NIS Directive from 2016. NIS2 strictly mandates the implementation of robust security controls to enhance overall cybersecurity across EU member states. NIS2 compliance practices help organizations adhere to the provisions of current cybersecurity legislation, and to ensure resilience against evolving cyber threats.

What are the primary requirements for NIS2 compliance?

NIS2 places a variety of responsibilities on companies and organizations with regard to cybersecurity. These fall under the directive's four main organizational requirements:


  1. Risk manageme: Organizations are required to take minimum measures to mitigate and minimize cyber risks. This means taking actions such as strengthening supply chains, employing the latest access controls, and implementing encryption technologies to enhance security posture.

  2. Accountability: NIS2 mandates that organizations demonstrate corporate accountability. This means that companies must take responsibility for overseeing, approving, and training employees on new cybersecurity measures and procedures.

  3. Incident reporting: Organizations must have established processes for the reporting of cyber incidents. In the event of a significant incident that impacts service users or recipients, they must report to their relevant authorities in a timely manner, according to the notification deadlines specified by NIS2.

  4. Continuity planning: NIS2 mandates that organizations engage in contingency planning, setting our procedures and protocols for incident response, recovery, and business continuity.


What are the challenges of NIS2 compliance?

Organizations that are required to comply with NIS2 may encounter challenges in attempting to do so, for the following reasons:


  • Supply chain complexity: Modern organizations commonly use a wide variety of services from different vendors, meaning that their supply chains can be complex and difficult to manage. Consistent monitoring and communication are required to make sure that all third-party services meet the standards required by NIS2, which can be challenging to maintain.

    Resource constraints: Complying with NIS2 requirements means continually introducing and implementing the latest in advanced cybersecurity solutions. For smaller organizations, this can prove difficult as it requires a substantial investment of time, personnel, and capital.

    Evolving threats: With new cyber threats emerging all the time, organizations need to engage in continuous improvement through iterative enhancements of security measures and practices. With the threat landscape evolving at a rapid pace, keeping abreast of the latest threats and how to deal with them can be difficult at times.


What are NIS2 compliance best practices?

In order to consistently achieve NIS2 compliance, organizations need to take a strategic and proactive approach to cybersecurity. Best practices for NIS2 compliance include the following:


  • Risk assessment: From the outset, cybersecurity practices and procedures should be informed by the results of a comprehensive risk assessment. By identifying all possible vulnerabilities in their IT environments and evaluating their associated risk levels, organizations can devise effective security strategies and put appropriate controls in place to mitigate and minimize cyber risks.

  • Layered controls: For best results, security strategies should incorporate layered security controls. This includes encryption technologies, Intrusion Detection Systems (IDS), Multi-Factor Authentication (MFA), and the implementation of network segmentation in conjunction with firewalls to protect against breaches.

  • Least privilege: Organizations should employ the principle of least privilege, allowing users only the necessary level of access to perform their responsibilities. This helps to minimize risk by protecting against unauthorized access and lateral movement.

  • Supply chain security: Organizations should vet software and service vendors thoroughly to ensure that their products are in line with current industry standards. Additionally, stakeholders should collaborate with vendors regularly, including security requirements in agreements, and ensure that regular updating and patching are conducted to remediate vulnerabilities in third-party solutions.

bottom of page