Building a robust NIS 2 compliance strategy
EU member states must transpose NIS 2 into national law by 17th October 2024, making it the EU’s most stringent cybersecurity Directive so far. Your level of cybersecurity maturity, your risk management capabilities and what constitutes “appropriate and proportionate” for your organisation will determine your journey to compliance. Having said that, there are common challenges that all organisations will face, argues Martin Davies, Audit Alliance Manager at Drata.
The original NIS Directive suffered from a lack of specificity about who was in scope and from inconsistent application across EU member states. NIS 2 addresses both issues and makes the Directive easier to enforce. It also brings more clearly defined governance and oversight; an expanded scope; tougher cybersecurity and risk management requirements; mandatory incident reporting; stricter enforcement and penalties; cross-border information sharing; and coordinated vulnerability disclosure.
That’s a lot to wrap our heads around in the few short months before the transposition deadline. Thankfully, we can break down some of the most common ‘heavy lifts’ and explore how best to approach them.
Leadership
NIS 2 includes requirements that extend beyond the technology and encompass the whole business, from HR to procurement to legal. Employees in the non-IT, non-security parts of the business will most likely have no experience of being affected by cybersecurity legislation. The Directive also puts the responsibility squarely on management: Article 20 requires management bodies to approve the cybersecurity risk management measures, oversee their implementation and undergo training, and it makes them liable for infringements. That means leaders have to step up and drive the process rather than delegate it.
There are three ways in which company leadership can help personnel reach and maintain NIS 2 compliance:
1. Enable and incentivise the responsible employees
People won’t stop doing their regular job to focus on compliance unless there is an incentive involved. Most employees already have a lot on their plate; if they haven’t previously been involved in compliance projects, NIS 2 will most likely be seen as outside their remit and a distraction. So, provide enablement and offer tangible benefits to engage non-technical staff and secure buy-in from day one.
2. Listen to feedback
It’s easy to assume that the compliance process will be straightforward and seamless, but that’s rarely the case. Every organisation has its unique way of operating, and the methods and policies suggested by best practice frameworks (e.g., ISO 27001) may take some careful thought when being implemented in your organisation’s specific context.
In most situations, this challenge can be addressed by tailoring controls, policies and processes to be proportionate to your organisation. However, this requires leadership to actively seek and consider input from across the organisation. A collaborative approach is key to achieving NIS 2 compliance before the enforcement deadline; attempting to impose rigid solutions that don’t suit your organisation’s reality is a recipe for failure.
3. Think about a risk amnesty
Alongside its incident reporting requirements, NIS 2’s risk management requirements are among its most stringent. Because the Directive reaches into business functions outside the technical realm, new and unexpected risks are likely to surface. However, bringing new risks to light is never the most comfortable task; many employees naturally want to keep quiet in case they are at fault. By offering a risk amnesty, in which raising a previously unreported risk carries no penalty, employees can surface risks without fear of reprisal.
Risk Management
NIS 2 requires organisations to have policies on risk analysis and information system security, and policies and procedures to assess the effectiveness of their risk management measures. Implementing a comprehensive risk management framework to satisfy this is a big task. Organisations will need to put in place a range of risk management policies, designate risk owners, establish clear terminology, and ensure consistency in how risks are defined, analysed and reported.
Achieving this requires following best practices, such as those recommended by ISO standards, but it also demands input from across the entire organisation. While Chief Risk Officers (CROs) and risk teams specialise in risk measurement and management, they may not have the expertise to identify what constitutes a risk in every area of the business. In the real world, risks are best identified by personnel in the department affected, so risk leaders must engage across the company to detect, understand and assess each risk covered by NIS 2.
Reporting
Although NIS 2’s reporting requirements may appear simple, meeting the 24-hour and 72-hour deadlines for significant incidents is far from easy: it needs reliable and consistent internal processes and governance. At a bare minimum, you must be able to:
● Identify incidents promptly
● Determine whether they constitute a ‘significant’ incident under the Directive’s criteria
● Provide a meaningful early warning within 24 hours of becoming aware, indicating whether the incident is suspected to be malicious and whether it could have a cross-border impact
● Submit an incident notification within 72 hours with an initial assessment of severity and impact and, where available, indicators of compromise
● Understand and resolve the incident, implement additional controls and submit a final report, including root cause and mitigations, within one month of the incident notification
Running tabletop exercises that rehearse the full reporting timeline, from detection through the 24-hour, 72-hour and final reports, is the best way to expose gaps in your current setup.
Supply chain security
This has been a hot topic in recent years, with many high-profile breaches caused or exacerbated by supply chain attacks and outages. NIS 2 expects you to account for the vulnerabilities specific to each direct supplier and service provider, and for the overall quality of their products and cybersecurity practices, including their secure development procedures. If your organisation currently has no formal supply chain security function, achieving NIS 2 compliance will be onerous and time-consuming. Look to respected supply chain security standards, such as ISO/IEC 27036 and ComplianceForge’s Cybersecurity Supply Chain Risk Management (C-SCRM) framework, to make life easier.
These are just a few of the ‘heavy lifts’ associated with NIS 2 but they provide a great starting point on the compliance journey. Now is the time to lead from the front and make NIS 2 compliance a reality.