
NIS2 does not have to be complex

Although having to comply with the new NIS2 directive may sound complex, the directive largely builds on the NIB guideline (Wet Beveiliging Netwerk- en Informatiesystemen in Nederland) and overlaps considerably with existing frameworks such as the ISO27001 standard (2022). This means that many organisations already have a solid foundation and can approach the implementation of the NIS2 directive with confidence.

In this article, we explain the overlap of the NIS2 directive with existing frameworks and the 5 main categories of cybersecurity compliance that the NIS2 directive aims to achieve.

Existing standards as a solid foundation for NIS2

Cybersecurity is an indispensable aspect of business operations. That is why there is extra focus from Europe on further strengthening cybersecurity within member states. This is also how NIS2 came about.

In doing so, the choice was made to build on best practices. Many of the requirements described in the NIS2 directive are therefore not new, but a further development of existing frameworks, which becomes clear when NIS2 is placed alongside ISO27001:2022.

The ISO27001 standard, which aims to improve digital resilience, is built on three basic principles of cybersecurity that also play a prominent role in the NIS2 directive: availability, integrity and confidentiality.

Thus, by using existing standards and measures, organisations can cover many of the NIS2 obligations without significant additional effort.

The 5 key categories for cybersecurity compliance

For the NIS2 directive, there are five categories at the core of a robust (cybersecurity) approach: governance, data management, supply chain management, incident management and technical measures.

It is not without reason that the Digital Trust Center (DTC), an organisation set up by the Ministry of Economic Affairs and Climate, also has five similar basic principles, which are in line with the NIS2 directive. These five basic principles, which are very similar to the list above, in turn come from the NCSC and international standards such as ISO27001.

Each of these five categories, which together form the core of a robust approach, is described in more detail below. For each category, an explanation is given and some concrete tools are named that can be used for quick, simple and effective implementation.

1. Governance

In cybersecurity, governance refers to the framework of policies, procedures and controls implemented to ensure information security. This includes defining roles and responsibilities within the organisation, setting objectives and ensuring compliance with relevant laws and regulations.

Effective governance ensures that cybersecurity is supported by all layers of an organisation and that there are clear guidelines on who does what when securing data and assets. To put this in place, it is important to be able to answer the following questions:

  • Who, both inside and outside the organisation, is responsible for addressing cybersecurity?
  • What strategic, tactical and operational objectives have been defined?
  • What laws, regulations, guidelines and regulators are relevant to the organisation?

2. Data management

Data management involves identifying, storing, protecting and disposing of data in compliance with applicable privacy laws and security policies. It ensures that only relevant data is collected, that it is stored securely and that access to it is strictly regulated. Good data management minimises the risk of data breaches and helps ensure data integrity and confidentiality.

This component is often one of the most difficult aspects to complete, because, especially in modern, complex IT environments, it is not easy to get a detailed picture of all data flows. However, by taking the actions below, rapid progress can be made:

  • For each application, make an overview of the datasets it contains.
  • Determine, for each dataset, whether it is necessary for business operations.
  • Identify the storage locations of the datasets.
  • Ensure contractual privacy protection with any third parties (by entering into a processor agreement, for example).

3. Supply chain management

This focuses on securing the chain of suppliers that contribute to the organisation’s own products and services. Supply chain management includes evaluating supplier measures, managing supplier access rights to systems and data, and regularly reviewing cooperation to ensure that security standards can be maintained.

A well-secured supply chain is crucial, as vulnerabilities at a supplier can lead to security risks for the entire organisation. Therefore, it is important to have an overview of all external suppliers and their access to data or applications. It is also wise to review contracts to make sure there are concrete agreements on data processing and to regularly sit down with key parties so that any questions or discrepancies can be corrected in time.

4. Incident management

Incident management is the process of responding to cybersecurity incidents. This process includes preparing for potential incidents by developing response plans, quickly detecting and assessing incidents as they occur, and effectively addressing them to minimise damage. Communicating about incidents with stakeholders and learning from events (to improve future security and prevent recurrence) are also indispensable components.

Incident management is a component that receives a lot of attention in NIS2. Even though it is desirable to prevent incidents at all times, it cannot be ruled out that occasionally something goes wrong. Being prepared for when a cybersecurity incident occurs is therefore a necessity.

The most pragmatic way to implement this is by drawing up processes that set out who should do what, and when (and which external parties should be involved), when things go wrong. Discussing these processes at least once every six months within the organisation helps ensure that they remain relevant to all stakeholders.

5. Technical measures

Technical measures are aimed at being able to (better) manage risks in, for example, software, platforms or digital infrastructure, which should minimise the chance of data breaches and limit the impact of incidents.

It is important to realise that an effective technical approach always consists of multiple measures. These measures all address different facets of cybersecurity, from strengthening the security of individual systems to protecting the organisation on a broader level.

By taking the set of measures below, in a simple and pragmatic way, many of the risks (and obligations from NIS2) can be captured:

  • Establish a strict update regime. This means regularly updating all software and systems with the latest patches and updates. These updates often contain security enhancements that address vulnerabilities that can be used by attackers.
  • Engage in vulnerability management: the continuous identification, analysis and mitigation of software vulnerabilities. This ensures that potential threats and weaknesses are actively managed and fixed before they can be exploited.
  • Apply system hardening. This includes taking measures to make systems less susceptible to attack, such as removing unnecessary software, disabling unused services and implementing vendor security guidelines.
  • Implement data encryption, encrypting information so that only authorised parties can read it. Encrypting sensitive data protects it from interception and unauthorised access, both at rest and during transmission over networks.
  • Install an Endpoint Detection and Response (EDR) solution. Such a solution provides monitoring and detection to identify and respond to malicious activity on endpoints (such as laptops, desktops and servers). EDR is critical for quickly identifying and responding to incidents.
  • Use a Zero Trust Network Access (ZTNA) solution for remote access to applications, platforms and infrastructures. Access is then granted only on the basis of strict identity authentication and contextual data, regardless of the user’s location or network.
  • Set up Multi-Factor Authentication (MFA) everywhere. This requires users to use two or more authentication methods to access systems, providing an extra layer of security on top of the traditional username and password.
  • Make regular backups of data and systems. These backups are essential to recover after a data loss incident, such as a ransomware attack or an employee accidentally deleting a dataset. A backup and recovery plan ensures that critical information and services can be restored quickly.
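The list above reads as a checklist, and the quickest way to find out where an organisation stands is to run that checklist over an asset inventory. The script below is an added example, not code from the article or from any NIS2 tooling: it evaluates each of the eight measures against a constructed inventory of two systems and reports the gaps. The `Asset` fields, the thresholds (30-day patch age, severity-based remediation SLAs, a list of services to remove, daily backups, a restore test every 180 days) and the sample systems are all assumptions chosen for illustration; NIS2 and the article set no such numbers.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Thresholds below are assumptions chosen for this example; NIS2 and the
# article set no specific numbers. Tune them to your own policy.
MAX_PATCH_AGE_DAYS = 30                                      # update regime
VULN_SLA_DAYS = {"critical": 14, "high": 30, "medium": 90}   # remediation SLA by severity
UNNEEDED_SERVICES = {"telnet", "ftp", "smbv1", "rsh"}        # hardening: services to remove
MAX_BACKUP_AGE_DAYS = 1                                      # at least one backup per day
MAX_RESTORE_TEST_AGE_DAYS = 180                              # a backup is only proven by a restore


@dataclass
class Asset:
    """Inventory record for one system (the fields are assumptions for this example)."""
    name: str
    last_patched: date
    open_vulns: list            # (severity, first_seen) pairs from the vulnerability scanner
    services: set               # listening services
    encrypted_at_rest: bool
    tls_only: bool              # all network exposure is over TLS
    edr_installed: bool
    remote_access: str          # "ztna", "vpn" or "none"
    mfa_enforced: bool
    last_backup: Optional[date]
    last_restore_test: Optional[date]


def assess(asset: Asset, today: date) -> list:
    """Return (measure, detail) findings for every measure the asset fails."""
    findings = []

    # 1. Update regime
    patch_age = (today - asset.last_patched).days
    if patch_age > MAX_PATCH_AGE_DAYS:
        findings.append(("update-regime", f"last patched {patch_age} days ago"))

    # 2. Vulnerability management: any open finding past its remediation SLA
    for severity, first_seen in asset.open_vulns:
        sla = VULN_SLA_DAYS.get(severity)
        age = (today - first_seen).days
        if sla is not None and age > sla:
            findings.append(("vulnerability-management",
                             f"{severity} vulnerability open {age} days (SLA {sla})"))

    # 3. Hardening: services that should have been removed or disabled
    leftover = sorted(asset.services & UNNEEDED_SERVICES)
    if leftover:
        findings.append(("hardening", "unneeded services running: " + ", ".join(leftover)))

    # 4. Encryption at rest and in transit
    if not asset.encrypted_at_rest:
        findings.append(("encryption", "data at rest is not encrypted"))
    if not asset.tls_only:
        findings.append(("encryption", "unencrypted network exposure"))

    # 5. EDR
    if not asset.edr_installed:
        findings.append(("edr", "no EDR agent installed"))

    # 6. ZTNA for remote access (no remote access at all is acceptable)
    if asset.remote_access not in ("ztna", "none"):
        findings.append(("ztna", f"remote access via {asset.remote_access} instead of ZTNA"))

    # 7. MFA
    if not asset.mfa_enforced:
        findings.append(("mfa", "MFA not enforced"))

    # 8. Backups, plus proof that they actually restore
    if asset.last_backup is None or (today - asset.last_backup).days > MAX_BACKUP_AGE_DAYS:
        findings.append(("backup", "no recent backup"))
    if asset.last_restore_test is None or (today - asset.last_restore_test).days > MAX_RESTORE_TEST_AGE_DAYS:
        findings.append(("backup", "no recent restore test"))

    return findings


def failed_measures(asset: Asset, today: date) -> list:
    """Distinct failed measure names, sorted, for a one-line summary per system."""
    return sorted({measure for measure, _ in assess(asset, today)})


# Constructed sample inventory (not real systems): one neglected file server, one well-kept web server.
TODAY = date(2024, 6, 1)
SAMPLE_ASSETS = [
    Asset("fileserver-01", date(2024, 3, 1), [("critical", date(2024, 5, 1))],
          {"ssh", "smbv1"}, False, True, False, "vpn", False, date(2024, 5, 20), None),
    Asset("web-01", date(2024, 5, 25), [("low", date(2024, 4, 1)), ("critical", date(2024, 5, 25))],
          {"ssh", "https"}, True, True, True, "ztna", True, date(2024, 6, 1), date(2024, 1, 15)),
]

if __name__ == "__main__":
    for asset in SAMPLE_ASSETS:
        for measure, detail in assess(asset, TODAY):
            print(f"{asset.name}: [{measure}] {detail}")
```

Two design points matter in practice. The backup measure is only marked as met when a restore test is also recent, because an untested backup is not evidence of recoverability. And the vulnerability check is driven by age against a severity-based SLA rather than by the mere presence of findings, so the report highlights what the process is failing to remediate instead of listing every scanner result.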

Summary

Although the NIS2 directive may be perceived as complex, it provides a structured framework that helps strengthen cybersecurity approaches. By building on existing standards and guidelines such as the ISO27001 standard and the DTC’s recommendations, the requirements of the NIS2 directive can be met effectively and efficiently, significantly reducing complexity. This makes NIS2 not only an obligation, but also an opportunity to strengthen the organisation’s digital resilience against digital threats.
