The cyber threat landscape continues to evolve at pace, and the need for organisations to enhance their cyber resilience is arguably more urgent than ever. Geopolitical instability, increased cloud adoption, AI-driven attacks and supply chain complexity are all contributing to a ‘perfect risk storm’ that threatens business operability.
In response to the growing risk, the EU has introduced the NIS2 Directive, an updated framework designed to ensure that critical sectors across Europe are better protected against cyber attacks.
The Directive builds on the original NIS (Network and Information Systems) Directive, further requiring operators of critical infrastructure and essential services to adopt enhanced security measures, implement robust resilience strategies, and report security incidents to the relevant authority in a timely manner. All of these measures are designed to preserve business operability during a cyber attack.
Why NIS2 Matters
The Directive becomes compulsory for organisations falling within scope once it is transposed into national law across all EU member states, at the end of this month.
Legal compliance aside, the Directive’s prescribed measures can only help businesses increase their overall security posture maturity, which is crucial to protecting their strategic interests in the current cyber threat climate.
Who Must Comply
The number of organisations considered an “essential service” has increased, bringing into scope additional sectors and organisations that previously fell outside the NIS designation criteria.
Organisations with an operating presence in the EU, if they have not already done so, should urgently confirm whether they meet the new designation criteria for an ‘essential’ or ‘important’ entity.
- An organisation is now considered an “essential entity” if it is large and operates in a sector set out in Annex I of NIS2, such as energy, transport, healthcare and financial services.
- Medium and large organisations operating in a sector set out in Annex II of NIS2, such as manufacturing and waste management, are designated as “important entities”.
Key Changes & How to Prepare
1. Increased Sector Coverage
NIS2 expands and reorganises the definition of Operators of Essential Services (OES) into "Essential and Important entities". This now includes additional sectors such as public electronic communications services, digital services, wastewater and waste management, manufacturing of critical products, postal and courier services, and public administration.
DCR Recommendation: If your organisation is now designated as an ‘essential’ or ‘important’ entity, it is important that an implementation roadmap defines the route to compliance in the shortest possible timeframe. The starting point is typically a gap analysis against ENISA’s “Minimum Security Measures” framework, which is usefully mapped to other commonly used control frameworks such as ISO 27001. This will help identify current control gaps and provide the basis for a tactical delivery plan.
2. Increased Penalties & Accountability
NIS2 introduces tougher penalties for non-compliance, including fines that can reach up to 2% of global turnover, and extends to personal accountability, which could result in senior executives facing personal prosecution.
DCR Recommendation: Ensure that senior leadership is engaged with the organisation’s cyber security strategy and is aware of its legal responsibilities. Regular board-level reviews of cyber risk management and compliance efforts are highly effective in securing senior leadership support and ‘buy-in’.
3. Mandatory Risk Management & Incident Reporting
Under NIS2, organisations are required to establish and maintain a risk management framework designed to identify, assess, and proactively mitigate cyber risks. Additionally, the Directive mandates that significant cyber incidents must be reported to the relevant authorities within 24 hours, a decrease from the previous 72-hour reporting window.
DCR Recommendation: Implement a repeatable risk management methodology that leverages cyber threat landscape insights. This will give an accurate picture of current risk exposure and assist with selecting effective risk mitigation strategies.
Developing and implementing incident response plans will further help establish protocols for detecting and reporting security incidents to the relevant authorities. However, it is important that the plans are regularly verified through exercising and testing.
4. Supply Chain Security
NIS2 places an increased focus on supply chain management, acknowledging that third-party suppliers are often targeted by threat actors as a way to bypass the controls of more secure organisations. Recent supply chain attacks have demonstrated how vulnerabilities in a supplier’s network can have far-reaching consequences.
DCR Recommendation: It is vitally important to assess the security posture of all third-party suppliers, particularly those with privileged access to systems and data. Implementing a risk-based supplier assurance process, where each supplier is evaluated based on the potential threat it poses, forms the foundation of effective supplier management.
5. Business Continuity & Crisis Management
NIS2 mandates that organisations must be able to maintain their critical business operations at all times, even in the event of a cyber security incident, thereby minimising service disruption. This is achieved by balancing operational redundancy and resilience.
DCR Recommendation: Establish comprehensive business continuity, disaster recovery and crisis management plans to respond to the possible outcomes of a cyber attack. A sensible starting point is to first identify critical business services, then perform a business impact assessment. This will help determine the level of redundancy and resilience required to maintain business-critical operations.
6. Incident Prevention, Detection & Response
To ensure organisations can withstand a cyber attack and continue to deliver their business-critical operations, NIS2 requires the development and implementation of robust and regularly tested Incident Management Response Plans and strategies, so that the organisation is suitably prepared to respond effectively.
DCR Recommendation: Establish and rehearse Incident Management Plans and strategies; these should cover the roles of the incident management team and external agencies, and response and recovery strategies for the attacks most likely to be faced, i.e. malware and ransomware.
Non-Critical Industries
Though NIS2 is specifically intended to improve cyber resilience amongst critical sectors, its core principles, from risk management through to operational resilience, benefit and can be applied to all organisations regardless of sector.
All organisations face similar threats and can adopt the practices and recommendations outlined above, improving their cyber security posture and reducing the potential for operational disruption.
How DCR Can Help
Navigating the new NIS2 requirements needn’t be complex; DCR is here to guide you every step of the way. From conducting gap analyses and strengthening your cyber resilience, to implementing robust incident response strategies, we work closely with your team to ensure full compliance with the Directive.
DCR offers:
- Comprehensive risk assessments to identify gaps in your organisation’s current security posture.
- Tailored security strategies aligned with ENISA’s “Minimum Security Measures for Operators of Essential Services” to ensure that regulatory obligations are met.
- Supplier security reviews to protect your organisation from potential supply chain attacks, ensuring that your third-party dependencies are secure and compliant.
If you’d like to learn more about how we can support you, please don't hesitate to get in touch.