How to Prepare for the NIS 2 Directive
As EU member states transpose the NIS 2 Directive into their national laws by October 17, 2024, organizations under its purview must also ensure they’re ready to fully comply with the new cybersecurity regulations. Penalties for non-compliance will include significant fines, so if you haven’t started on any necessary implementations, now is the time.
As established cybersecurity experts who have disseminated the law as part of our efforts to stay apprised of the latest regulatory developments, we know that any new law can be intimidating for organizations to comply with, especially initially, and we’re here to help.
In this blog post, we’ll provide expert advice regarding two key facets of the NIS 2 Directive—incident response and third-party risk management—before detailing how cybersecurity leaders can align their strategies to satisfy the entire NIS 2 Directive, along with their other compliance initiatives.
Two Key Aspects of the NIS 2 Directive That You Need to Prioritize
To help strengthen cybersecurity across the EU, the NIS 2 Directive contains new mandates regarding risk management, business continuity/disaster recovery protocols, and access control. Of particular note are the incident response requirements as well as those involving supply chain security, and you’ll soon realize why.
1. Incident Reporting
To put it bluntly, the NIS 2’s new reporting timelines are tight. Organizations are required to alert the relevant national authorities of an incident as follows:
- Initial notifications must be sent within 24 hours of detecting a significant incident—these initial reports should include the nature of the incident, its suspected impact, and the steps to manage it.
- More comprehensive reports on cybersecurity incidents must then be sent within 72 hours.
- If necessary, organizations may also need to provide a final report with a full analysis of the incident and the lessons learned.
The only feasible way to satisfy these mandates is with a highly efficient incident response system, which starts with defining the roles and responsibilities across teams to streamline your response protocol—you may even consider creating an incident “playbook” that outlines every step, from detection to reporting, including those pre-identified stakeholders who can act quickly. Automated monitoring and alerting systems, along with security information and event management (SIEM) tools, could also help.
It won’t be enough to just implement a plan and some helpful tools, however—maintaining readiness demands conducting regular drills to simulate these incidents and test your reporting processes so you can fine-tune your workflow.
Of course, not everything must be reported—the Directive does limit reporting requirements to significant incidents, defining a significant incident as one that:
- Results in or has the potential to cause severe operational disruptions or financial loss for the entity; or
- Affects other individuals or organizations by causing substantial damage.
Obviously, incidents that cause major disruptions to your services or impact your data's availability, authenticity, or integrity will likely meet this threshold. Still, each case must be assessed in context and things may not always be clear.
Having the real-time data provided by the aforementioned tools will help you make the right decisions, but you can also take it a step further and develop customized thresholds based on your risk landscape. After all, depending on their sector and services, an incident that disrupts a critical service for a few hours may not be significant for one company but could be catastrophic for another.
As such, build a robust incident classification framework: the number of users affected, the potential financial impact, and the duration of the disruption can all serve as internal benchmarks for your escalation protocol and for triggering an incident report.
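The classification framework and reporting clock described above can be sketched as follows. This is an added example, not part of the original post: the threshold values, field names, and the "needs_review" band are hypothetical and would be set from your own risk landscape, and both deadlines are assumed to count from the detection time.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Thresholds:
    # Hypothetical internal benchmarks; tune per sector and service.
    users_affected: int = 10_000
    financial_loss_eur: float = 500_000.0
    outage: timedelta = timedelta(hours=2)
    review_fraction: float = 0.5  # near-misses go to a human for a contextual call

@dataclass(frozen=True)
class Incident:
    detected_at: datetime              # timezone-aware detection time
    users_affected: int
    est_financial_loss_eur: float
    outage: timedelta
    harms_third_parties: bool = False  # substantial damage to others

def classify(inc: Incident, th: Thresholds = Thresholds()) -> dict:
    """Return escalation level, triggering criteria and reporting deadlines."""
    if inc.detected_at.tzinfo is None:
        # A naive timestamp makes the 24h/72h clock ambiguous across sites.
        raise ValueError("detected_at must be timezone-aware")
    ratios = {
        "users_affected": inc.users_affected / th.users_affected,
        "financial_loss": inc.est_financial_loss_eur / th.financial_loss_eur,
        "outage_duration": inc.outage / th.outage,
    }
    reasons = [name for name, r in ratios.items() if r >= 1.0]
    if inc.harms_third_parties:
        reasons.append("harms_third_parties")
    if reasons:
        level = "significant"
    elif max(ratios.values()) >= th.review_fraction:
        level = "needs_review"   # unclear case: assess in context
    else:
        level = "internal_only"
    deadlines = {}
    if level == "significant":
        deadlines = {
            "initial_notification": inc.detected_at + timedelta(hours=24),
            "comprehensive_report": inc.detected_at + timedelta(hours=72),
        }
    return {"level": level, "reasons": reasons, "deadlines": deadlines}
```

Feeding the returned deadlines into ticketing or paging keeps the reporting clock visible from the moment of detection rather than from the moment someone decides the incident is reportable.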
2. Third-Party Risk Management (TPRM)
The NIS 2 Directive also places particular emphasis on securing the supply chain. To secure yours, you’ll first need a thorough understanding of it, and not just of the big players—vendors of all sizes can put your organization at significant risk.
To get started mitigating that risk, conduct comprehensive risk assessments for every third-party partner:
- First, map out your supply chain to understand how data flows between your organization and external entities.
- Then, create a vendor risk management framework that categorizes vendors based on the criticality of the services they provide—vendors supplying mission-critical services should be prioritized for rigorous risk assessments and compliance checks.
- Implement a “partnership model,” i.e., rather than simply imposing requirements on your third parties, work with them to build up their cybersecurity capabilities (and that may involve providing resources, training, or even incentivizing them to adopt stronger cybersecurity practices).
- Clear contractual obligations that outline minimum cybersecurity standards and regular audits will also help ensure NIS 2 compliance.
- Once you’ve got a handle on it, you should employ technology to continuously track third-party risk, as tools that provide real-time insights into a vendor’s security posture can help you quickly spot weaknesses before they lead to larger issues.
How to Align Cybersecurity Strategies to Comply with NIS2 and Other Relevant Frameworks
All that said, the NIS 2 Directive and its complex mandates are likely not the first nor will they be the only framework your organization is beholden to, particularly if you’re operating in multiple regions. If that’s the case, the trick to navigating the maze of cybersecurity regulations is to establish a unified global cybersecurity framework that’s flexible enough to be tailored to different regulatory environments.
How to do that, you’re wondering.
Start by identifying the common ground. Most regulations emphasize core principles like:
- Data protection
- Risk management
- Incident reporting
- Business continuity
Use these elements as cornerstones—i.e., implement robust controls to support them—and you’ll have the foundation for a strong, globally applicable cybersecurity framework that you can then tailor to meet the specific requirements of each region. (For instance, you may have to adjust incident reporting timelines or encryption controls to meet local laws, but your overarching strategy can remain consistent.)
To help with that, establish cross-functional teams that include compliance, IT, legal, and cybersecurity experts. Not only will a staff with such breadth of knowledge streamline the process of aligning different regulatory frameworks but they can also better ensure that both your business operations and security policies are harmonized across those jurisdictions.
Once you’ve covered all your requirements (perhaps with the help of those personnel), you’ll need to maintain that coverage across borders, and that will demand regular audits—both internal and external. Periodically assessing your organization against the NIS 2 and any other mandatory regulations will help identify gaps in compliance before they become problems, and such proactivity will also aid your organization in evolving as the security landscape continues to change.
Stay Ahead of Cyberthreats in 2025 and Beyond
While compliance lays the groundwork, it’s far from enough in today’s evolving threat landscape. Adopting a dynamic and forward-thinking approach is a must, and to do that, leaders must embrace the perspective that cybersecurity and compliance cannot be considered “burdens.” Rather, they’re strategic imperatives and must be properly resourced so your organization remains vigilant and adaptable.
Proactive organizations are the ones that will thrive in this advancing regulatory environment, and if you’re ready to get started—either with an independent assessment of your compliance with the NIS 2 Directive or one against another framework—contact us today to see if Schellman and our diverse suite of services are right for you.
About AVANI DESAI
Avani Desai is the CEO at Schellman. Avani has more than 15 years of experience in IT attestation, risk management, compliance and privacy. Avani’s primary focus is on emerging healthcare issues and privacy concerns for organizations. Named as one of the 2017 Global Leaders in Consulting by Consulting Magazine, she has also been featured and published in the ISSA Journal, ITSP Magazine, ISACA Journal, Information Security Buzz, Healthcare Tech Outlook, and many more. Avani also sits on the board of Catalist, a not-for-profit that empowers women by supporting the creation, development and expansion of collective giving through informed grantmaking. In addition, she is co-chair of 100 Women Strong, a female-only venture philanthropic fund to solve problems related to women and children in the community.