The NIS2 Regulatory Assessment Tool

The NIS2 Directive aims to enhance the resilience of critical sectors in the EU by requiring proactive cybersecurity measures and fostering better communication and collaboration among the entities in scope. It seeks to establish a high common level of cybersecurity across Europe.

This page introduces a regulatory assessment tool for NIS2 compliance that is built on a unified knowledge model.

The tool extends the Data Privacy Vocabulary (DPV), which provides a comprehensive and standardised set of terms, to conduct a NIS2 gap analysis against ISO/IEC 27001:2022. Each Article 21 risk-management measure is mapped to specific ISO/IEC 27001:2022 controls. ENISA guidance on minimum security measures for operators of essential services identifies the essential security controls such operators must have in place, and the tool uses it as the baseline of minimum required measures.

NIS2 Completion Chart

NIS2 provides clear direction on the steps that in-scope entities must take to enhance their overall level of cybersecurity risk maturity.

In-scope entities must implement appropriate and proportionate technical, operational, and organisational measures to manage the risks specific to their industry or sector.

Failure to Comply

Failure to comply can result in administrative fines. Under Article 34 of NIS2, essential entities face fines of up to EUR 10 000 000 or 2 % of total worldwide annual turnover, whichever is higher, and important entities up to EUR 7 000 000 or 1.4 %.

Article 21 of the NIS2 Directive details ten cybersecurity risk-management measures:

(a) Policies on risk analysis and information system security
(b) Incident handling, such as the prevention, detection and response to incidents
(c) Business continuity management, including backup management, crisis management and disaster recovery
(d) Supply chain security, including security-related aspects concerning the relationships between each entity and its suppliers or service providers
(e) Security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure
(f) Policies and procedures (including testing and auditing) to assess the effectiveness of cybersecurity risk-management measures
(g) Basic cyber hygiene practices and cybersecurity training
(h) Policies and procedures regarding the use of cryptography and, where appropriate, encryption
(i) Human resources security, access control policies and asset management
(j) Multi-factor authentication or continuous authentication solutions, secured voice, video and text communications and secured emergency communication systems within the entity, where appropriate

The NIS2 Directive (Directive (EU) 2022/2555) is the EU-wide legislation on cybersecurity. It lays down legal measures to raise the overall level of cybersecurity in the EU and, like the original NIS Directive that it repeals, aims to strengthen the protection of critical infrastructure in the Member States.

The requirements of NIS2 can be split into four pillars:

Risk Management: Organisations must take the necessary steps to comply with the new Directive and minimise their cyber risks. These measures include incident management, stronger supply chain security, enhanced network security, better access control and encryption.

Business Continuity: Organisations must plan for how they intend to ensure business continuity in the case of major cyber incidents. This plan should cover system recovery, emergency procedures and the setting up of a crisis response team.

Corporate Accountability: NIS2 requires corporate management to oversee, approve and be trained on the entity's cybersecurity measures and to address cyber risks. Breaches may result in penalties for management, including personal liability and a potential temporary ban from management roles.

Reporting Obligations: NIS2 sets out specific reporting obligations and timelines for significant incidents (Article 23): an early warning within 24 hours of becoming aware of the incident, an incident notification within 72 hours, and a final report within one month. Not following this reporting process can lead to administrative fines being imposed on the entity.
https://www.adaptcentre.ie (ADAPT Centre) and UCD