This week, the 27 nation states that comprise the EU are expected to have transposed the Network and Information Security Directive 2 into national law.
Several states, however – including Ireland – have already signaled that there will not be time to shepherd the lengthy directive through their respective legislatures ahead of the deadline. The new legislation is daunting and complex, and requires significant scrutiny from legislators on a national level. Its impact is profound and wide-ranging, and will impose stringent new regulatory and reporting mandates on a number of sectors.
You can see our full breakdown of NIS2, and what it consists of, in our previous article on the subject.
The missed deadline for transposition, however, offers businesses some valuable breathing room. There is still time to get thoroughly up to speed with all that NIS2 entails, and the responsibilities it will confer on businesses and business owners, before it is enforceable in national law.
Your business has time to prepare for the sweeping changes NIS2 will bring in – but is it ready? And if not, what can you do to get ready?
Understand Your Organisation’s Regulatory Landscape
Knowing the lay of the land and where your organisation sits within it is the first step to fully appreciating the steps you need to take to bring yourself up to NIS2 compliance. Before you lay out any sort of plan of action, take some time to understand the context your organisation finds itself in post-NIS2, and how this will define the actions you must take to ensure compliance.
Is Your Business in the Scope of the Directive?
Find out immediately whether your business falls under the scope of NIS2, and if it does, whether it is classified as an “Essential” or “Important” entity (our article on the subject, linked above, breaks down the full criteria for each). These two classifications dictate not only the level of compliance and reporting businesses are mandated to conform to under NIS2, but also the level of regulatory enforcement that agencies can bring to bear on entities that fail to comply with NIS2.
Determine the Jurisdiction(s) you will Fall Under
By and large, organisations that fall within the scope of NIS2 will be subject to the regulatory framework established by the EU state they are established within. In the case of telecommunications companies, however, this also applies to the country or countries within the EU in which they provide their services.
Organisations established across multiple EU nations will be governed by the regulations of each, with regulatory agencies jointly supervising the company’s compliance under NIS2.
Map out your Obligations under NIS2
Decide whether your organisation can conduct its regulatory gap analysis in-house; if not, enlist the services of a third-party consultancy to assist you. In order to avoid duplication of effort, NIS2 modifies certain existing legal requirements, so understanding how it changes the regulatory environment as it exists before implementation will help you organise your response and supervisory functions efficiently.
Assess your NIS2 Readiness and Implement Measures to Address Gaps
Once you understand the new regulatory landscape brought into being by NIS2, you will have a relatively clear picture of where your organisation already falls within that framework. Some organisations, by their very nature, will be better prepared than others at the outset. Others will have to scramble to get up to compliance in a timely manner. Whatever the case may be, at this point it is imperative that you identify the gaps between your existing level of compliance and the standards being set by NIS2, and take steps to address them.
Map Existing Cybersecurity Policies Against the Directive’s New Requirements
NIS2 requires organisations to have proper procedures in place to deal with its reporting and standards structure. Comparing your existing policies to this legislation will help you identify areas where you fall short, and allow you to begin putting new processes in place to close the regulatory gaps.
Clearly Communicate your New Cybersecurity Policies to your Organisation
Buy-in at every level of your organisation is vital to ensure the new policies and procedures are not only understood, but stick. The most effective way of achieving this is by clearly communicating not only the precise policies your organisation will be implementing, but the rationale for doing so and the regulatory framework against which they’ll be applied. By ensuring your people don’t just understand the policies but understand why they are being put in place, you ensure a greater level of buy-in and engagement than if the policies are simply passed down on a seemingly arbitrary basis.
Map your Supply Chain Dependencies
Under NIS2, entities are responsible for the security of the information systems supporting their operations, whether these systems are managed internally or outsourced to service providers.
Map your Organisation’s Direct Supply Chain
NIS2 only obligates management of supply chain risk from direct suppliers and service providers. NIS2’s processes in this regard, however, follow similar patterns to existing supply chain diligence requirements under GDPR – so your organisation is more than likely already doing this, just not yet in the cybersecurity field. Transposing cybersecurity regulatory policies over existing GDPR enforcement relationships will make this part of compliance much less of a headache.
Determine Whether your Direct Suppliers and Service Providers are in Scope of NIS2
As you did for your own organisation, once you’ve mapped the direct relationships in your supply chain, you must determine whether or not these are in scope of NIS2 – and if so, how. Even organisations that are not in scope will be required to adhere to certain regulations in their dealings with you, so ensuring they are up to compliance standard is also a responsibility of your organisation.
If you are not in scope, identify those organisations in your supply chain who are, and who thus will require you to observe compliance under NIS2’s provisions.
Review Existing Contracts with Direct Suppliers and Service Providers
Your best option moving forward may be to incorporate NIS2 regulatory language into future contracts struck with direct relationships in your supply chain. This ensures compliance at the fundamental level of your relationship and means you are not relying on good faith that another organisation will maintain its obligations under NIS2.
Establish and Proactively Test your Incident Response Plan
A cybersecurity incident is no less a crisis than a fire alarm or break-in. Just as your building likely hosts semi-regular fire drills, thoroughly test your response plan so everyone knows exactly what they’re doing in the event of an incident.
Establish an Incident Classification Process to Categorise Incidents by Level of Severity, Urgency and Scale
This will allow your organisation to effectively prioritise incidents and allocate resources according to the severity of any cybersecurity breach. Only significant incidents are subject to the reporting mandate under NIS2, but having a thorough understanding of the threat environment you operate in will demonstrate commitment to the spirit of the directive in the event of a cybersecurity audit. It will also make the process feel routine to the people empowered to take charge of it, so that when an incident within the scope of NIS2 does occur, they will know exactly how to handle it.
Ensure Clear Lines of Communication are Set Out in your Response Procedure
You must ensure that there are clear lines of communication, internally and externally, in the event of a major incident. This ensures not only that everyone within your organisation given a responsibility under your response procedure is kept apprised of all pertinent information as it becomes available, but also that reports to external regulatory bodies can be filed in full and on time.
Leverage Standards and Certification Schemes
Existing standards and certification schemes can not only prepare your organisation for NIS2, but provide easily accessible evidence of your compliance to regulators. Many of NIS2’s requirements are in fact covered by existing international cybersecurity standards, meaning material already exists to bring your organisation and staff up to code. These include:
- ISO 27001 – Information security management system.
- ISO 22301 – Business continuity management system.
- IEC 62443 – Addresses internationally recognised standards in cybersecurity.
Embed a Culture of Cybersecurity Training and Awareness in Your Organisation
Safeguarding your organisation from cybersecurity threats begins internally, with a culture where cybersecurity is at the heart of every process, workflow and software implementation.
Implement a Regular Cybersecurity Training Plan for All Staff
This is not only a requirement under NIS2, but will help ensure your team is up to speed on basic cybersecurity best practice. Your staff are your first line of defence against cyber threats, and ensuring they have the skillset required to recognise those threats will help head off trouble before it can become a major incident.
Roll Out a Cybersecurity Literacy Training Program for Organisation Management
NIS2 places a great deal of responsibility on the shoulders of management in ensuring their organisation is complying with the directive. It is therefore essential that everyone given additional responsibilities under NIS2 receives specialised training to properly prepare them for their newfound obligations. This includes not only an understanding of basic cybersecurity practices but also awareness of their obligations under NIS2, and the implications of failure to comply.
Assign Responsibility and Resources to NIS2 Compliance
Once you’ve understood the full sweep of your obligations and supervisory expectations under NIS2, you can properly assign the resources your organisation will require to meet its requirements.
Engage Management Early in the Process of Preparing for NIS2 Compliance
Leadership buy-in is essential to a steady transition into compliance with the new regulatory framework. Ensuring the people who hold the levers of power and change in your organisation are fully briefed on what is necessary, and why it is necessary, gives your compliance programme momentum and the firepower needed to see it through to completion.
Ensure you Have Sufficient Resources to Successfully Meet all of your Obligations
Give your compliance procedures the budget allocation they need to get up to code. The cost of overlooking something or not implementing a procedure correctly could be far more devastating than simply going slightly over budget on the compliance implementation. As a rule of thumb, some sources state that as much as 22% of a tech department’s budget should be allocated towards cybersecurity.