Preparing for Cyberthreats and Increased Cybersecurity Requirements
Cybersecurity is at the top of the risk barometer for most businesses and public organisations. In an increasingly interconnected world, new digital opportunities inevitably come with new risks. The EU’s Cybersecurity Directive, NIS2, has clarified the requirements for handling cyberthreats and attacks. In this article, Bech-Bruun’s Mikkel Friis Rossa and Kasper Bilde Nielsen, who specialise in IT, tech, digitisation, and cybersecurity, examine the various forms of threats that organisations must address under NIS2.
Stricter Requirements and Broader Scope
By October 2024, a wide range of businesses and public organisations must be able to demonstrate compliance with the requirements of the second Network and Information Security Directive (NIS2). NIS2 builds on the original Network and Information Security Directive (NIS1) and is designed to address the shortcomings of its predecessor.
The directive’s expanded scope and stricter requirements represent a comprehensive overhaul, reflecting the evolving cyberthreats of the digital age. These threats have proliferated in both variety and scale in recent years, posing a real operational risk to all organisations, regardless of whether they are subject to NIS2.
NIS2 extends its scope to encompass several new sectors and supply chains that collectively make up infrastructure critical to society. Specifically, the directive now covers, inter alia, energy, transport, banking, and digital infrastructure sectors, as well as organisations manufacturing or delivering drinking water, food, or chemicals.
Key Features of NIS2
NIS2 requires organisations to establish appropriate resilience against the cyberthreats relevant to them. The directive is technology- and method-neutral: it does not prescribe particular products or controls, so it is up to each organisation to assess which threats are relevant, what risk they pose, and which measures are appropriate to counter them.
"NIS2 requires that organisations take a risk-based and proactive approach to counter cyberthreats."
Overall, organisations must establish effective processes for risk management, incident management, supplier management, governance, and the involvement of management.
Below is a general overview of NIS2 tasks:
- mapping of critical network and information systems, including networks, systems, IT, OT, IoT and other technical support for operations;
- appropriate cybersecurity based on effective risk management and basic cyber hygiene practices, including risk assessments;
- risk assessments and information security policies, business continuity through backup management, disaster recovery plans and crisis management, policies for the use of cryptography or encryption, personnel security, access control policies and asset management, communication protection measures and access management;
- documentation of compliance with requirements, including, among other things, relevant cybersecurity policies and procedures;
- incident management, recovery and prevention procedures;
- security of supply chains, including contract and supplier management;
- procedures for the procurement, development and maintenance of network and information systems;
- cyber education and training of the organisation, including management;
- management involvement in the organisation’s cyberthreat management; and
- anchoring roles and tasks to the organisation (governance and operations).
Threats to be Addressed
Cyberthreats extend beyond just malicious hacker attacks. Organisations must also address risks that may originate from employees, suppliers, and even technical or environmental conditions.
Therefore, NIS2 requires that organisations take a risk-based and proactive approach to countering such threats in their network and information systems. That term should be understood very broadly as the critical digital and technical support of operations: the organisation’s network and digital infrastructure, including IT, OT and other technical devices, as well as the application layer, all of which are exposed to cyberthreats.
To meet these requirements, organisations must, among other things, maintain a comprehensive overview of the assets that are critical to their operations and have effective risk management strategies in place.
The Implementation of NIS2 Compliance
To facilitate the implementation process, an independent maturity assessment can be used to gauge the current level of compliance against the legal requirements of NIS2 and the organisation’s risk profile. This approach addresses the cybersecurity needs of the organisation whether it is just embarking on its cybersecurity journey or has already implemented frameworks such as ISO/IEC 2700x, NIST, or the CIS Controls (CIS18).
The outcomes of the maturity assessment can be used to form a concrete and operational action plan. This plan can be broken down into distinct tasks, which can then be delegated to responsible parties. This targeted approach ensures that measurable progress is made towards achieving full compliance by the October 2024 deadline.