What is NIS2

NIS2 (Network and Information Security 2) is an EU-wide directive on cybersecurity, it encompasses the security of networks, information systems, applications, software and information. NIS2 goal is to increase the resilience of organizations against cyber attacks. It provides legal measures to boost the overall level of cybersecurity in the EU. It establishes common rules for the states of the European Union and the organizations to which these rules will compulsorily apply. These entities must comply with a number of regulations on network and information security established by the NIS Directive.

The different parts of NIS2 can be visualized in the fish diagram. People and training as the back fin set everything in motion. The policies as the dorsal fin together with the processes fin stabilize the whole system. Data, information, information technology and services are the innards. The risk management system is the brain. Audits and control as the watchful eye. Measures are the head behind which the whole system moves forward.

Who is responsible for NIS2 and what are the risks to organizations if they fail to comply with the law?

• The law establishes the direct responsibility of statutory bodies
• Failure to comply could result in a fine of up to €10 million or 2% of annual turnover

What organizations must comply with NIS2

The obligations arising from the NIS2 directive apply to operators of essential services in the energy, transport, banking, financial market, infrastructure, healthcare and digital infrastructure sectors. Entities are divided into two basic groups: essential entities and important entities.

Essential entities are all organizations from the following sectors

• energy (electricity, district heating and cooling, oil, gas and hydrogen)
  
• transport (air, rail, water and road)
• banking and financial market infrastructure
• healthcare and production of pharmaceutical and medical devices
• drinking water and waste water
• digital infrastructure, Internet exchange nodes, DNS service providers, Internet Top Level Domain (TLD) registries
• cloud computing service providers, data center service providers, content delivery networks
• providers of trust-building services and public electronic communications networks and electronic communications services
• public administration
• universities

Important entities include those that fall into these industries

• postal and courier services
• waste management
• chemical manufacturing
• foodstuffs
• production of other medical devices, computers and electronics, machinery and motor vehicles
• digital providers (internet marketplaces, internet search engines and social network service platforms)

Basic NIS2 obligations for companies and organizations

Businesses and organizations under NIS2 are obligated to implement, secure and document their information security management processes, technical, and organizational measures. This means implementing appropriate technical, organizational, and educational measures and document it.

Technical measures for NIS2

• secure your information systems, applications, software
• ensure network security and the security of other technical IT infrastructure
• physically secure the technical IT infrastructure
• ensure the resilience of the internal network and information systems
• introduce detection and evaluation of cyber threats
• implement data protection such as backup, encryption or other measures
• ensure technical measures to increase network and information security

Process, management and organizational measures for NIS2

• implement internal information security processes
• to ensure the continuity of services and operation of its information system and applications
• record and report every security incident that has a significant impact on the functioning of the organization
• carry out a cyber security risk assessment and implement a risk management system
• implement appropriate and adequate organizational security measures to increase network and information security

Measures in documentation and training of workers

• have security documentation such as a Security Policy
• ensure the training of users and employees in the field of information security
• provide documentation to demonstrate compliance with NIS2

NIS2 compliance documentation

Therefore, each organization must implement measures and maintain adequate documentation about it so that it can demonstrate compliance with NIS2. As an integrated risk management and compliance management system with NIS2, Aptien will help with complete compliance documentation management, incident information management, and managing your measures that follow audit findings, risk analysis, or arise from specific incidents.

• management of security guidelines
  
• documentation of information security management processes
• awareness and training of employees and other workers with security guidelines
• maintaining a register of information assets and IT infrastructure
• IT infrastructure documentation
• security documentation of the applications and software used
• documentation of technical and organizational measures to increase network and information security
• maintaining a register of cyber security risks, threats and vulnerabilities
• registration and management of incidents
• management of audits
• management of measures and continuous improvement

Keeping records of your assets - information and IT equipment

• maintaining information about your primary assets and their dependencies on supporting assets
• maintaining information and documentation on your supporting assets, IT equipment and infrastructure
  
• documentation security of applications and software used
• maintaining information about IT services and their suppliers
• keeping documentation of stored backups, test plans and maintenance 

Introducing a risk management system into the organization

• maintaining a risk register in accordance with the requirements of the Cyber Security Act
  
• maintaining an overview of threats and vulnerabilities 
  
• maintaining an overview of primary and supporting assets and their context

Process support

• maintaining information about your employees' permissions and access
• an overview of who has access to where and why (who has what key or access card)
• digital handover of keys and cards to employees with a simple app
• maintaining information about the access and permissions of your employees and suppliers
• documentation of your processes around information security management

Security Incident Logging

• records and incident handling (incident management and response)

Managing your suppliers

• maintaining information on service providers 
• maintaining information on suppliers' methodology
• maintaining information about your employees' access to services (e.g. cloud services)
• maintaining information on the security of purchased services

Staff training 

• creating training plans
• digital familiarisation of your employees with the guidelines and other documentation

Business continuity management and continuous improvement system

• documentation of technical and organizational measures to increase network and information security

Maintaining directives and other internal regulations

• maintaining guidelines, work procedures and policies for your employees (not only) on security

Managing your internal audits

• maintaining information on audits and their findings
• management of follow-up to findings
• planning regular testing, updating and maintenance management

Directive NIS 2 to download

• Directive EU 2016/1148 NIS 2 in PDF