NIS 2: How to comply with the NIS 2 directive 

July 5th, 2024 Posted in NIS 2 Directive

The NIS 2 directive will come into force in EU countries over the coming months, meaning that organisations in scope should be preparing for compliance in anticipation of the updated law.  

As we have covered in previous blogs in this series, the new directive extends the sectors in scope from 7 to 17. This means that many organisations will need to comply with NIS requirements for the first time. It is estimated that at least 160,000 entities across the EU will fall within scope.

Whilst the laws should come into effect by 17th October, there will likely be delays in some countries. Even then, the relevant regulators (or ‘competent authorities’) will be required to issue guidance and to engage with organisations in scope and these will take time to arrive. Nonetheless, now is the time to start preparing and planning for compliance.  

In this blog we are going to set out the steps we are advising organisations to take to prepare for NIS 2 compliance. This is the sixth article in our series of blogs on NIS 2. Together they provide an in-depth overview of the new directive together with our comments and recommendations for being ready. You can read the other blogs in this series by following the links below: 

How to prepare for NIS 2

We are recommending compliance readiness activities based around the following eight steps:  

Steps to NIS 2 compliance

If you’re in scope of NIS 2, you’re in something of a ‘chicken and egg’ situation because you need to start compliance preparations but don’t have the specific country laws, guidance, and interpretation available yet. 

This is not unusual when new regulations come into force, but whilst you await specifics, there is still foundational work you can undertake and which we recommend you plan for.  

Based on our experience of working with clients in scope of NIS 1 and security compliance in general, we are confident that you will be off to a strong start if you plan your work in line with the steps in the following sections.   

1: Scoping

Does the law apply to your organisation? 

The first step is to confirm your entity is within scope of NIS 2. You should refer to the sectors listed at Annex 1 and 2 of the new directive. There are 10 new sectors added to NIS 2 but some of the 7 sectors carried over from NIS 1 have also been expanded.  

We’d strongly recommend that you involve your legal and/or compliance function in this exercise, because it is ultimately a matter of law. More widely, your preparations for NIS 2 would be best served by a cross-functional group including your legal team in addition to technical specialists.

In which EU countries will you need to comply? 

You should also identify which EU countries you are established in, and in which you provide your services, so you can monitor progress with their local NIS 2 laws and the supporting guidance they publish. There are some useful status trackers available online, including this one from law firm Bird & Bird.

Are you an Essential or an Important entity? 

Assuming you are in scope, you will then need to determine if you are an ‘Essential’ or ‘Important’ entity, using the criteria explained in our blog on NIS 2 supervisory powers. You should take a view on this now and then monitor for changes in countries in which you operate as member states have some discretion on this point.  

This is important because Essential entities are subject to proactive supervision and can expect a higher level of regulatory engagement. Important entities are subject to reactive supervision. This means competent authorities will only engage in supervisory activities with Important entities if they have reason to believe the Important entity does not comply with NIS 2. 

We anticipate that this will result in a two-tier approach to compliance readiness, with Essential entities taking a more strategic and ‘best practice’ approach, and Important entities taking a lighter touch ‘good enough’ approach.

Which of your systems are in scope? 

Depending on the nature of your organisation, it may be the case that not all your systems will be covered by NIS 2. The systems in scope will be those required for your operations or for delivery of your services. In short, this means you should prioritise your efforts on those systems specifically and not on all systems equally. This risk-based approach needs to take account of the impact to your operations or services if systems become unavailable. For some systems, there may be no impact. At the same time, be realistic and take account of important supporting systems, such as auxiliary power, HVAC and safety systems.

2: Gap Analysis

Having validated your scope, we’d strongly recommend that you conduct a gap analysis. When you do so, it’ll be important to be realistic about the standard of your security measures. For example, many organisations we work with believe they have security risk management processes in place, but these are often ad hoc, lacking in detail and insufficiently owned and managed.   

We obviously don’t have country-specific requirements to compare your security against right now, but this should not prevent you from using industry best practice standards as your baseline. You could use, for example, ISO 27001, the NIST Cybersecurity Framework (CSF) or the IEC 62443 suite for industrial control system environments. Another alternative is the UK NCSC Cyber Assessment Framework (CAF), which has been used in the UK in support of NIS 1.

These standards can be mapped against each other and the requirements at Articles 20, 21 and 23 of NIS 2. They will undoubtedly map to the guidance issued by each member state, but we would advise the following two considerations: 

Firstly, the focus for ISO 27001 and NIST CSF is on information security, meaning that most organisations focus on confidentiality. NIS 2 covers information protection, but it is very much a cyber resilience standard, meaning that availability will be the key consideration.

Secondly, both standards cover system recovery following an incident, but we’d recommend placing a greater emphasis on the wider topic of business continuity planning and management for your operations and services. Recovery is just one part of effective business continuity management.  

Running a gap analysis is the basis for creating your NIS 2 improvement plan. Based on our experience of supporting organisations through NIS 1, the competent authorities will likely want to see your improvement plan and to monitor progress against it, especially for Essential entities.  

When developing your improvement plan, be realistic on timescales and prioritise efforts based on risk or the profile provided by your competent authority (i.e. they may require you to improve some areas more quickly than others to address commodity cyber-attacks).  

3: Impact & Risk Assessments

Up-to-date and comprehensive risk assessments will be a minimum expectation for NIS 2. Within your security management system (see Step 4), you will need a documented security risk management procedure and supporting documents. You will also need a defined level of appetite for security risk (generally or specifically for different asset types). The procedure should cover risk identification, analysis, evaluation against your risk appetite, risk treatment, and reporting and monitoring.

When done properly, risk assessments are harder and more time consuming than many organisations assume. You should therefore create your risk management procedure and governance processes early. Together with your information security policy, risk management documents and processes will form the foundation of your security management system.  

Define your risk register format early and keep it updated and controlled. Run risk workshops using a defined threat and vulnerability catalogue. Capture details of all existing controls and their level of optimisation (e.g. you may have IPS-capable next-generation firewalls at the perimeter, but is the IPS function actually enabled, are events logged and forwarded to a central logging solution, are alerts set up, etc.).

You should prioritise your risk treatment on the basis of impact to availability. As such, you should conduct meaningful impact assessments for your network and information systems. These will inform your risk assessments and support the business continuity planning we recommend at Step 6. Your impact assessments would ideally be a business impact analysis (BIA) for all systems/operations in scope. If this is too detailed at this early stage, you may need to take a higher-level approach and to revalidate them at Step 6.  

4: Security Management

You will absolutely need to implement a security management system, which we’ll call an information and cybersecurity management system (ICMS) in this blog. Your information security policy, risk management process and its outputs will form the basis of this.

Policies, standards, procedures, and other documents within the ICMS should establish the framework for security governance (NIS 2 Article 20), risk management measures (21) and incident response and notification (23). The minimum risk management measures (or controls) which must be addressed within the ICMS are listed in NIS 2 and cover: 

  • Policies on risk analysis and information system security. 
  • Incident handling.  
  • Business continuity, such as backup management and disaster recovery, and crisis management.  
  • Supply chain security.  
  • Security in systems acquisition, development, and maintenance, including vulnerability handling and disclosure.  
  • Policies and procedures to assess the effectiveness of cybersecurity risk-management measures.  
  • Policies and procedures regarding the use of cryptography and, where appropriate, encryption.  
  • Human resources security, access control policies and asset management.  
  • The use of multi-factor authentication or continuous authentication solutions, secured voice, video and text communications and secured emergency communication systems within the entity, where appropriate.  

The above are the minimum requirements, and in addressing these you will be compelled to tend to related topics. You will also need to establish processes to operationalise the requirements set out in the policies. This will include systematic processes covering asset management, configuration management, vulnerability and change management.  

If you utilise industrial control systems / operational technology (OT) to provide your services you may need to develop OT specific policies, standards and processes for these systems which differ from your IT systems. These might, for example, establish security zones and conduits and minimum controls for each based on the guidance provided in the IEC 62443 suite of standards.  

The ICMS will need to address supply chain security, business continuity and incident management. These are so important to compliance that we have included specific steps for each of these, but they form a part of your ICMS overall.  

5: Supply Chain

NIS 2 places particular emphasis on supply chain security and the required level of due diligence, to ensure that entities in scope apply more than a tick-box standard of compliance. Account must be taken of supplier-specific vulnerabilities and their cyber security practices. If the supplier provides software, their secure development procedures must be considered.

To meet these requirements, you should establish an approved supplier security management methodology, including individual supplier security due diligence or auditing. Start by tiering your suppliers based on potential impact if they were to suffer a security breach.  

From there apply the highest level of diligence to the highest impact suppliers.  

Create supplier security questionnaires, gather their feedback, and identify vulnerabilities. Then manage these within your risk management framework.  

You should aim to include security requirements and rights to audit clauses in supplier contracts where possible. 

This is an area we specialise in, providing clients, including those in scope of NIS 1, with our SupplyIQ managed services. It is time consuming and can be challenging, which is why organisations often outsource it to organisations like Evalian.

Once again, we’d recommend you start this process early because suppliers are slow to respond and sometimes challenging to get any input from. Changes to contract terms can also necessitate the involvement of in-house or external legal counsel, which can sometimes delay progress.  

6: Business Continuity

Your ICMS will need to address business continuity management alongside security management. We’d recommend starting with a business continuity policy that establishes requirements for business continuity and crisis management plans.

The crisis management plan (CMP) sets out the structure for decision making, communication and response activities in the event of severe business disruption. Larger organisations tend to base their CMP on a Gold-Silver-Bronze structure, with Gold representing executives (strategic), Silver representing organisational management (operational) and Bronze representing individuals handling specific response activities (tactical).

Your business continuity plan (BCP) should address the framework to follow and the activities to be conducted across the organisation in response to a highly disruptive event. The BCP should cover roles, responsibilities, and criteria for invoking the plan. It should also set out continuity and recovery procedures to be followed, including recovery objectives, priorities, and timelines. You should also include BCP training and testing requirements.  

The BCP should be considered a living document which is kept under review and updated in response to changing systems, processes, priorities, and lessons learnt. You should exercise or test it regularly and ensure stakeholders are trained on its context and their responsibilities.  

The BCP should be based on a business impact analysis (BIA) covering your scoped systems and related operations. If you conducted a full BIA at Step 3 (Impact & Risk Assessments), you can use it here. If not, you should plan to conduct one now.

In support of your BCP you will need to develop disaster recovery (DR) and backup procedures. Your DR plan should prioritise your most important systems (based on the outputs from your BIA) and include step-by-step details of how to rebuild or recover systems, including full configuration details. Backup procedures should set out what is to be backed up, when and how, and include requirements for regular integrity and full recovery testing.

7: Incident Management

To be confident of meeting the NIS 2 incident notification requirements you will need to update your cyber incident management plans. We’d recommend creating an incident management framework consisting of an Incident Management Policy, an Incident Response Plan and Incident Notification Procedure.  

The policy should set out your organisation’s expectations for the management of security incidents and provide impact definitions for different types of incidents, which are used for determining escalation, communication and how the incident is managed.  

Lower impact incidents are usually managed through your ordinary incident management process. Higher impact incidents might necessitate the formation of an incident response team. They may also need to be managed within the crisis management structure set out in your CMP, if they lead to major disruption.

Your policy should establish the links between incident management, business continuity and crisis management.

Your incident response plan should address the activities to be performed and procedures to be followed when responding to incidents. It should address the full lifecycle of incident response including preparation, detection and analysis, containment and eradication, recovery and post incident lessons learnt.   

You can learn more about incident response readiness and planning in our guide to incident response.  

Given the enhanced incident notification obligations in NIS 2, we recommend that you establish an Incident Notification Procedure. This should set out the steps to be followed to determine whether the incident has had a “significant impact”, which would make it notifiable. Include the inputs required to make this decision, responsibilities for providing these inputs and the person or role that has been authorised to make the decision and to make the notification.  

The inputs will likely need to come from the incident response team, analysis will likely sit with your legal team, and the final decision may need to be made at an executive level.

As such, the plan must ensure these individuals are involved and provided with all relevant facts required to meet the initial 24-hour early warning notification and the 72-hour detailed notification.

Once established, your incident response plan and incident notification procedure should be exercised. This will help train stakeholders on their responsibilities, enable them to rehearse decision making and test the process. Most importantly, it will help identify areas for improvement.

We recommend exercising your response plan and notification procedure at least annually, and potentially more often for Essential entities.  

8: Security Assurance

Assurance covers the activities that you perform to confirm your security risk management measures are performing as required. Your ICMS should be built around the Plan-Do-Check-Act cycle.

Assurance activities fall within the ‘check’ stage, but they can also provide inputs into other security processes. For example, penetration testing is a form of security assurance in that it validates how security controls are performing. Testing results are also an input into the vulnerability management process. 

We recommend that you establish an assurance programme which defines the minimum assurance activities to be undertaken, how often they should be performed and an annual schedule. As a minimum we would suggest internal auditing, independent audits / assessments, security testing based on system and asset impact, exercising and process testing.  

We’ve covered this in the steps above, but we’d recommend at least annual exercises of your business continuity and incident response plans. Likewise, for your backup processes.  

Record the outcomes of all assurance activities and add them to a tracker (sometimes called a corrective action plan) with follow-up actions, action owner, dates and current status.

We can help with NIS 2 compliance

If the steps in our compliance plan appear daunting, or you need help to resource any of these activities, we can help.   

Evalian’s experienced security compliance consultants can provide you support throughout the process of preparing for NIS 2. We can lead your readiness project or contribute to it as an extended part of your wider team.  

Contact us to arrange a call with our friendly, expert team.  

Written by Sean Huggett

Sean specialises in data protection, information risk and cyber security. He is a qualified barrister, having been called to the Bar in 1998, and started his career as an in-house lawyer working in intellectual property, data protection and commercial contracts. He later progressed into commercial leadership roles, working in a number of sectors before specialising in privacy and security strategy, management and compliance. Sean is also Managing Director at Evalian®. His qualifications include CISM, CISA, CRISC, ISO 27001 Lead Implementer, ISO 27001 Lead Auditor, CISMP, CIPP-E, CIPT & GDPR Practitioner Certificate.