6 January 2025

NIS2 – I want to comply. What now?

In our last blog post, we wrote about whether the NIS2 directive applies to UK businesses or not. Although Brexit means that UK businesses are “exempt”, there are some exceptions – such as trading with organisations within the EU and becoming part of their supply chain – that would make it beneficial for UK businesses to comply with the NIS2 directive. Additionally, the UK Cyber Security & Resilience Bill may adopt many of the features of the NIS2 directive in future.

For this reason, it may be practical and expedient to comply with NIS2. But there is a better reason: adhering to the stipulations within the directive will help improve your organisation’s security posture regardless of whether you need it for compliance purposes.

With that in mind, this blog will delve into the features of the NIS2 directive.

What should I focus on?

There are four key Articles in the NIS2 Directive that organisations need to prioritise. These areas are crucial as they relate to increased accountability, cybersecurity risk management obligations, more stringent reporting requirements, and certification.

The four Articles that matter most to UK businesses are Articles 20, 21, 23 and 24. See below for a summary of our guidance:

Article 20: Governance
 
This Article holds management bodies of essential and important entities accountable for approving and overseeing the implementation of risk management measures. They are also ultimately liable for non-compliance or gross negligence. Additionally, Article 20 requires management bodies to undergo regular training and ensure similar training is provided to their employees. Management must guarantee that employees have sufficient knowledge and skills to identify risks and assess cybersecurity practices and their impact on services.

Article 21: Cybersecurity Risk-Management Measures

This Article mandates that entities implement appropriate and proportionate technical, operational, and organisational measures to manage risks to network and information systems. Essential and important entities must establish and maintain a cybersecurity framework suitable for their service provision, whether it is an Information Security Management System from the ISO 27000 series for IT environments or a Cybersecurity Management System from ISA/IEC 62443 for Industrial Automation and Control Systems (IACS). Various frameworks with customisable security controls are available to meet the organisation's needs.

Article 23: Reporting Obligations

This Article introduces more stringent reporting requirements than the original NIS Directive. Essential and important entities must report significant cyber incidents to their relevant Computer Security Incident Response Team (CSIRT). An incident is considered significant if it can cause severe operational disruption or financial loss for the entity, or considerable material or non-material damage to individuals. The process for reporting significant incidents has become more detailed.

Article 24: Use of European Cybersecurity Certification Schemes

This Article requires organisations to demonstrate compliance with Article 21 by using ICT products, services, and processes, developed internally or sourced from third parties, certified under European cybersecurity certification schemes. It also encourages the use of qualified trust services. These schemes aim to harmonise the recognition of cybersecurity levels across the EU.

If you wish to use an EU-wide scheme to demonstrate your organisation’s cybersecurity standards, Claranet can help you achieve your ISO 27001 accreditation.

How can I prepare my organisation?

If you are unsure how to implement changes that comply with the stipulations made in Articles 20 and 21, there are a number of things organisations can do. The list below is not exhaustive, but it contains a few practical measures that organisations can consider.

Access control and asset management

Understanding and cataloguing your assets is crucial for their protection. Identify all devices, data, systems, and people as assets. Determine their locations, ensure they are stored securely, understand their functions, identify their interactions with other assets, evaluate their vulnerabilities, and assess the threats they face. Prioritise them based on these factors. The more comprehensive and detailed your knowledge, the better you can protect these assets.

To get started, you can conduct an IT asset mapping exercise to help you build a risk register. As we have written elsewhere, if you are unsure where to begin, work with Claranet to conduct a Security Risk Assessment.

As well as understanding what assets you have, discovering which security vulnerabilities exist within those assets and how attackers could exploit them is essential to protecting your organisation. Work with a penetration testing provider who can help you understand how to tackle security vulnerabilities throughout your organisation and how you can put in place defences to slow and contain attackers.

Policies and procedures

Develop clear policies and procedures to support your cybersecurity efforts. Use your Governance Framework to create policies that define processes for risk analysis and information security. These policies should be designed to allow for ongoing review and improvement.

If you do not have policies for assessing and managing cyber risks, Claranet can help you through your ISO 27001 accreditation or use a Security Risk Assessment so you can understand where to begin.

Secure lifecycles

Ensure that security is integrated at every stage of a product or system's lifecycle, from acquisition, development, and maintenance to disposal. This aligns with the defence-in-depth philosophy, which involves setting and adhering to security requirements, product specifications, guidelines for handling and disposal, and processes for vulnerability management and disclosure.

Partner with an accredited penetration testing provider to ensure that you have a thorough list of the vulnerabilities present in any asset or system.

Supply chain

The supply chain can be a significant vulnerability, as many recent attacks have targeted this area. Understand what your suppliers have access to, including both physical and data assets, and how they secure them. Obtain assurances that your suppliers and third-party providers take security seriously and are protecting critical assets.

If you are unsure how to go about vetting third-party suppliers for their information security practices, a good starting point is to follow Claranet’s checklist.

Business continuity and incident response

To lower the risk of disruption to business continuity, you should build defensive measures to discover cyberattacks and halt their progress before they can cause greater damage. One way of doing this is to contract an expert Security Operations Centre (SOC) that can provide Endpoint Detection and Response and Managed Detection and Response services.

Given the strict reporting requirements and tight deadlines imposed by NIS2, it is essential to have a clear and detailed incident response plan. When an incident occurs, your organisation must know what information needs to be collected, reported, and prioritised, especially in the event of multiple incidents. Establish clear escalation procedures and identify the appropriate contacts for incident reporting.

Cyber hygiene and training

Human resources are both the greatest asset and potential vulnerability in any organisation. Ensuring that your staff are aware of cyber threats and possess the necessary knowledge and skills is crucial. NIS2 mandates training for management bodies, who must then provide training to their staff. Determine the required skill and knowledge levels for various roles within your organisation and develop a combination of awareness campaigns and training programs. These should be continuously reviewed and updated to address the organisation's needs and threat landscape.

Claranet provides some of the world’s most sought-after cybersecurity training courses, and has been a leading training provider with industry partner Black Hat.

Key compliance areas stipulated by NIS2

Duty of care:

Conduct a risk assessment and based on its findings, take measures to ensure business continuity and protect the information being used.

Duty to report:

Report incidents that might disrupt the provision of essential services to the supervising authority within 24 hours. The need to report an incident depends on factors such as the number of people affected, the duration of the disruption, and potential financial losses. For more information, see Article 23: Reporting Obligations.

Supervision:

Organisations in certain sectors covered by the NIS2 directive will be under supervision to ensure compliance with the directive's obligations, including the duty of care and the duty to report. Board-level reporting should include a comprehensive set of strategic Key Performance Indicators (KPIs) and, where applicable, Key Risk Indicators (KRIs) to assess risk and provide evidence of compliance. These metrics can also be used to assure the performance of critical third-party suppliers and may be relevant for compliance with the UK’s forthcoming Cyber Security & Resilience Bill.

Examples of useful KPIs

  • Number of security incidents: Track the number of security incidents and breaches within a specific period. A lower number of incidents indicates effective security measures and compliance.
  • Patch management compliance: Measure the adherence to timely patch management by assessing the percentage of critical vulnerabilities patched within a set timeframe, indicating proactive security maintenance and compliance.
  • Employee training completion rate: Monitor the percentage of employees who have completed mandatory cybersecurity training. A high completion rate reflects a culture of security awareness and compliance with training requirements.
  • Third-party threat assessment: Evaluate the frequency and comprehensiveness of third-party risk assessments conducted. Measure the percentage of critical third-party vendors assessed for cybersecurity risks to ensure compliance with supply chain security requirements.
  • Incident response time: Measure the time taken to respond to and resolve security incidents. A quicker response time indicates efficient incident management processes.
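As an added illustration (not part of the original post), the Python below computes two of the KPIs above from constructed sample records and also flags whether each significant incident's 24-hour notification under Article 23 is on time, pending or overdue. The record fields, the 14-day patch SLA and the sample values are assumptions, not anything the post or NIS2 itself prescribes.

```python
from datetime import datetime, timedelta

# Constructed sample records (not from the blog post): vulnerability and incident
# entries as a risk register or ticketing system might export them (ISO 8601 dates).
VULNS = [
    {"id": "V-1", "severity": "critical", "found": "2024-11-01", "patched": "2024-11-10"},
    {"id": "V-2", "severity": "critical", "found": "2024-11-05", "patched": None},
    {"id": "V-3", "severity": "critical", "found": "2024-11-20", "patched": "2024-12-30"},
    {"id": "V-4", "severity": "high", "found": "2024-11-02", "patched": "2024-11-03"},
]
INCIDENTS = [
    {"id": "I-1", "significant": True, "detected": "2024-12-01T09:00",
     "resolved": "2024-12-01T15:00", "reported": "2024-12-02T08:00"},
    {"id": "I-2", "significant": True, "detected": "2024-12-10T22:00",
     "resolved": "2024-12-12T10:00", "reported": None},
    {"id": "I-3", "significant": False, "detected": "2024-12-15T11:00",
     "resolved": "2024-12-15T12:30", "reported": None},
]

def _dt(s):
    return datetime.fromisoformat(s)

def patch_compliance(vulns, sla_days=14, severity="critical"):
    """KPI: % of `severity` findings patched within sla_days; unpatched ones count as missed."""
    relevant = [v for v in vulns if v["severity"] == severity]
    if not relevant:
        return 100.0
    on_time = sum(1 for v in relevant if v["patched"] is not None
                  and _dt(v["patched"]) - _dt(v["found"]) <= timedelta(days=sla_days))
    return round(100 * on_time / len(relevant), 1)

def mean_resolution_hours(incidents):
    """KPI: mean time from detection to resolution, in hours."""
    hours = [(_dt(i["resolved"]) - _dt(i["detected"])).total_seconds() / 3600 for i in incidents]
    return round(sum(hours) / len(hours), 1)

def reporting_status(incidents, now, deadline_hours=24):
    """For each significant incident: was the notification made within the deadline
    ('on_time'/'late'), or is it still 'pending' or already 'overdue' as of `now`?"""
    status = {}
    for i in incidents:
        if not i["significant"]:
            continue
        deadline = _dt(i["detected"]) + timedelta(hours=deadline_hours)
        if i["reported"] is not None:
            status[i["id"]] = "on_time" if _dt(i["reported"]) <= deadline else "late"
        else:
            status[i["id"]] = "pending" if now <= deadline else "overdue"
    return status
```

Counting unpatched findings as missed keeps the patch KPI from improving simply because tickets were never closed; the reporting check is the one worth wiring to an alert, since an "overdue" entry is a missed statutory deadline rather than a trend.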

Getting ready for compliance

Although the UK Cyber Security & Resilience Bill may be a year away from implementation, NIS2 is due to come into effect in some countries in just a few months. Companies must be prepared to comply and should not delay their efforts. Third-party consultancies can assist organisations on their path to compliance.

For more information on how you can improve your security posture and demonstrate the security of your organisation, contact Claranet today.