Skip to content
News

How To Prepare for NIS2 Compliance

As cyber threats continue to evolve in complexity and scale, the need for robust cybersecurity measures has never been greater. NIS2 represents a significant step forward in enhancing cybersecurity resilience across the European Union.

Cyber Security
Security
Data protection
NIS2

Organisations must abide by the extensive framework set forth by NIS2 in order to improve cybersecurity and resilience, safeguard sensitive data and vital information systems, and combat new and developing cyber threats.

Who Does NIS2 Apply To?

NIS2 applies to both public and private sector entities that provide critical services or infrastructure, qualify as medium-sized or large enterprises, and operate within the EU. However, some entities will be subject to these new rules regardless of their size.

Member States also have the discretion to include additional entities within the scope of NIS2. Additionally, the supply chains of covered entities may be indirectly impacted by NIS2. One of the key elements of the NIS2 Directive is the implementation of policies, processes, and controls for assessing supply chain security, including risks associated with third and fourth parties.

It is estimated that NIS2 will impact over 100,000 organizations across the EU, expanding the scope from seven sectors to eighteen.

NIS2

What Major Changes Does NIS2 Bring?

NIS2 broadens the scope of the original NIS Directive (NIS-D) by including new sectors based on their level of digitalisation, interconnectedness, and societal and economic importance. Clear size thresholds have been established, bringing all medium and large organisations in selected sectors, including the public sector, under its jurisdiction.

Exemptions are available, and organisations should assess their applicability and whether other sector-specific rules apply. Does your company have over 50 employees or an annual turnover of €10 million? If so, you may be among the thousands of companies affected by NIS2.

NIS2 Compliance Checklist:

1. Governance and Risk Management

  • Define organisational goals and risk tolerance, ensuring the NIS2 compliance framework aligns with strategic objectives and acceptable risk levels.
  • Assign clear roles and responsibilities for NIS2 compliance, specifying accountability in case of non-compliance.
  • Identify and document cyber risks, considering internal and external factors impacting security.
  • Regularly review cybersecurity measures, involving management in the approval and oversight process.

 

2. Cybersecurity Policies and Procedures

  • Document and periodically assess security policies to ensure clarity and effectiveness.
  • Implement formal incident response plans with a detailed ticketing system for incident detection, triage, and response to meet reporting obligations.
  • Secure supply chain interactions, mitigating risks associated with suppliers or service providers.
  • Establish backup management and disaster recovery plans aligned with Recovery Time Objectives (RTOs) to ensure business continuity.

 

3. Technical and Operational Measures

  • Maintain basic cyber hygiene practices and conduct regular cybersecurity training.
  • Secure networks and information systems, emphasising robust vulnerability handling and disclosure practices.
  • Use strong encryption practices for sensitive data, ensuring encryption for data at rest and in transit.
  • Deploy robust endpoint protection and network security measures to prevent unauthorised access and attacks.

4. Security Technologies and Solutions

  • Implement comprehensive security solutions, including SIEM, SOAR, and UEBA tools, complying with standards like Common Criteria EAL3+ and supporting GDPR, Schrems II, and CCPA regulations.
  • Use SaaS solutions that adhere to EU data residency regulations (e.g., GDPR compliance) and secure cloud environments against breaches and unauthorised access.

 

4. Technical Compliance and Certifications

  • Ensure multi-factor authentication and secure communication systems for critical services, particularly for remote or privileged access.
  • Apply relevant security frameworks and comply with standards such as ISO 15408 (technology security) and ISO 27001 (information security management).

 

5. Compliance with Legal and Industry Standards

  • Implement the requirements of NIS2, noting key differences from the original NIS Directive.
  • Ensure cybersecurity strategies meet sector-specific requirements, such as healthcare (HIPAA), energy (NERC CIP), and finance (SOX). Use recognised frameworks like NIST SP 800, ISO/IEC 27001, CIS Controls, and Mitre Attack to strengthen security postures.

 

6. Reporting and Communication

  • Develop capabilities to swiftly detect, analyse, and report significant incidents to relevant authorities (e.g., national CSIRTs) and notify affected stakeholders within required timelines.
  • Document governance processes and cybersecurity efforts comprehensively, using benchmarks like ISO/IEC 27002:2022, and automate reporting processes as much as possible.

 

7. Human Resources and Training

  • Implement HR policies that control access based on roles, conduct regular security assessments, and enforce strict security training and awareness programs.
  • Provide comprehensive training for personnel on cybersecurity best practices, data handling, and compliance obligations.

Contact Ethos

Q1 Grant’s Road,
Greenogue Business Park,
Rathcoole, Co. Dublin
D24 EV8P
+353 (1) 401 1064

Consent(Required)
This field is for validation purposes and should be left unchanged.