Unlocking business value through NIS2 compliance

Published 12 December 2023

The EU has passed new legislation on cybersecurity called NIS2, which will become effective in October 2024. In this whitepaper, we provide our recommendations on how to handle NIS2 in practice based on previous experience in supporting customers on their NIS2 journey.


We aim to provide you with useful considerations to ensure a data-driven, validated approach to the implementation and maintenance of a cybersecurity programme – both in line with NIS2 and regular cyber hygiene. Our approach will help you reach and maintain a defensible position for security and compliance.


NIS2 in a nutshell

In December 2022, the EU passed directive 2022/2555 on measures for a high common level of cybersecurity in the EU (the “NIS2” directive). 


NIS2 defines a broad range of sectors of critical importance to society and introduces stringent cybersecurity risk governance and management measures for entities within these sectors. NIS2 also requires that top management is actively involved in cybersecurity decision-making and regularly trained in cybersecurity risk management. Besides that, a tight 24-hour reporting obligation for incidents is introduced.


Since the adoption of NIS2 in the EU, we have helped numerous clients across sectors such as pharma and life science, the food and beverages industry, technical service providers, publicly owned companies, infrastructure, energy etc. with a practical approach to the implementation and operation of NIS2 compliance efforts.


Based on these projects, we have compiled our experience to create this whitepaper to help your organisation kick-start your NIS2 journey. As such, in this whitepaper, we will help you with a tangible and practical methodology to approach NIS2 applicability and potential implementation in your organisation.


We will go through our recommended approach to NIS2 implementation and provide you with a detailed blueprint to follow, considering all steps from assessing whether you are covered to identifying and remediating gaps to how to maintain and develop the maturity level over time.


An efficient and value-adding way of working

Before we dive into the implementation details, let us discuss the approach and mindset we recommend for NIS2.


In our opinion, NIS2 adoption should not be treated as a one-time project, as this often leads to compliance and security efforts falling short. Typically, a large project is launched, gaps are identified and addressed, and then progress stagnates.


If you take this traditional approach, you may achieve momentary compliance and security, but it will not maximise your investment potential.


In our view, the most effective approach is to see NIS2 implementation as the beginning of an ongoing process. While there will be an initial phase to enhance your capabilities, it is equally important to continually maintain and improve those capabilities over time.


This sustained effort is where you will truly see a return on investment, not only in terms of improved security and compliance but also in building trust and value with your stakeholders and within your organisation. 


Implementation blueprint

Now that we have clarified the approach, we can move on to the actionable steps we recommend organisations take. In our view, reaching a defensible NIS2 position requires the completion of four steps:

  1. Assessing applicability.
  2. Evaluating current gaps in compliance.
  3. Prioritising efforts and creating and executing a road map.
  4. Maintaining and continuously improving security capabilities.

Step 1: Assessing applicability


To begin with, it is essential to determine which segments of your organisation fall under the scope of NIS2. During this evaluation, it is critical to bear in mind that NIS2 requirements apply to individual legal entities. Therefore, if your organisation encompasses multiple legal entities, such as a group of companies, you should ideally conduct a separate assessment for each entity.


The conditions for an entity being covered by NIS2 are the following:

  1. The entity must be established in the EU or conduct its activities in the EU.
  2. The entity must be covered by the sectors listed in NIS2.
  3. The entity must meet threshold requirements.

We will not go into the specifics or legal details of each requirement. Instead, we will give some practical notes on how to approach each of them.


First, if your organisation consists of many legal entities, consider bundling them before making the assessment. For example, we have helped a client that was a group of companies consisting of around 400 entities. For this client, instead of making 400 different assessments, we bundled the different entities into clusters corresponding to the different types of entities in the organisation (for instance, production, distribution, sales and administration) as well as geography (e.g. “EU” vs “non-EU”).


Second, when determining threshold requirements, it is important to adhere to a general principle that involves considering what are known as “linked enterprises.” This means that if various segments of your organisation are interconnected in some way, whether through shared services, common infrastructure, shared leadership or similar connections, you do not need to allocate excessive resources to assess whether you meet the threshold requirements [1].


Third, NIS2 may also apply indirectly to other parts of your organisation than those directly in scope. This is because NIS2 encompasses the supply chain, which includes your internal supply chain. So, when mapping out which parts of your organisation fall under NIS2’s purview, be sure to account for any additional entities that could potentially impact the risk exposure of those directly within the scope.


In essence, consider how interactions between the entities directly covered by NIS2 and other entities might contribute to an increased cybersecurity risk.


Fourth, use the results of the applicability assessment actively in the other steps as outlined above. Instead of only seeing the applicability assessment as a compliance exercise, use its results when you scope your gap assessment and implementation efforts to ensure that you prioritise the areas of your organisation that are directly in the scope of NIS2.


Step 2: Evaluating current gaps in compliance


For those parts of your organisation that are directly or indirectly in the scope of NIS2, it is essential to identify and evaluate your existing gaps in compliance.


The gap assessment should be based on the specific cybersecurity governance and management requirements in NIS2 [2].


First, because NIS2 is very generic and abstract in its requirements, we recommend supplementing these statements with more specific controls when performing the gap assessment. 


While any established information security framework could be used for this exercise, we have had positive experiences with ISO 27001 and CIS 18. 


Therefore, we recommend utilising the pertinent controls found in Annex A of ISO 27001 to enhance and clarify the risk management requirements in NIS2. Furthermore, CIS 18 controls can serve as a valuable foundation for verifying the status of technical controls.


It is important to note that this approach does not transform the gap assessment into a comprehensive ISO 27001 or CIS 18 assessment. Many requirements and controls within ISO 27001 or CIS 18 may not explicitly fall within the scope of NIS2 [3]. However, by aligning NIS2 requirements with applicable controls from these frameworks and grounding the assessment in established information security best practices, you can yield considerably more valuable and actionable results.


Second, when assessing whether each of the requirements in NIS2 is fulfilled, we recommend assessing the current maturity of each control against the NIS2 requirements. This will give you a more granular result and make it easier to prioritise implementation efforts. You can base the control maturity assessment on any existing scale or create your own [4].


Third, when assessing current capabilities, it is essential to take a two-pronged approach. Consider gaps from a risk management perspective, which involves establishing a baseline against your policies, procedures and the roles and responsibilities in your organisation. Also, assess them from a technical security perspective, baselining them against your operational security capabilities. This dual approach will provide insights into the existence, communication and adherence to policies and procedures as well as the effectiveness of your current controls in mitigating risks.


Step 3: Developing and implementing a strategic road map


Based on the identified gaps across your organisation, you should determine which gap-closing activities to complete and in which order, and capture this in a road map that you then execute.


We cannot overemphasise how important it is to prioritise efforts and create a road map before starting implementation. This approach will allow you to identify dependencies and the most important measures to start with, allowing for efficient and effective security improvements with little resource strain. 


When prioritising and creating your road map, we recommend that you consider at least these factors:

  1. Gaps related to risk governance and management should be handled first.
  2. Areas where security can be uplifted most easily should be prioritised.
  3. Areas where even a small, well-documented security improvement would require a large effort should not be prioritised initially.
  4. Gap-closing activities with interdependencies should be addressed together.

First, when creating the road map and implementing NIS2, allow yourself to become smarter. We are still in the early days of NIS2’s lifespan, and case law and authority guidelines will help remove some of the uncertainties in the current phrasing of the NIS2 requirements. This does not mean that you should not begin now. It does, however, mean that you should prioritise apparent and obvious security and compliance gaps over potential minor uplifts that might be affected by case law, guidelines and the like.


Second, it is crucial to bear in mind that the successful execution of your road map relies on having the right people in place. Consequently, obtaining support from management and securing the necessary resource allocation should be a top priority before embarking on the journey. If you discover that the current resource allocation is not sufficient to reach an appropriate level of security and compliance, initiate a dialogue with management. While it is not guaranteed that additional resources will be allocated, this discussion should involve gaining management’s approval for prioritising certain gap-closing activities or extending their completion timelines as needed.


Third, remain firm on the security impact you want to achieve but stay soft on the specific deliverables. Compliance requirements, threat landscapes and business needs may change, and your road map must be flexible enough to accommodate such changes.


Fourth, be pragmatic. Perfect is the mortal enemy of the good, and it is not advisable to strive for perfect compliance in the first iteration. Therefore, stay rational throughout implementation efforts and have the courage to finalise the implementation phase even if you do not consider the situation perfect.


Step 4: Maintaining security capabilities


This marks the transition from project mode to operational mode, and navigating this phase can be challenging. To ensure that NIS2 adds lasting value, it is imperative to embrace a growth mindset. This means empowering your organisation to continually improve and acknowledging that achieving one hundred per cent compliance and security may not be entirely feasible or needed.


To adopt this approach, we have summarised our four most important learnings.


First, you should develop clear reporting metrics. You can design your own reporting metrics, but we generally recommend that you take inspiration from a known framework such as ISO, NIST, CAF or CIS. If reporting is new to you, we also recommend starting out light. Begin by defining the goals and key objectives of your security maintenance work in line with your business strategy. Be as specific as possible. Consider whether your goal for NIS2 is, for instance, to reach a minimally viable position for compliance, to continuously grow in line with your sector or to be “best in class” in your domain.


Based on your goals, define specific metrics such as key performance indicators (KPIs) to support you in reaching those goals. To develop effective KPIs and metrics, it is important to consider a few factors, including the data sources and tools you will use to measure progress, and the frequency and format of reporting. It may also be helpful to establish a baseline for each KPI so you can track progress over time and identify areas for improvement. 


Second, management should be involved on a continuous basis. Just like in the gap identification and remediation phases described above, management should be involved in defining targets, establishing budgets and agreeing on a cadence for reporting on your maturity progression. When reporting to management, it is crucial to be brave enough to show both successes and failures. 


This will allow management to make informed decisions about your security journey, including accepting any risks that are not handled or allocating additional budgets.


Third, readopt a project-based approach when necessary. It is important to remain flexible and recognise that factors outside your control may render completed gap identification and remediation insufficient, requiring further resources for a short amount of time. Therefore, it may be necessary to go back into “project mode” to ensure that required security uplifts which are too big to be handled in operations are addressed. 


Fourth, support, train and develop. As you expand your NIS2 activities, your leadership and operational teams will need training and upskilling to bring your practices and new technology in-house.


Closing remarks

Every organisation is different, and it is very important to tailor the presented approach to your organisation and context. Some steps of the approach may not be as relevant to your organisation or may be completed swiftly while others may require more extensive efforts.


If you are interested in learning more about NIS2 and how we can support you on the journey, feel free to reach out.

Sources

[1] This is also because the threshold values are rather low: they can be as low as 50 employees together with a balance sheet total and/or annual turnover of EUR 10 million.

[2] Articles 20-21 of NIS2.

[3] Conversely, there are some specific elements of the NIS2 Directive that may not be completely covered by best practice controls.

[4] CMMI stands for Capability Maturity Model Integration and assesses the maturity of a control on a scale from 1 to 5 (1: initial, 2: managed, 3: defined, 4: quantitatively managed, 5: optimising). Generally, NIS2 compliance requires maturity between 3 and 4.
