NIS2 – an easy, two-day effort, I’ve heard it said. In practice it is rarely that simple, and the directive calls for a more comprehensive approach, especially in organizations where administrative cybersecurity has previously taken a back seat. The national legislation implementing the NIS2 EU directive applies from this October (17 October 2024). Now, at the latest, organizations should examine the matter more closely.
What is NIS2?
The European Union’s Network and Information Security Directive, NIS2 (Directive (EU) 2022/2555), entered into force in January 2023, and member states must apply the national legislation transposing it from 17 October 2024. NIS2 is an expanded and updated version of the original NIS directive of 2016. Its purpose is to improve member states’ capabilities to combat cyber threats and to harmonize the level of cybersecurity across member states. NIS2 targets sectors critical to society, such as healthcare, energy, transport, finance, public administration and the ICT sector, and sets minimum requirements for the cybersecurity of organizations in those sectors. Organizations must be able to demonstrate compliance with these minimum requirements when asked to.
I personally consider the arrival of the directive to be genuinely positive and welcome. It covers a very broad range of cybersecurity areas and provides a good foundation for further developing cybersecurity. Responsibility for the obligations of the NIS2 directive also extends beyond organizations’ IT departments. Now, at the latest, the gap between IT management and general management in cybersecurity matters will close, as the framework’s obligations extend to the leadership level. Secondly, I would highlight the general emergence of the administrative cybersecurity aspect in organizations. Especially in small and medium-sized enterprises, cybersecurity improvements are often made at a technical level, and there’s nothing wrong with that, but a comprehensive overview with cybersecurity strategies may not have been considered. Organizations should consider answers to questions such as: What purpose do we aim for and address with technical changes? What requirements are placed on us by different stakeholders? What cybersecurity framework do we follow?
Is everything clear concerning the directive?
There is still some ambiguity about whether the NIS2 directive applies to a particular organization. The sectors are specified at a high level, clarifications have been requested for at least some of them, and certain areas leave room for interpretation; further guidance is hopefully forthcoming. It is important to note, however, that even an organization that does not fall directly within the scope of NIS2 may, as part of a supply chain, be required to demonstrate its level of cybersecurity to a customer that does.
One of the areas of the NIS2 directive is supply chain security, which includes verifying the cybersecurity level of suppliers and partners. Generally, NIS2 targets organizations in critical sectors that are at least medium-sized: 50 or more employees, or an annual turnover and balance sheet total exceeding 10 million euros. The sectors covered are divided into sectors of high criticality (essential entities) and other critical sectors (important entities). The risk-management requirements are the same for both, but essential entities are subject to proactive supervision and to higher maximum fines for non-compliance, whereas important entities are supervised reactively, after the fact.
Essential Sectors (sectors of high criticality)
- Energy
- Transport
- Banking and financial market infrastructures
- Healthcare
- Drinking water and wastewater
- Digital infrastructure and ICT service management
- Public Administration
- Space
Important Sectors (other critical sectors)
- Postal and courier services
- Waste Management
- Chemicals
- Food
- Manufacturing
- Digital providers
- Research
NIS2 - Cybersecurity Areas
NIS2 sets minimum requirements across thirteen cybersecurity areas. The main themes can be grouped as administrative, technical, and human-centric. The administrative theme includes, among other things, defining and documenting cybersecurity objectives, holding management reviews, and leadership’s commitment to cybersecurity management. It also includes the obligation to report significant cybersecurity incidents to the authorities within fixed time limits: an early warning within 24 hours of becoming aware of the incident, an incident notification within 72 hours, and a final report within one month. Technical requirements include, for example, system logging and the detection of cybersecurity incidents, as well as backup solutions as part of continuity management. An example of the human-centric theme is regular cybersecurity training for the organization’s employees. There are, of course, many other subject areas besides those mentioned above; in summary, this is a very comprehensive set of requirements.
How to get started with NIS2?
With NIS2, it is advisable to start by conducting a gap analysis, which gives an understanding of the current state of cybersecurity: what needs attention, and what the organization may already handle well. I warmly recommend using a cybersecurity management system that supports the NIS2 framework. One excellent product is the Finnish Cyberday’s Digiturvamalli (Digital Security Model), which we also use ourselves. Compliance can also be worked on using the free Cybermeter (Kybermittari | Kyberturvallisuuskeskus) provided by the Finnish National Cyber Security Centre.
Why did we at Above IT start preparing for NIS2?
Above IT may not directly fall within the scope of the NIS2 directive. However, we interpret that all IT companies should practically meet NIS2 requirements. For example, larger clients in our target group and those in socially critical sectors are very likely to impose requirements on us within their supply chain. It was also clear to us that we want to ensure and, if necessary, demonstrate that our operating methods and the services we offer are in line with these requirements. Furthermore, NIS2 provided us with a good foundation to start working on the requirements of the ISO/IEC 27001 information security framework in the near future.
Conclusion
Meeting the NIS2 requirements does not make an organization finished with cybersecurity, but it provides an excellent foundation for managing cyber threats. In my opinion, every organization should meet these minimum requirements, whether the requirement officially applies to the organization or not. From experience, I can say that even just conducting a gap analysis according to the NIS2 framework as an exercise helps bring comprehensive visibility into the current state of cybersecurity.
On Thursday, August 22nd, at 9:00 AM, we held a webinar where the topic was discussed more broadly, as well as how the directive should be considered regarding the Microsoft 365 service.
Check out the webinar recording here: Webinaari: Microsoft 365 ja NIS2 vaatimukset – ABOVE IT (Webinar: Microsoft 365 and NIS2 requirements).
Above IT is a partner and resource for IT management. In the field of administrative cybersecurity, we build a bridge over the gap between organizational leadership and IT management. As our client, you gain genuine expertise in cybersecurity and data protection development, as well as support and security amidst global upheavals! If you want to step above IT with us, contact us by clicking the link below!