COMPLIANCE WITH THE EUROPEAN NIS2 DIRECTIVE
The European Union's NIS2 directive introduces new measures to strengthen cybersecurity in the EU, requiring organizations to adopt more sophisticated approaches to manage risks and ensure data protection.
ISGroup guides you to NIS2 compliance through our spot or continuous process that includes services, consulting, and training to implement the necessary countermeasures and meet the directive's requirements, as well as effectively protect information systems.
Description
WHAT IS THE NIS2 DIRECTIVE?
NIS2 is the new EU directive on information systems security. Effective from January 17, 2023, it must be transposed in Italy by October 17, 2024. NIS2 aims to improve the overall level of cybersecurity in the European Union. This community strategy is necessary due to digitalization and new cybersecurity threats.
Organizations subject to NIS2 are divided into essential and important entities. These categories are defined according to sector membership and the size of the organization.
HOW TO MAKE YOUR COMPANY NIS2 COMPLIANT?
NIS2 contains a detailed list of information security risk management measures designed to protect information systems, networks, applications, and in general, companies and entities from potential cyber incidents. These measures include risk analysis, incident management, business continuity, and more.
To comply with NIS2, it is necessary to adopt technical, operational, and organizational measures to manage cybersecurity risks. It is essential to ensure that:
- information security policies are documented, communicated, and evaluated to proactively protect effectively;
- there are well-defined processes to prevent, detect, and respond to incidents;
- manage Backups;
- manage Disaster Recovery;
- have a formal patch management program;
- have and apply encryption policies;
- have a two-factor authentication system to protect critical and remote access.
ISGroup supports its Consultants and Cyber Security experts to complete the project of adapting your organization to the requirements of the regulation and significantly increase the maturity of your management system (or create it from scratch) and the security of your IT systems.
Achieve NIS2 compliance with ISGroup
ISGroup offers a guided path and a complete range of services to help companies meet the minimum compliance requirements of NIS2.
Our approach consists of four main phases:
- Current situation analysis (GAP Analysis): in this first intervention, a complete assessment of the adequacy level concerning NIS2 in which the company is located is drawn up, performing an in-depth and detailed analysis of security policies and practices.
- Drafting of the Remediation Plan: at this point, the ISGroup team will be able to provide a remediation plan, i.e., an "action plan" to correct non-compliance.
- Selection of ISGroup services to cover the requirements: subsequently, and based on the specific needs of the client, the services offered by ISGroup are selected to meet the NIS2 compliance requirements.
- Verification of the remediation plan status: finally, ISGroup verifies the effectiveness of the security measures adopted by the company against the main threats, confirming the achievement of the NIS2 compliance standard.
Maintain NIS2 compliance with ISGroup
ISGroup is an ally that supports you every year to ensure the maintenance of compliance with planned and continuous activities, such as:
- Updating the cybersecurity risk assessment;
- Adopting appropriate security measures;
- Implementing and updating cybersecurity management processes, including:
- Risk management;
- Incident response;
- Communication and training;
- Audit and compliance;
- Ensuring that processes are adequately documented and tested.
- Increasing awareness and training:
- Training employees on good cybersecurity practices;
- Raising awareness of cybersecurity risks and responsibilities;
- Monitoring and updating:
- Continuously monitoring the effectiveness of implemented security measures;
- Updating security measures and processes based on new threats and vulnerabilities.
- Keeping track of compliance:
- Documenting NIS2 compliance activities;
- Being ready to demonstrate compliance to competent authorities.
Are you interested?
Contact us to receive a quote for the services offered by ISGroup to your company.
NIS2 Requirements
|
Minimum requirement for NIS2 compliance |
Security objective |
ISGroup service to meet the requirement |
NIS2 Article 21.aPolicies for risk analysis and information systems security. |
Security policies are documented, communicated, and evaluated |
vCISO - Virtual CISO
|
NIS2 Article 21.bIncident management |
Consider the following: Is there a process to report potential significant incidents? Is a ticketing system implemented to manage and document the triage and response to incident detection? Is there a process to prevent, detect, and respond to incidents? |
vCISO - Virtual CISO
DFIR - Digital Forensics and Incident Response MDR - Multi-Signal MDR |
NIS2 Article 21.cBusiness continuity (BC) |
Backup and disaster recovery management, and crisis management |
vCISO - Virtual CISO
|
NIS2 Article 21.dSupply chain security |
Ensure that security aspects in relationships between each organization and its direct suppliers or service providers are included: Supply chain risks are identified and measures are implemented for risk mitigation |
vCISO - Virtual CISO
|
NIS2 Article 21.eSecurity in the acquisition, development, and maintenance of networks and information systems, including vulnerability management and disclosure. |
The organization is able to identify, monitor, alert, and respond to a threat |
vCISO - Virtual CISO
MDR - Multi-Signal MDR Vulnerability Management Service (MVS) NPT - NETWORK PENETRATION TESTING WAPT - WEB APPLICATION PENETRATION TESTING MAST - MOBILE APPLICATION SECURITY TESTING EH - ETHICAL HACKING |
NIS2 Article 21.fPolicies and procedures to assess the effectiveness of cybersecurity measures |
Cybersecurity policies are documented, communicated, and evaluated for cyber risk management |
vCISO - Virtual CISO
NPT - NETWORK PENETRATION TESTING WAPT - WEB APPLICATION PENETRATION TESTING MAST - MOBILE APPLICATION SECURITY TESTING EH - ETHICAL HACKING |
NIS2 Article 21.gBasic cyber hygiene practices and cybersecurity training. |
Consider the following: Is there a formal patch management and vulnerability management program? Is cybersecurity awareness training conducted regularly? |
vCISO - Virtual CISO
CTS - Cyber threat simulation
|
NIS2 Article 21.hPolicies and procedures for the use of cryptographic techniques, including encryption when appropriate. |
Are policies and procedures implemented for the use of encryption and to establish when to resort to encryption? |
vCISO - Virtual CISO
|
NIS2 Article 21.iHuman resources security, access control, and asset management. |
Are the assets in scope identified, actively monitored, and are vulnerabilities and threats managed? It is essential that all critical processes and related resources are adequately identified, documented, and protected by appropriate security measures. |
vCISO - Virtual CISO
Vulnerability Management Service (MVS) MDR - Multi-Signal MDR |
NIS2 Article 21.jUse of two-factor authentication solutions or continuous authentication, secure voice, video, and text communications, and secure emergency communication systems within the organization, where necessary |
Is two-factor authentication used for critical access (systems/services), remote access, privileged access, and cloud access? |
vCISO - Virtual CISO
|
Mapping between NIS2 controls and ISGroup services
NIS2 Article 21.a
| Minimum NIS2 compliance requirements | Policies for risk analysis and information systems security. |
| Security objective | Document security policies, communicate them, and evaluate them. |
ISGroup services to meet the requirement:
-
Virtual CISO (vCISO)
Security Program Maturity Assessment
Security Policy Review and Guidance
NIS2 Article 21.b
| Minimum NIS2 compliance requirements | Incident management. |
| Security objective |
Create a process for reporting significant incidents. Implement a ticket system for managing and documenting the triage from detection to incident response. Create a process to prevent, detect, and respond to incidents. |
ISGroup services to meet the requirement:
-
Virtual CISO (vCISO)
Security Incident Response Planning
Security Program Maturity Assessment - Digital Forensics and Incident Response (DFIR)
- Multi-Signal MDR (MDR)
NIS2 Article 21.c
| Minimum NIS2 compliance requirements | Business Continuity (BC). |
| Security objective | Backup and Disaster Recovery (DR) management and crisis management. |
ISGroup services to meet the requirement:
-
Virtual CISO (vCISO)
Security Program Maturity Assessment
Security Incident Response Planning
NIS2 Article 21.d
| Minimum NIS2 compliance requirements | Supply Chain Security. |
| Security objective |
Ensure that security aspects in relationships between the organization and its direct or service providers are considered. Identify supply chain risks and implement measures for risk mitigation. |
ISGroup services to meet the requirement:
-
Virtual CISO (vCISO)
Vendor Risk Management
NIS2 Article 21.e
| Minimum NIS2 compliance requirements | Security in the acquisition, development, and maintenance of networks and information systems, including vulnerability management and disclosure. |
| Security objective |
The organization is able to identify, monitor, and alert. It has the capabilities to respond to a threat. |
ISGroup services to meet the requirement:
-
Virtual CISO (vCISO)
Security Program Maturity Assessment - Multi-Signal MDR (MDR)
- Vulnerability Management Service (MVS)
-
Penetration Test (PT)
Network Penetration Testing (NPT)
Web Application Penetration Testing (WAPT)
Mobile Application Security Testing (MAST)
Ethical Hacking (EH)
NIS2 Article 21.f
| Minimum NIS2 compliance requirements | Policies and procedures to assess the effectiveness of cybersecurity measures and information. |
| Security objective | Cybersecurity policies are documented, communicated, and evaluated for proper risk management. |
ISGroup services to meet the requirement:
-
Virtual CISO (vCISO)
Security Program Maturity Assessment
Security Policy Review and Guidance -
Penetration Test (PT)
Network Penetration Testing (NPT)
Web Application Penetration Testing (WAPT)
Mobile Application Security Testing (MAST)
Ethical Hacking (EH)
NIS2 Article 21.g
| Minimum NIS2 compliance requirements |
Basic Cyber Hygiene Practices Cybersecurity Training. |
| Security objective |
Formalize a vulnerability management, Patch, and Change program. Conduct regular cybersecurity awareness training. |
ISGroup services to meet the requirement:
-
Virtual CISO (vCISO)
Security Program Maturity Assessment
Security Policy Review and Guidance -
Cyber Threat Simulation (CTS)
Managed Phishing
Security Awareness Training
NIS2 Article 21.h
| Minimum NIS2 compliance requirements | Policies and procedures for the use of cryptographic techniques. |
| Security objective | Implement policies and procedures for the use of encryption and to establish when to resort to encryption. |
ISGroup services to meet the requirement:
-
Virtual CISO (vCISO)
Security Program Maturity Assessment
Security Policy Review and Guidance
Security Architecture Review
NIS2 Article 21.i
| Minimum NIS2 compliance requirements |
Human Resources Security. Access Control. Asset Management. |
| Security objective |
Identify the assets in scope, perform active monitoring, and manage vulnerabilities and threats. It is essential that all critical processes and related resources are adequately identified, documented, and protected by appropriate security measures |
ISGroup services to meet the requirement:
-
Virtual CISO (vCISO)
Security Program Maturity Assessment
Security Policy Review and Guidance - Multi-Signal MDR (MDR)
- Vulnerability Management Service (MVS)
NIS2 Article 21.j
| Minimum NIS2 compliance requirements |
Use of two-factor authentication solutions or continuous authentication. Secure audio, video, and text communications. Secure emergency communication systems within the organization. |
| Security objective | Use two-factor authentication for critical access (systems/services), remote access, privileged access, and cloud access. |
ISGroup services to meet the requirement:
-
Virtual CISO (vCISO)
Security Program Maturity Assessment
Security Architecture Review
What is NIS2?
NIS2 is the update of an EU directive on cybersecurity. It establishes harmonized rules for the entire European Union.
What is the difference between NIST and NIS2?
The NIS2 Directive, also known as the Network and Information Systems Security Directive, is a crucial framework that sets cybersecurity standards and requirements for companies. NIS2 is a European Union (EU) regulation aimed at improving the cybersecurity of critical infrastructure operators and digital service providers. Its primary goal is to ensure the continuity of essential services and the protection of critical infrastructures from cyber threats. NIS2 builds on the original NIS directive issued in 2016, bringing significant updates aimed at simplifying the implementation process. According to the European Parliament's The NIS2 Directive Briefing document, the three general objectives of the NIS2 directive are:
Increase the level of cyber resilience of a comprehensive set of companies operating in the European Union across all affected sectors.
Reduce inconsistencies in resilience in the internal market in sectors already covered by the directive.
Improve the level of common situational awareness and collective preparedness and response capacity.
Consequently, some key developments of NIS2 include:
Expansion of scope: Under the new directive, all medium and large enterprises in certain selected sectors will fall within the regulatory framework, as well as micro-organizations deemed central to society.
Stricter incident reporting requirements: The regulatory framework lowers the threshold for incidents that must be reported.
Who must comply with NIS2?
Companies in the European Union operating in 11 critical sectors and 7 important sectors must comply with NIS2. The regulation requires these companies to protect their systems from cyberattacks and have effective plans to manage incidents. For specific details on the sectors involved, it is necessary to consult the full text of the NIS2 directive.
What are the NIS2 breach notification rules?
NIS2 imposes strict rules for reporting cyber breaches (Art. 23). Notification must be made "without undue delay," within 24 hours of discovering a significant incident (initial report) and with an initial assessment within 72 hours. This applies even if no personal data is involved.
What are the penalties for non-compliance with NIS2?
Like the GDPR, non-compliance with NIS2 carries heavy penalties. For example, Article 34 of the NIS2 Directive sets the following penalties for non-compliance: for Essential Entities up to €10 million or 2% of worldwide annual turnover, for Important Entities up to €7 million or 1.4% of worldwide annual turnover.
Are you interested?
Contact us to receive a quote for the services offered by ISGroup to your company.
Useful resources:
Working with us is pretty simple, just call the number (+39) 045 4853232 or send an e-mail so that we can get to know each other and discuss about your IT Security needs.
Request a quotation forCOMPLIANCE WITH THE EUROPEAN NIS2 DIRECTIVE