NIS2 risk management measures

Threat actors are learning and innovating fast, as evidenced by increasingly sophisticated and frequent cyberattacks. Regulators and law makers are also on the move, so companies will face an increasing regulatory burden.

In this context, the upcoming EU NIS2 directive (full name "Directive on measures for a high common level of cybersecurity across the Union") is perhaps the most relevant: it is now being implemented across EU member states and is expected to be enforced no later than October 2024. Elements of the directive will also influence legislation in neighboring countries that may not be in the EU (yet).

NIS2 more than triples the number of sectors and types of entities affected compared to the current NIS regime, thus involving a big chunk of a national economy. It also introduces corporate accountability, reporting obligations and most importantly risk management measures and assessments.

NIS2 is explicit in terms of these measures and broadens the scope compared to the old directive. Although more clarification will emerge in the upcoming months regarding those measures, it's useful to have them in mind:

1. Risk Management: define internal rules and policies for risk analysis and information system security. Includes security incident management process and risk management framework. Define roles, responsibilities and procedures for risk identification, assessment and mitigation.

2. Incident Handling - Strengthen Your Defenses: effective incident handling is crucial in today's cyber threat landscape. NIS2 emphasizes the need for robust incident response plans to minimize damage and ensure a swift recovery.

3. Business Continuity - Prepare for the Unexpected: implement reliable backup and disaster recovery solutions. Ensure your critical data is protected and recoverable in the event of an incident. Also, includes a plan for handling security incidents and address crisis management.

4. Supply Chain Due Diligence: continuously document your IT suppliers and IT service providers. Assess them via due diligence, security rating services, security certifications, security audits and other risk mitigation techniques. Remediate your contractual, operational or technical vulnerabilities.

5. Security-first approach during procurement: when acquiring, developing or maintaining IT systems, always have its security in mind. Particular focus on vulnerability handling process and disclosure.

6. Review effectiveness: regularly assess the effectiveness of cybersecurity risk-management measures. Define a process and policy on how you assess new risks and how effective are the existing measures.

7. Cybersecurity Training: implement basic cyber hygiene practices and security awareness training. A well-informed workforce is the first line of defense against cyber threats. Equip your employees with the knowledge and skills to identify and respond to potential security risks effectively.

8. Encryption usage: define policies and procedures regarding the use of cryptography and encryption. Pay attention to transport and data-at-rest encryption coupled with access controls. Are these protecting your data and assets in case of a breach?

9. Access control and Asset management: controlling access to your critical systems and assets is paramount to prevent unauthorized access and data breaches. NIS2 highlights the need for robust access control mechanisms combined with pervasive asset management practices.

10. Secure authentication and communication: use multi-factor authentication (MFA) to the broadest extent possible. Secure voice, video and text communications and secured emergency communication systems within the organization.