NIS2 aims to improve the security of network and information systems, to protect those systems and their physical environment from incidents, and to ensure effective incident handling that reduces the impact when incidents do occur.
The areas in which NIS2 (Article 21) stipulates that appropriate and proportionate technical, operational and organisational measures must be taken include:
- Policies on risk analysis and information system security
- Incident handling
- Business continuity
- Supply chain security
- Secure system acquisition, development and maintenance (including vulnerability management)
- Assessment of the effectiveness of risk management measures
- Basic cyber hygiene and training
- Policies and procedures for the use of cryptography and encryption
- HR security, including access management
- Authentication (including multi-factor authentication)
Interpretation of the term "appropriate and proportionate technical, operational and organisational measures" will be vital to achieving a fit-for-purpose risk management regime; this will be the subject of a further Insight article.
We expect that many regulated organisations will need to incorporate elements of the following into their change and readiness programmes. The nature and extent of change should be informed by an applicability and gap analysis and should build on the standards already in place:
- Selecting and appointing an EU representative (required for entities that are not established in the EU but offer services within it)
- Updating or establishing policies and standards across the relevant security topics, and implementing them in operational and technical practice
- Conducting risk assessments
- Implementing procedures to evaluate the effectiveness of security measures
- Developing, enhancing and testing plans for handling security incidents, including the new notification obligations and timescales introduced by NIS2 (an early warning within 24 hours of becoming aware of a significant incident, an incident notification within 72 hours, and a final report within one month)
- Enhancing security measures relating to the procurement and development of systems
- Improving ongoing risk monitoring and security risk management of networks and systems
- Strengthening vulnerability management procedures to better identify, remediate and, where appropriate, disclose vulnerabilities
- Providing appropriate cybersecurity training to the general workforce and targeted training to specific user groups (which may include third parties and other suppliers)
- Implementing enhanced security monitoring and/or authorisation procedures for employees with access to sensitive or important data
- Adopting, or improving the coverage and operation of, authentication measures, including multi-factor authentication and, where appropriate, continuous authentication solutions
- Implementing security measures across the supply chain, including the security-related aspects of the relationship between the organisation and its direct suppliers and service providers