5 Reasons Why NIS2 Directive Preparation Should Start Now, Part One: Audits Take Time
You probably heard about the European Union’s updated Network and Information Security Directive (NIS2). This directive will translate into active law in October 2024. You should be ready for it, as there are high fines and sanctions for non-compliance.
But you might be tempted to think that October 2024 is far away, right? Think twice.
After all, how can you know if you have plenty of time to prepare if you don’t know how well you currently comply with the projected regulations?
So, between now and October 2024, you must audit your current cybersecurity status. Specifically:
- Identify gaps in meeting the NIS2 directive’s requirements, starting now
- Review your current supply chain security flaws
In the second part of this series, I’ll review the three areas you’ll need to address to fix the gaps your audits uncover — including how to:
- Inform management about your cybersecurity gaps.
- Implement new organizational and technical security measures correctly.
- Find time to train all of your employees.
1. Identify gaps in meeting the NIS2 Directive's requirements, starting now
The NIS2 Directive is the EU-wide legislation on cybersecurity that provides legal measures to boost the overall level of cybersecurity in the EU. It modernises the existing legal framework to keep up with increased digitization and an evolving cybersecurity threat landscape.
The directive expands the scope of the cybersecurity rules to new sectors and entities, improving the resilience and incident response capacities of public and private entities, competent authorities and the entire EU.
The NIS2 directive outlines increased measures for resilience against cyberattacks to minimize vulnerabilities and improve cyberdefense.
To comply with the NIS2 Directive, you must:
- Assess your cybersecurity posture and identify any gaps or weaknesses that may expose you to cyber risks.
- Map your existing policies, procedures and controls to the directive's requirements and see where to improve or update them.
- Evaluate your incident response capabilities and reporting mechanisms and ensure they align with the directive's standards.
A big problem with the NIS2 is that it tells you what you should do, but not how you should do it. Luckily, multiple frameworks can help you with the how, including:
In Belgium, the CCB has created a Cyberfundamentals Framework based on multiple frameworks with references to how the different parts of the frameworks relate to the GDPR and NIS2.
After selecting the framework, you must identify gaps in relation to the chosen framework and the directive's requirements. Identifying gaps is not a simple or quick task; it requires a thorough and systematic analysis of your organization's cybersecurity maturity and readiness.
You not only need to check your cybersecurity strategy and policies, but you also need to do a risk analysis to find the most critical assets and the cybersecurity risks they present, then consider security controls to bring down the risk score of those vital assets.
The sooner you start this process, the more time you’ll have to obtain the budget needed to address any issues and implement any necessary changes.
Possible NIS2 environment gaps
Some possible gaps that you may encounter in your environment are:
- Lack of a comprehensive cybersecurity strategy or policy that covers all aspects of risk management, incident response, business continuity, data protection, etc.
- Lack of a dedicated cybersecurity team or function that oversees, coordinates and monitors all cybersecurity activities and initiatives across the organization.
- Lack of adequate security controls or measures for protecting your network and information systems from unauthorized access, use, disclosure, modification or destruction.
- Lack of regular testing or auditing of your security controls or measures to ensure their effectiveness and compliance with the directive's requirements.
- Lack of proper training or awareness programs for your staff, management, other employees or other stakeholders on cybersecurity issues and best practices.
- Lack of clear communication or reporting channels for notifying relevant authorities or parties of any incidents or breaches that affect your services.
Potential security solutions for your environment to comply with NIS2
To identify and fix these security gaps, you can:
- Run gap analysis frameworks or models that help you compare your current state with your desired state and identify areas for improvement.
- Implement cybersecurity maturity models or standards that help you measure your level of cybersecurity performance and progress.
- Conduct a risk assessment to identify your assets, threats, vulnerabilities, impacts and likelihoods of cyberattacks.
- Request external audits or assessments that help you validate your compliance status and identify any weaknesses or deficiencies.
2. Review current supply chain security flaws with enough time to coordinate action with suppliers
The NIS2 Directive also introduces new provisions on supply chain security (chapter 0, point 54, 56), recognizing that cyber threats can originate from third-party providers or subcontractors.
The directive requires organizations to ensure that their suppliers follow appropriate security standards and practices (article 21-2d) and regularly monitor their performance and compliance (article 21–3).
This isn't without reason. Supply chain attacks are on the rise:
In BlackBerry research with over 1500 IT decision-makers in 2022, four-fifths of respondents said they had been notified of an attack or vulnerability in their supply chain within the year. Seventy-seven percent said they uncovered hidden participants in their software supply chain that they weren't previously aware of.
Accenture research also reveals 40% of security breaches are indirect, occurring through the supply chain.
Therefore, securing your supply chain is essential for ensuring business continuity, resilience, reputation and trust.
But in Ivanti’s Press Reset: A 2023 Cybersecurity Status Report, we found that only 42% of the over 1,300 executive leaders and security professionals surveyed said they're prepared to safeguard against supply chain threats, even though 46% call it a high-level threat.
Supply chain threats not only come via attacks on solution providers like Okta, Kaseya or SolarWinds, but also through partners either directly connected to your IT infrastructure or who can log into it.
And don’t forget about attacks on your resource suppliers that may cripple them so they're unable to deliver certain resources you need for your own operations. You have to be prepared and have backup vendors available who can supply those resources if your primary supplier is out of action due to a cyberattack or other cause.
Supply chain security is a complex and challenging issue involving multiple actors, dependencies and interconnections — and cannot be achieved overnight.
You need to:
- Establish clear and transparent communication channels with your suppliers and define your expectations and obligations regarding cybersecurity.
- Conduct regular audits and assessments of your suppliers' security practices and verify that they meet the directive's requirements.
- Establish contingency plans and backup solutions in case of a disruption or compromise of your supply chain.
Furthermore, you must start engaging with your suppliers as soon as possible and work together with them to ensure your supply chain is secure and resilient.
Supply chain security challenges for NIS2
Some possible challenges that you may face in securing your supply chain are:
- Lack of visibility or transparency into your suppliers' security practices, policies, or incidents.
- Lack of trust or cooperation among your suppliers or between you and your suppliers.
- Lack of consistency or alignment in security standards, requirements, or expectations across your supply chain.
- Lack of resources or capabilities to monitor, audit or verify your suppliers' security performance or compliance.
- Lack of contingency plans or backup solutions to mitigate or recover from any disruptions or compromises of your supply chain.
- Lack of information as to what you expect from your supplier’s security practices.
Supply chain security solutions for NIS2
To overcome these supply chain security challenges, you can:
- Establish clear contracts or agreements with your suppliers that specify their security obligations, responsibilities and liabilities.
- Develop common security criteria, guidelines or frameworks that apply to all suppliers in your supply chain and align with the directive's requirements.
- Implement security controls, measures or tools that enable you to track, monitor or verify your suppliers' security activities, incidents or compliance status.
- Create joint security teams, committees or forums that facilitate information sharing, collaboration and coordination among your suppliers or between you and your suppliers.
- Build trust and mutual understanding with your suppliers through regular communication, feedback and recognition.
When your NIS2 Directive audits are complete, now what?
Now that you’ve determined where you currently stand in relation to the NIS2 Directive, it’s time to implement critical changes to ensure compliance by October 2024. I’m certain that addressing the gaps that your audits identified will require all the time you have — and then some! – before the regulations are officially implemented in your country.
But how can you systematically address these gaps in a timely fashion? We discuss the three areas of security changes you’ll need for NIS2 in our next blog post, as we examine how to:
- Inform management about your cybersecurity gaps.
- Correctly implement new organization and technical security measures.
- Find time to train all of your employees.