Posted on Leave a comment

How to determine the ‘significance’ of a NIS2 incident: a clear guide to the 9 ENISA criteria

The NIS2 Directive introduces a key concept: not all cyber incidents are the same. Some must be reported because they fall into the category of significant incidents.
According to ENISA (Reg. 2690/2024), the security manager’s ‘impression’ is not enough to determine this: nine regulatory criteria must be applied, each with precise thresholds.

The main criteria include:

  • significant economic damage (≥ £500,000 or 5% of turnover)
  • exfiltration of trade secrets
  • CIA compromise caused by malicious action
  • serious operational disruption
  • duration of unavailability beyond sector thresholds
  • degradation of response time
  • impact on health
  • percentage of users affected
  • recurrence in the last 6 months

Each criterion requires specific information, comprehensive data and an objective approach. Performing the assessment ‘by hand’ increases the risk of error, with potential consequences in an increasingly stringent regulatory environment.

👉 Would you like to see a practical example of applied assessment?
Watch the video demo of the NIS2 Incident Significance Manager software.

NIS 2 – T-SCRM is born – the innovative Software for IT Vendor Risk Management

IT Security of the supply chain is no longer a choice, but an obligation.
The NIS 2 Directive and the DORA Regulation require organisations to ensure operational resilience and control over IT and critical service providers.

This is why we have developed T-SCRM, the Windows PC software that simplifies IT risk management with a practical and documented approach:

✅ Assessment of suppliers according to compliance, cybersecurity and reliability criteria
✅ Incident log with severity index (1 = slight, 5 = critical)
✅ Monitoring of contracts and certifications, with alerts on deadlines
✅ Interactive dashboard with risk indicators and graphs
✅ Automatic reports for audits, Supervisory Board 231, NIS 2 and DORA

Who it is aimed at:

  • NIS 2 and DORA consultants
  • IT, Compliance and Procurement Managers
  • DPOs

With T-SCRM you move from Excel sheets to structured, reliable and compliant management.

New Release: Asset Manager NIS 2 – The Essential Software for Full ICT Asset Mapping and Compliance

Are you a company, public body, or consultant navigating the complexities of the NIS 2 Directive?
The Asset Manager NIS 2 software is built specifically to support your compliance journey.

With this intuitive tool, you can:

✅ Register and classify all ICT assets, distinguishing between critical and non-critical
✅ Link assets to business processes and managers for clear accountability
✅ Manage external ICT providers (e.g., cloud services) in one centralized system
✅ Automatically assess risks, known vulnerabilities, and security measures applied
✅ Generate detailed reports for audits and inspections
✅ Manage unlimited companies under one license

Runs on Windows 10 or later – no web connection required

Ideal for:
  • Companies subject to NIS 2
  • Privacy and cybersecurity consultants
  • Public institutions

Learn more & request a demo here:
https://edirama.eu/prodotto/software-asset-manager-nis-2-annual-license/

#NIS2 #Cybersecurity #ICTAssets #RiskAssessment #ComplianceTools #DigitalSecurity #Edirama #CyberResilience #ConsultingTools

How to Develop Your NIS 2 Consulting Business with Edirama’s Professional Kits

The implementation of the NIS 2 Directive and the 2025 ACN Specifications has created a growing demand for consulting services—from essential and important entities to ICT providers working with regulated companies.

For privacy consultants, management systems experts (ISO 27001, ISO 9001, ISO 45001, etc.) and IT auditors, this is the perfect time to expand their services with a concrete and structured offering.

To support this goal, Edirama has developed the NIS 2 Consultant Kit, which includes:

How each consultant profile can use these tools

1. Privacy Consultant / DPO
Offer a “Privacy + Cyber Risk” package by integrating:

  • Impact assessment on critical data processes using the Audit Kit.

  • Incident and continuity plans from the Documentation Kit.

2. ISO Consultant
Offer a “NIS 2 Compliance Add-On” by integrating:

  • ISO/NIS 2 gap analysis (Audit Kit).

  • NIS 2-specific procedures (Documentation Kit).

  • Asset mapping and risk analysis (Asset Manager Software).

3. IT Consultant / Auditor
Provide a practical technical service, including:

  • Asset classification and service mapping.

  • Security measures implementation.

  • Incident simulation and recovery plans.

Example revenue potential:

Consultant Type    Service Offered                 Avg. Price   Clients/year   Annual Revenue
DPO                Privacy + NIS 2 Package         €2,500       10             €25,000
ISO Consultant     NIS 2 Add-On to ISO             €3,500       8              €28,000
IT Consultant      Technical Cyber Risk Package    €5,000       6              €30,000

Now is the time to prepare. The NIS 2 Consultant Kit provides all the tools to start delivering compliant, professional, and high-value consulting services.

ENISA NIS360 2024 report: A comprehensive look at cybersecurity maturity and criticality of NIS2 sectors

Managing artificial intelligence threats with ISO/IEC 27001

The increasing integration of artificial intelligence (AI) into business processes brings both opportunities and new challenges in terms of information security. To effectively address the threats associated with AI, the adoption of ISO/IEC 27001 provides a structured framework for information security management.

ISO/IEC 27001 and AI Security

ISO/IEC 27001 is an international standard that defines the requirements for establishing, implementing, maintaining and continuously improving an Information Security Management System (ISMS). This standard is designed to protect organisations’ information from threats, vulnerabilities and attacks, ensuring confidentiality, integrity and availability of data.

ISO 27001 Controls Relevant to AI

In the field of AI, some specific controls of ISO/IEC 27001 are particularly relevant:

  1. Risk Assessment (Clause 6.1.2): Identify and assess the risks associated with AI systems, considering potential vulnerabilities and specific threats.
  2. Data Security (Clause 8.2): Ensure that data used for training and operation of AI models is protected from unauthorised access and manipulation.
  3. Technical Vulnerability Management (Clause 12.6.1): Implement processes to identify, assess and mitigate vulnerabilities in AI systems, ensuring timely updates and patches.
  4. Access Management (Clause 9.1): Define and control access rights to AI systems, ensuring that only authorised personnel can interact with them.
  5. Security in Development (Clause 14.2.1): Integrate security measures during the development and implementation of AI systems, following secure coding practices and rigorous testing.

Enhancing AI Security with ISO 27001

Implementation of ISO/IEC 27001 helps organisations to:

  • Structure Risk Management: Through systematic risk assessment, organisations can identify and mitigate specific AI-related threats.
  • Establish Operational Controls: Establish operational procedures and policies that ensure the safe and responsible use of AI systems.
  • Ensure Regulatory Compliance: Align with applicable data protection and information security regulations, reducing the risk of penalties.
  • Promote a Culture of Security: Raise staff awareness of the importance of security in the use and development of AI, promoting an organisational culture geared towards information protection.

In addition, the recently published standard ISO/IEC 42001:2023 provides specific guidelines for the management of AI systems, complementing and extending the security measures provided by ISO/IEC 27001.

By adopting an ISO/IEC 27001-based approach, organisations can proactively address AI-related security challenges while ensuring innovation and operational efficiency.

Self-Assessment Checklist:

  1. Risk Assessment
    • Have we identified and assessed the specific risks associated with our AI systems?
    • Is there a documented process for managing AI-related risks?
  2. Data Security
    • Is the data used for training and operating AI models protected from unauthorised access?
    • Have we implemented measures to ensure the integrity and confidentiality of AI data?
  3. Technical Vulnerability Management
    • Is there a procedure for identifying and resolving vulnerabilities in AI systems?
    • Do we regularly monitor vulnerabilities and apply the necessary patches in a timely manner?
  4. Access Management
    • Do we have clearly defined access rights to AI systems?
    • Do we use authentication and authorisation mechanisms to control access to AI systems?
  5. Security in Development
    • Do we apply secure development practices when creating our AI systems?
    • Do we perform regular security tests on our AI models before their implementation?
  6. Regulatory Compliance
    • Are our AI processes aligned with current data protection and information security regulations?
    • Have we documented the measures taken to ensure compliance with applicable regulations?
  7. Security Culture
    • Are our staff trained and aware of AI-related security practices?
    • Do we promote a corporate culture that values information security in the use of AI?

This checklist helps assess the implementation of security controls relevant to AI according to ISO/IEC 27001. A proactive approach to managing these aspects strengthens the overall security of AI systems within the organisation.

Audits Required by the NIS 2 Directive: Types and Compliance Requirements

The NIS 2 Directive (Network and Information Security), adopted by the European Union to strengthen cybersecurity resilience, introduces strict governance requirements for cybersecurity. Among these, conducting regular and targeted audits is a fundamental pillar for ensuring compliance. The audits required by the NIS 2 Directive are essential tools for assessing the effectiveness of implemented measures, identifying vulnerabilities, and preventing security incidents. Below, we analyze the main types of required audits and their relevance.


1. Regulatory Compliance Audit

The regulatory compliance audit aims to verify that the organization meets the requirements set out in the NIS 2 Directive and any related national or sector-specific regulations. This audit focuses on:

  • Security policy documentation.
  • Cybersecurity governance.
  • Incident reporting to competent authorities.
  • Adoption of risk management practices.

Auditors examine the organization’s processes and their adequacy against regulatory standards, such as ISO/IEC 27001, which can serve as a reference framework.


2. Technical Security Audit

Technical audits focus on IT infrastructure and critical systems to assess the robustness of implemented security measures. Key areas include:

  • Network assessment: Analyzing firewall configurations, VPNs, network segmentation, and connection security.
  • Penetration testing: Simulating attacks to identify exploitable vulnerabilities.
  • Vulnerability assessments: Scanning systems to detect software flaws or misconfigurations.
  • Access management: Verifying authentication and authorization controls, with particular attention to multi-factor authentication (MFA).

This audit aims to identify technical weaknesses that could expose the organization to security incidents.


3. Risk Management Audit

The NIS 2 Directive places great emphasis on risk management. Audits in this area evaluate whether the organization:

  • Has correctly identified cybersecurity risks.
  • Has implemented a structured process to mitigate these risks.
  • Maintains an updated risk register and countermeasures.

The goal is to verify the effectiveness of the risk management lifecycle, from identification to continuous monitoring.


4. Incident Response and Business Continuity Audit

The ability to respond to cybersecurity incidents and ensure business continuity is central to the NIS 2 Directive. These audits assess:

  • Incident response and crisis management plans.
  • The ability to recover critical data and systems (disaster recovery).
  • Compliance with reporting timelines for notifying authorities and affected parties.

Verification includes simulations and testing of response and continuity plans to ensure they are realistic and actionable.


5. Supply Chain and Third-Party Audit

With increasing reliance on third parties, the NIS 2 Directive requires organizations to assess the security of their entire supply chain. This audit verifies:

  • Supplier contracts to ensure they include adequate security clauses.
  • Supplier compliance with required security standards.
  • Policies for monitoring and periodically reviewing third parties.

These audits aim to reduce risks arising from vulnerabilities in the supply chain.


6. Periodic and Ad-Hoc Audits

The NIS 2 Directive specifies that audits should be:

  • Periodic: Conducted regularly, with a frequency based on the organization’s risk profile.
  • Ad-hoc: Conducted after significant events, such as a cybersecurity incident or major infrastructure changes.

A combination of regular and targeted audits ensures a constant level of vigilance.


Guidelines for NIS 2 Audits

To ensure audit effectiveness, organizations should:

  • Define an annual audit plan based on risk assessments.
  • Engage internal or external auditors with expertise in NIS 2 compliance.
  • Document all findings and promptly implement corrective actions.

Conclusion

The audits required by the NIS 2 Directive are essential tools for continuously assessing and improving the security of critical infrastructures and IT systems. Implementing a structured and comprehensive audit program is not only a regulatory obligation but also a strategic investment in protecting the organization from increasing cyber threats.

Taking a proactive and systematic approach to audits can make the difference between a resilient system and a vulnerable one. Organizations that integrate these audits into their cybersecurity governance will be better prepared to tackle today’s digital challenges.

The cost of consulting for NIS 2 Directive compliance: practical examples

The NIS 2 Directive, issued by the European Union, has established new cybersecurity standards for operators of essential services and digital service providers. Compliance with these regulations requires specialized expertise, and many organizations turn to expert consultants for support. But how much does NIS 2 consulting cost? In this article, we will explore the key factors that determine the fees and provide practical examples.


Factors influencing consulting fees

  1. Size of the organization
    • Larger organizations with complex IT infrastructures require more detailed consulting, resulting in higher costs.
  2. Type of services requested
    • Some companies need a comprehensive review of their security policies, while others may require specific interventions, such as drafting a Risk Assessment or conducting a Vulnerability Assessment.
  3. Consultant’s experience
    • Professionals with years of experience in cybersecurity and in-depth knowledge of the NIS 2 Directive typically charge higher rates than less experienced consultants.
  4. Duration and complexity of the project
    • A full compliance project may take months, with costs proportional to the hours or working days involved.
  5. Consultant certifications

Practical examples of consulting fees

1. Basic consulting for an SME

  • Scenario: An SME in the manufacturing sector requires an initial assessment of its compliance with the NIS 2 Directive.
  • Tasks performed:
    • Initial analysis of processes and IT infrastructures.
    • Drafting an action plan for compliance.
  • Duration: 5 working days.
  • Average cost: €5,000 – €7,500.

2. Full compliance for a large organization

  • Scenario: An energy company needs to implement all the security measures required by the regulation.
  • Tasks performed:
    • Comprehensive IT infrastructure audit.
    • Drafting security procedures and policies.
    • Internal staff training.
    • Penetration Testing.
  • Duration: 6 months.
  • Average cost: €100,000 – €200,000.

3. Staff training and awareness

  • Scenario: A transportation company wants to train its employees on cybersecurity best practices.
  • Tasks performed:
    • Creating a customized training program.
    • Delivering training sessions in person or online.
  • Duration: 3 training days.
  • Average cost: €3,000 – €5,000.

4. Ongoing consulting services

  • Scenario: A digital service provider requires continuous support to ensure ongoing compliance with the NIS 2 Directive.
  • Tasks performed:
    • Periodic vulnerability monitoring.
    • Regulatory updates.
    • Incident management support.
  • Duration: Annual contract.
  • Average cost: €20,000 – €50,000 per year.

Conclusion

The cost of NIS 2 consulting varies significantly depending on the specific needs of the organization, the complexity of the tasks, and the consultant’s experience. Investing in professional support not only ensures regulatory compliance but also strengthens the organization’s resilience against cybersecurity threats. Therefore, it is essential to carefully evaluate the cost-benefit ratio and choose a qualified consultant capable of providing tailored solutions.

NIS 2 EU Implementing Regulation 2024/2690 – 17/10/2024

Commission Implementing Regulation (EU) 2024/2690 of 17 October 2024 laying down detailed rules for the implementation of Directive (EU) 2022/2555 as regards technical and methodological requirements for cybersecurity risk management measures and further specification of when an incident is considered significant with regard to DNS service providers, top-level domain name registries, cloud computing service providers, data centre service providers, content delivery network providers, managed service providers, managed security service providers, providers of online marketplaces, online search engines and social network service platforms, and trust service providers.

The technical and methodological requirements are described in the annex; the required procedures are available in Edirama’s NIS 2 Documentation Kit.

  1. Information Systems and Network Security Policy [Art. 21.2a NIS2]
  2. Risk management policy [Art. 21.2a NIS2]
  3. Incident management [Art. 21.2b NIS2]
  4. Business continuity and crisis management [Art. 21.2c NIS2]
  5. Supply chain security [Art. 21.2d NIS2]
  6. Security of acquisition, development and maintenance of information and network systems [Art. 21.2e NIS2]
  7. Strategies and procedures for evaluating the effectiveness of cybersecurity risk management measures [Art. 21.2f NIS2]
  8. Basic computer hygiene practices and security training [Art. 21.2g NIS2]
  9. Cryptography [Art. 21.2h NIS2]
  10. Human Resources Security [Art. 21.2i NIS2]
  11. Access control [Art. 21.2i/j NIS2]
  12. Resource management [Art. 21.2i NIS2]

NIS2 and DORA – What Kind of Consulting Opportunities Do They Provide?

As the European Union continues to evolve its cybersecurity and digital resilience framework, the implementation of the NIS2 Directive and DORA (Digital Operational Resilience Act) has opened up new and diverse consulting opportunities. Both frameworks aim to enhance the cybersecurity posture and operational resilience of critical sectors, presenting a valuable chance for consultants to offer expertise. In this article, we’ll explore the consulting prospects these regulations bring to the market and the specific types of support organizations will need.

1. Risk Assessment and Compliance Readiness

One of the primary consulting needs stemming from NIS2 and DORA is helping organizations assess and understand their current level of compliance. Consultants can:

  • Conduct initial gap analyses to identify areas where a company’s current practices fall short of the regulatory requirements.
  • Evaluate risk exposure, including analyzing existing cyber threats, business continuity plans, and potential vulnerabilities.
  • Develop compliance roadmaps by setting up actionable steps for companies to close gaps and align with the new directives.

2. Policy Development and Implementation

Both NIS2 and DORA require organizations to adopt stringent policies covering various cybersecurity and operational resilience areas. This creates a need for consulting services in:

  • Drafting tailored security policies that address the specific requirements of each directive, as well as the organization’s operational and industry needs.
  • Establishing incident response plans that outline structured procedures to react swiftly to cyber incidents, aligned with regulatory expectations.
  • Policy enforcement training to ensure that policies are not only developed but also implemented across all departments effectively.

3. Cyber Hygiene and Awareness Training

One of the cornerstones of both regulations is ensuring that employees at all levels understand the importance of cybersecurity practices. Consulting services can focus on:

  • Developing and delivering cybersecurity training that covers essential topics, including password management, phishing prevention, and secure handling of sensitive data.
  • Building a culture of cyber resilience by instilling best practices through awareness programs that engage all levels of the workforce.
  • Creating training materials and protocols that comply with NIS2 and DORA standards, ensuring consistent, organization-wide understanding.

4. Incident Management and Response Consulting

Incident response is a critical focus in both NIS2 and DORA, which demand that companies have robust mechanisms in place to handle cybersecurity incidents effectively. Consultants can support by:

  • Establishing incident response teams and workflows that align with the directives’ requirements for timely and organized response to threats.
  • Providing simulation exercises to prepare organizations for potential attacks, such as mock phishing campaigns and cyber-attack simulations.
  • Offering post-incident analysis and improvement plans to refine processes based on lessons learned from previous incidents.

5. Business Continuity and Disaster Recovery Planning

NIS2 and DORA stress the need for comprehensive business continuity and disaster recovery (BC/DR) plans to ensure resilience in the face of disruptions. Consultants can assist by:

6. Supply Chain Risk Management

Both directives emphasize the need for enhanced scrutiny and oversight of third-party vendors and supply chains, as vulnerabilities in these areas can expose organizations to risk. Consulting opportunities here include:

  • Assessing third-party risk by evaluating the security posture of key suppliers and vendors and identifying potential vulnerabilities.
  • Establishing vendor management frameworks that ensure compliance with regulatory requirements while maintaining resilience.
  • Developing vendor risk assessment processes that can be integrated into the organization’s procurement policies to improve security oversight.

7. Cloud Security and Digital Infrastructure Management

With increasing adoption of cloud services, both NIS2 and DORA require organizations to ensure secure management of their digital infrastructure. Consulting opportunities in this area include:

  • Guiding secure cloud migration strategies that align with regulatory requirements, covering aspects like data encryption, access control, and vulnerability management.
  • Auditing cloud providers to ensure they meet necessary security standards, reducing risk exposure from third-party cloud services.
  • Implementing infrastructure monitoring solutions that provide continuous visibility into potential threats and vulnerabilities within an organization’s digital assets.

8. Assistance with Regulatory Reporting and Documentation

NIS2 and DORA impose strict reporting requirements for cyber incidents and regulatory compliance. Consultants can offer support by:

  • Developing standardized reporting protocols to streamline incident reporting processes and maintain clear documentation for regulators.
  • Setting up monitoring systems that can detect and report incidents as per the regulatory requirements.
  • Providing audit preparation and support to ensure that organizations are well-prepared for regulatory inspections and reviews.

Final Thoughts

The NIS2 Directive and DORA are reshaping the cybersecurity and resilience landscape in Europe, creating a high demand for consulting services across various domains. For consultants, this is an opportunity to offer specialized guidance, from initial compliance assessments to detailed policy implementation and incident management strategies. By supporting organizations in meeting these regulatory requirements, consultants can help clients not only achieve compliance but also build robust, resilient systems that are well-prepared to handle the cybersecurity challenges of the future.