Posted on Leave a comment

NIS 2 – Navigating Compliance for Cybersecurity Frameworks

Introduction

The EU NIS 2 Directive, an extension of the original NIS (Network and Information Systems) Directive established in 2016, is a pivotal piece of legislation focused on enhancing cybersecurity across EU member states. As global cyber threats evolve, the NIS 2 Directive aims to fortify the resilience of critical infrastructure and essential digital services within the EU by establishing stringent security measures and incident response requirements.

Objectives and Scope of the Regulation

The primary objective of the NIS 2 Directive is to improve the overall level of cybersecurity within the European Union by harmonizing cybersecurity requirements across member states. It brings additional sectors and services under its domain, including telecommunications, energy, transport, healthcare, and digital service providers. Specifically, it focuses on both “essential” and “important” entities, reflecting the critical nature of their operations.

Practical Implications for Organizations Subject to NIS 2

For organizations classified as essential or important entities, compliance with NIS 2 is not only a legal obligation but also a critical measure to safeguard their operations, reputation, and customer trust. The directive emphasizes risk management, incident reporting, and governance mechanisms that organizations must adopt for robust cybersecurity practices.

Cybersecurity Risk Management Obligations

Operational Impacts of NIS 2 Compliance

One of the central themes of the NIS 2 Directive is its insistence on proactive cybersecurity risk management. Organizations are required to identify, assess, and mitigate risks to the security of their network and information systems. This involves implementing a wide array of technical and organizational measures tailored to each entity’s specific cybersecurity risk profile.

Compliance Challenges

The primary challenges for organizations lie in the complexity of risk assessment and management processes. Many organizations struggle with understanding how to effectively identify their risk landscape, especially in dynamic environments where new threats can emerge rapidly. This often leads to significant gaps in compliance, as organizations may not have robust processes to assess and manage their cybersecurity risks in alignment with NIS 2.

Another challenge is the documentation and reporting requirements associated with risk management. Organizations must ensure they are maintaining comprehensive records of their risk management activities, which will be scrutinized during compliance audits.

Common Gaps and Regulatory Expectations

Common gaps observed in organizations include inadequate risk assessment methodologies, insufficient incident response planning, and a lack of clear accountability across management levels. Regulatory agencies expect organizations to not only have documented processes but also to demonstrate the effectiveness and continuous adaptation of these processes in response to changing threats.

Practical Compliance Steps

Key Actions Required for Compliance

Organizations must take concrete steps to align their operations with the requirements of the NIS 2 Directive:

  1. Conduct Comprehensive Risk Assessments: Organizations should undertake thorough risk assessments that incorporate a wide range of cyber threats. They must continuously revisit and update these assessments to reflect changes in the risk landscape.

  2. Implement Technical and Organizational Security Measures: Based on the risk assessment outcomes, organizations need to deploy appropriate cybersecurity controls. This includes not only technology solutions but also organizational changes, such as training staff and enhancing incident response capabilities.

  3. Establish Clear Incident Handling Procedures: Develop detailed incident response plans that outline the steps to be taken in the event of a cybersecurity incident. This plan should include roles and responsibilities as well as communication strategies both internally and externally.

  4. Maintain Documentation for Audits: Organizations should prepare and maintain documentation demonstrating compliance efforts. This documentation will be critical during audits and inspections. Records should include risk assessments, security policies, incident reports, and training records.

  5. Adopt Best Practices for Ongoing Compliance: Continual monitoring, regular auditing of controls, and adapting policies as new threats emerge can help organizations maintain compliance in the long term. Establish a culture of security within the organization that emphasizes the importance of compliance at every level.

Expected Documentation During Audits

During audits or inspections, organizations should expect to provide:

  • Detailed risk assessment reports
  • Incident response plans and associated training documentation
  • Security policies and governance frameworks
  • Evidence of ongoing risk management activities, including updates to risk assessments and security measures

Conclusion

In conclusion, the EU NIS 2 Directive sets forth crucial requirements for organizations to enhance their cybersecurity posture. From comprehensive risk management obligations to stringent incident response protocols, compliance presents both challenges and opportunities for critical entities within the EU. To navigate this complex regulatory landscape effectively, organizations must adopt a structured and continuous approach to compliance that not only satisfies regulatory obligations but also fortifies their defenses against an ever-evolving threat landscape. By doing so, organizations can secure their operations and uphold their responsibilities to stakeholders and the broader community.

A well-prepared compliance strategy is not just about adhering to regulations; it is an integral part of the organization’s resilience and sustainability in the face of cyber threats.


How to determine the ‘significance’ of a NIS2 incident: a clear guide to the 9 ENISA criteria

The NIS2 Directive introduces a key concept: not all cyber incidents are the same. Some must be reported because they fall into the category of significant incidents.
According to ENISA (Reg. 2690/2024), the security manager’s ‘impression’ is not enough to determine this: nine regulatory criteria must be applied, each with precise thresholds.

The main criteria include:

  • significant economic damage (≥ £500,000 or 5% of turnover)
  • exfiltration of trade secrets
  • CIA compromise caused by malicious action
  • serious operational disruption
  • duration of unavailability beyond sector thresholds
  • degradation of response time
  • impact on health
  • percentage of users affected
  • recurrence in the last 6 months

Each criterion requires specific information, comprehensive data and an objective approach. Performing the assessment ‘by hand’ increases the risk of error, with potential consequences in an increasingly stringent regulatory environment.

👉 Would you like to see a practical example of applied assessment?
Watch the video demo of the NIS2 Incident Significance Manager software.



NIS 2 – T-SCRM is born – the innovative Software for IT Vendor Risk Management

IT Security of the supply chain is no longer a choice, but an obligation.
The NIS 2 Directive and the DORA Regulation require organisations to ensure operational resilience and control over IT and critical service providers.

This is why we have developed T-SCRM, the Windows PC software that simplifies IT risk management with a practical and documented approach:

✅ Assessment of suppliers according to compliance, cybersecurity and reliability criteria
✅ Incident log with severity index (1 = slight, 5 = critical)
✅ Monitoring of contracts and certifications, with alerts on deadlines
✅ Interactive dashboard with risk indicators and graphs
✅ Automatic reports for audits, Supervisory Board 231, NIS 2 and DORA

Who it is aimed at:

NIS 2 and DORA consultants
IT, Compliance and Procurement Managers
DPOs

With T-SCRM you move from Excel sheets to a structured, reliable and compliant management.


New Release: Asset Manager NIS 2 – The Essential Software for Full ICT Asset Mapping and Compliance

Are you a company, public body, or consultant navigating the complexities of the NIS 2 Directive?
The Asset Manager NIS 2 software is built specifically to support your compliance journey.

With this intuitive tool, you can:

✅ Register and classify all ICT assets, distinguishing between critical and non-critical
✅ Link assets to business processes and managers for clear accountability
✅ Manage external ICT providers (e.g., cloud services) in one centralized system
✅ Automatically assess risks, known vulnerabilities, and security measures applied
✅ Generate detailed reports for audits and inspections
✅ Manage unlimited companies under one license

Runs on Windows 10 or later – no web connection required

Ideal for:
Companies subject to NIS 2
Privacy and cybersecurity consultants
Public institutions

Learn more & request a demo here:
https://edirama.eu/prodotto/software-asset-manager-nis-2-annual-license/

#NIS2 #Cybersecurity #ICTAssets #RiskAssessment #ComplianceTools #DigitalSecurity #Edirama #CyberResilience #ConsultingTools


How to Develop Your NIS 2 Consulting Business with Edirama’s Professional Kits

The implementation of the NIS 2 Directive and the 2025 ACN Specifications has created a growing demand for consulting services—from essential and important entities to ICT providers working with regulated companies.

For privacy consultants, management systems experts (ISO 27001, ISO 9001, ISO 45001, etc.) and IT auditors, this is the perfect time to expand their services with a concrete and structured offering.

To support this goal, Edirama has developed the NIS 2 Consultant Kit, which includes:

How each consultant profile can use these tools

1. Privacy Consultant / DPO
Offer a “Privacy + Cyber Risk” package by integrating:

  • Impact assessment on critical data processes using the Audit Kit.

  • Incident and continuity plans from the Documentation Kit.

2. ISO Consultant
Offer a “NIS 2 Compliance Add-On” by integrating:

  • ISO/NIS 2 gap analysis (Audit Kit).

  • NIS 2-specific procedures (Documentation Kit).

  • Asset mapping and risk analysis (Asset Manager Software).

3. IT Consultant / Auditor
Provide a practical technical service, including:

  • Asset classification and service mapping.

  • Security measures implementation.

  • Incident simulation and recovery plans.

Example revenue potential:

Consultant Type   Service Offered                Avg. Price   Clients/year   Annual Revenue
DPO               Privacy + NIS 2 Package        €2,500       10             €25,000
ISO Consultant    NIS 2 Add-On to ISO            €3,500       8              €28,000
IT Consultant     Technical Cyber Risk Package   €5,000       6              €30,000

Now is the time to prepare. The NIS 2 Consultant Kit provides all the tools to start delivering compliant, professional, and high-value consulting services.


ENISA NIS360 2024 report: A comprehensive look at cybersecurity maturity and criticality of NIS2 sectors


Managing artificial intelligence threats with ISO/IEC 27001


The increasing integration of artificial intelligence (AI) into business processes brings both opportunities and new challenges in terms of information security. To effectively address the threats associated with AI, the adoption of ISO/IEC 27001 provides a structured framework for information security management.

ISO/IEC 27001 and AI Security

ISO/IEC 27001 is an international standard that defines the requirements for establishing, implementing, maintaining and continuously improving an Information Security Management System (ISMS). This standard is designed to protect organisations’ information from threats, vulnerabilities and attacks, ensuring confidentiality, integrity and availability of data.

ISO 27001 Controls Relevant to AI

In the field of AI, some specific controls of ISO/IEC 27001 are particularly relevant:

  1. Risk Assessment (Clause 6.1.2): Identify and assess the risks associated with AI systems, considering potential vulnerabilities and specific threats.
  2. Data Security (Clause 8.2): Ensure that data used for training and operation of AI models is protected from unauthorised access and manipulation.
  3. Technical Vulnerability Management (Clause 12.6.1): Implement processes to identify, assess and mitigate vulnerabilities in AI systems, ensuring timely updates and patches.
  4. Access Management (Clause 9.1): Define and control access rights to AI systems, ensuring that only authorised personnel can interact with them.
  5. Security in Development (Clause 14.2.1): Integrate security measures during the development and implementation of AI systems, following secure coding practices and rigorous testing.

Enhancing AI Security with ISO 27001

Implementation of ISO/IEC 27001 helps organisations to:

  • Structure Risk Management: Through systematic risk assessment, organisations can identify and mitigate specific AI-related threats.
  • Establish Operational Controls: Establish operational procedures and policies that ensure the safe and responsible use of AI systems.
  • Ensure Regulatory Compliance: Align with applicable data protection and information security regulations, reducing the risk of penalties.
  • Promote a Culture of Security: Raise staff awareness of the importance of security in the use and development of AI, promoting an organisational culture geared towards information protection.

In addition, the recently published standard ISO/IEC 42001:2023 provides specific guidelines for the management of AI systems, complementing and extending the security measures provided by ISO/IEC 27001.

By adopting an ISO/IEC 27001-based approach, organisations can proactively address AI-related security challenges while ensuring innovation and operational efficiency.

Self-Assessment Checklist:

  1. Risk Assessment
    • Have we identified and assessed the specific risks associated with our AI systems?
    • Is there a documented process for managing AI-related risks?
  2. Data Security
    • Is the data used for training and operating AI models protected from unauthorised access?
    • Have we implemented measures to ensure the integrity and confidentiality of AI data?
  3. Technical Vulnerability Management
    • Is there a procedure for identifying and resolving vulnerabilities in AI systems?
    • Do we regularly monitor vulnerabilities and apply the necessary patches in a timely manner?
  4. Access Management
    • Do we have clearly defined access rights to AI systems?
    • Do we use authentication and authorisation mechanisms to control access to AI systems?
  5. Security in Development
    • Do we apply secure development practices when creating our AI systems?
    • Do we perform regular security tests on our AI models before their implementation?
  6. Regulatory Compliance
    • Are our AI processes aligned with current data protection and information security regulations?
    • Have we documented the measures taken to ensure compliance with applicable regulations?
  7. Security Culture
    • Are our staff trained and aware of AI-related security practices?
    • Do we promote a corporate culture that values information security in the use of AI?

This checklist helps assess the implementation of security controls relevant to AI according to ISO/IEC 27001. A proactive approach to managing these aspects strengthens the overall security of AI systems within the organisation.


The cost of consulting for NIS 2 Directive compliance: practical examples

The NIS 2 Directive, issued by the European Union, has established new cybersecurity standards for operators of essential services and digital service providers. Compliance with these regulations requires specialized expertise, and many organizations turn to expert consultants for support. But how much does NIS 2 consulting cost? In this article, we will explore the key factors that determine the fees and provide practical examples.


Factors influencing consulting fees

  1. Size of the organization
    • Larger organizations with complex IT infrastructures require more detailed consulting, resulting in higher costs.
  2. Type of services requested
    • Some companies need a comprehensive review of their security policies, while others may require specific interventions, such as drafting a Risk Assessment or conducting a Vulnerability Assessment.
  3. Consultant’s experience
    • Professionals with years of experience in cybersecurity and in-depth knowledge of the NIS 2 Directive typically charge higher rates than less experienced consultants.
  4. Duration and complexity of the project
    • A full compliance project may take months, with costs proportional to the hours or working days involved.
  5. Consultant certifications

Practical examples of consulting fees

1. Basic consulting for an SME

  • Scenario: An SME in the manufacturing sector requires an initial assessment of its compliance with the NIS 2 Directive.
  • Tasks performed:
    • Initial analysis of processes and IT infrastructures.
    • Drafting an action plan for compliance.
  • Duration: 5 working days.
  • Average cost: €5,000 – €7,500.

2. Full compliance for a large organization

  • Scenario: An energy company needs to implement all the security measures required by the regulation.
  • Tasks performed:
    • Comprehensive IT infrastructure audit.
    • Drafting security procedures and policies.
    • Internal staff training.
    • Penetration Testing.
  • Duration: 6 months.
  • Average cost: €100,000 – €200,000.

3. Staff training and awareness

  • Scenario: A transportation company wants to train its employees on cybersecurity best practices.
  • Tasks performed:
    • Creating a customized training program.
    • Delivering training sessions in person or online.
  • Duration: 3 training days.
  • Average cost: €3,000 – €5,000.

4. Ongoing consulting services

  • Scenario: A digital service provider requires continuous support to ensure ongoing compliance with the NIS 2 Directive.
  • Tasks performed:
    • Periodic vulnerability monitoring.
    • Regulatory updates.
    • Incident management support.
  • Duration: Annual contract.
  • Average cost: €20,000 – €50,000 per year.

Conclusion

The cost of NIS 2 consulting varies significantly depending on the specific needs of the organization, the complexity of the tasks, and the consultant’s experience. Investing in professional support not only ensures regulatory compliance but also strengthens the organization’s resilience against cybersecurity threats. Therefore, it is essential to carefully evaluate the cost-benefit ratio and choose a qualified consultant capable of providing tailored solutions.


NIS 2 EU Implementing Regulation 2024/2690 – 17/10/2024

Commission Implementing Regulation (EU) 2024/2690 of 17 October 2024 laying down detailed rules for the implementation of Directive (EU) 2022/2555 as regards technical and methodological requirements for cybersecurity risk management measures and further specification of when an incident is considered significant with regard to DNS service providers, top-level domain name registries, cloud computing service providers, data centre service providers, content delivery network providers, managed service providers, managed security service providers, providers of online marketplaces, online search engines and social network service platforms, and trust service providers.


The technical and methodological requirements are described in the annex; the required procedures are available in Edirama’s NIS 2 Documentation Kit:

1 Information Systems and Network Security Policy [Art. 21.2a NIS2]
2 Risk management policy [Art. 21.2a NIS2]
3 Incident management [Art. 21.2b NIS2]
4 Business continuity and crisis management [Art. 21.2c NIS2]
5 Supply chain security [Art. 21.2d NIS2]
6 Security of acquisition, development and maintenance of information and network systems [Art. 21.2e NIS2]
7 Strategies and procedures for evaluating the effectiveness of cybersecurity risk management measures [Art. 21.2f NIS2]
8 Basic computer hygiene practices and security training [Art. 21.2g NIS2]
9 Cryptography [Art. 21.2h NIS2]
10 Human Resources Security [Art. 21.2i NIS2]
11 Access control [Art. 21.2i/j NIS2]
12 Resource management [Art. 21.2i NIS2]


NIS2 and DORA – What Kind of Consulting Opportunities Do They Provide?

As the European Union continues to evolve its cybersecurity and digital resilience framework, the implementation of the NIS2 Directive and DORA (Digital Operational Resilience Act) has opened up new and diverse consulting opportunities. Both frameworks aim to enhance the cybersecurity posture and operational resilience of critical sectors, presenting a valuable chance for consultants to offer expertise. In this article, we’ll explore the consulting prospects these regulations bring to the market and the specific types of support organizations will need.

1. Risk Assessment and Compliance Readiness

One of the primary consulting needs stemming from NIS2 and DORA is helping organizations assess and understand their current level of compliance. Consultants can:

  • Conduct initial gap analyses to identify areas where a company’s current practices fall short of the regulatory requirements.
  • Evaluate risk exposure, including analyzing existing cyber threats, business continuity plans, and potential vulnerabilities.
  • Develop compliance roadmaps by setting up actionable steps for companies to close gaps and align with the new directives.

2. Policy Development and Implementation

Both NIS2 and DORA require organizations to adopt stringent policies covering various cybersecurity and operational resilience areas. This creates a need for consulting services in:

  • Drafting tailored security policies that address the specific requirements of each directive, as well as the organization’s operational and industry needs.
  • Establishing incident response plans that outline structured procedures to react swiftly to cyber incidents, aligned with regulatory expectations.
  • Policy enforcement training to ensure that policies are not only developed but also implemented across all departments effectively.

3. Cyber Hygiene and Awareness Training

One of the cornerstones of both regulations is ensuring that employees at all levels understand the importance of cybersecurity practices. Consulting services can focus on:

  • Developing and delivering cybersecurity training that covers essential topics, including password management, phishing prevention, and secure handling of sensitive data.
  • Building a culture of cyber resilience by instilling best practices through awareness programs that engage all levels of the workforce.
  • Creating training materials and protocols that comply with NIS2 and DORA standards, ensuring consistent, organization-wide understanding.

4. Incident Management and Response Consulting

Incident response is a critical focus in both NIS2 and DORA, which demand that companies have robust mechanisms in place to handle cybersecurity incidents effectively. Consultants can support by:

  • Establishing incident response teams and workflows that align with the directives’ requirements for timely and organized response to threats.
  • Providing simulation exercises to prepare organizations for potential attacks, such as mock phishing campaigns and cyber-attack simulations.
  • Offering post-incident analysis and improvement plans to refine processes based on lessons learned from previous incidents.

5. Business Continuity and Disaster Recovery Planning

NIS2 and DORA stress the need for comprehensive business continuity and disaster recovery (BC/DR) plans to ensure resilience in the face of disruptions. Consultants can assist by:

6. Supply Chain Risk Management

Both directives emphasize the need for enhanced scrutiny and oversight of third-party vendors and supply chains, as vulnerabilities in these areas can expose organizations to risk. Consulting opportunities here include:

  • Assessing third-party risk by evaluating the security posture of key suppliers and vendors and identifying potential vulnerabilities.
  • Establishing vendor management frameworks that ensure compliance with regulatory requirements while maintaining resilience.
  • Developing vendor risk assessment processes that can be integrated into the organization’s procurement policies to improve security oversight.

7. Cloud Security and Digital Infrastructure Management

With increasing adoption of cloud services, both NIS2 and DORA require organizations to ensure secure management of their digital infrastructure. Consulting opportunities in this area include:

  • Guiding secure cloud migration strategies that align with regulatory requirements, covering aspects like data encryption, access control, and vulnerability management.
  • Auditing cloud providers to ensure they meet necessary security standards, reducing risk exposure from third-party cloud services.
  • Implementing infrastructure monitoring solutions that provide continuous visibility into potential threats and vulnerabilities within an organization’s digital assets.

8. Assistance with Regulatory Reporting and Documentation

NIS2 and DORA impose strict reporting requirements for cyber incidents and regulatory compliance. Consultants can offer support by:

  • Developing standardized reporting protocols to streamline incident reporting processes and maintain clear documentation for regulators.
  • Setting up monitoring systems that can detect and report incidents as per the regulatory requirements.
  • Providing audit preparation and support to ensure that organizations are well-prepared for regulatory inspections and reviews.

Final Thoughts

The NIS2 Directive and DORA are reshaping the cybersecurity and resilience landscape in Europe, creating a high demand for consulting services across various domains. For consultants, this is an opportunity to offer specialized guidance, from initial compliance assessments to detailed policy implementation and incident management strategies. By supporting organizations in meeting these regulatory requirements, consultants can help clients not only achieve compliance but also build robust, resilient systems that are well-prepared to handle the cybersecurity challenges of the future.