FAQ: What to Do If a Company Believes It Is Not Subject to NIS 2 Despite Potential Inclusion

1. How can I determine if my company is subject to the NIS 2 Directive?

Conduct a comprehensive analysis to determine if your company meets the criteria set by NIS 2. Consider the following:

  • Sector of Activity: Check if you operate in a sector designated as essential, such as energy, transport, health, or financial services.
  • Company Size: Evaluate based on employee count, annual turnover, and balance sheet size.
  • Impact and Criticality: Determine whether your services have a significant impact on public security or economic stability.

2. What actions should we take if we conclude that our company is not subject to NIS 2?

  • Draft a Compliance Assessment Report: Create a formal document outlining why your company does not meet the NIS 2 criteria.
  • Secure Internal Approval: Ensure the Board of Directors formally endorses the assessment.

3. Which documents should be prepared to support our exclusion?

  • Assessment Report: A comprehensive analysis explaining the criteria and your conclusions.
  • Management Meeting Minutes: Document the Board’s approval of the assessment.
  • Review Plan: Schedule periodic reassessment to ensure ongoing alignment with regulatory updates.

4. Should we consult an external expert?

It is recommended but not required. Consulting an expert in cybersecurity and compliance can confirm the accuracy of your evaluation.

5. What if our circumstances change?

If your company grows or regulatory changes occur, re-evaluate your status. Notify relevant authorities if you then fall under NIS 2.

NIS 2 Directive and DORA Regulation – The differences in less than 1 minute

| Feature | NIS 2 | DORA |
|---|---|---|
| Full Name | Network and Information Systems Security Directive 2 | Digital Operational Resilience Act (DORA) |
| Adoption Date | 2022 (Member States must transpose it by October 2024) | 2022, effective from January 2025 |
| Scope | All entities operating in essential sectors, including energy, transport, health, finance, and critical infrastructures | Financial sector and its ICT service providers |
| Main Objective | Strengthening cybersecurity in essential and digital sectors, enhancing the resilience of critical infrastructures | Ensuring digital operational resilience of financial entities against cyber incidents or cyberattacks |
| Type of Regulation | Directive (requires transposition into national laws) | Regulation (directly applicable in Member States) |
| Involved Entities | Companies in essential sectors (health, energy, transport, water, public administration) and digital service providers (cloud, online platforms, search engines, etc.) | Banks, financial institutions, insurers, asset managers, and digital service providers in the financial sector |
| Security Obligations | Introduction of cybersecurity requirements for affected entities, including risk management, periodic assessments, and technical and organizational measures | Defining requirements to manage ICT and operational risks, with a focus on operational resilience and third-party risk management |
| Incident Reporting | Obligation to report relevant incidents within 24 hours of detection, with follow-up within 72 hours and final reporting | Obligation to report major cyber incidents to relevant authorities within a specified timeframe (to be defined in the regulation) |
| Sanctions | Member States must provide for effective and proportionate sanctions, with fines of up to 2% of global annual turnover or up to €10 million | Similar sanctions to NIS 2, with a focus on violations in the financial sector |
| ICT Risk Management | ICT risk is part of the overall risk management framework | ICT risk is central, with specific obligations for managing third-party providers and operational risks |
| Supervision and Control | Supervision by national competent authorities in each Member State | Supervision by European financial authorities, such as the European Banking Authority (EBA) |
| Third-party Providers | Focus on the security of essential digital service providers | Stringent obligations for managing risks related to critical ICT providers |

How to Use ISO 27001 to Comply With NIS2 and DORA

The evolving regulatory landscape, with the introduction of NIS2 (Network and Information Systems Directive) and DORA (Digital Operational Resilience Act), requires organizations, particularly those operating critical infrastructure or within the financial sector, to align their security and operational practices with stringent requirements. ISO 27001:2022, the internationally recognized standard for information security management systems (ISMS), provides a robust framework to help organizations meet the expectations of these regulations.

This article explores how ISO 27001:2022 can be used to align with NIS2 and DORA through specific mapping and application strategies for critical infrastructure and financial organizations, as well as their suppliers.

1. Mapping ISO 27001 with NIS2

NIS2, a strengthened version of the original NIS Directive, applies to essential and digital service providers. Its focus is on improving cybersecurity capabilities, risk management, incident reporting, and information sharing for critical sectors such as energy, transport, and healthcare.

ISO 27001 can be effectively mapped to NIS2 requirements by following these steps:

  • Risk management: NIS2 emphasizes risk-based security practices. ISO 27001’s risk assessment (clause 6.1.2) and treatment processes (clause 6.1.3) are integral to identifying risks to critical information systems and applying appropriate controls.
  • Incident management: Both NIS2 and ISO 27001 focus on managing security incidents. Clause 16 of ISO 27001 deals with incident management procedures and can be tailored to meet NIS2’s requirements for reporting significant incidents to national authorities.
  • Supply chain security: NIS2 places greater responsibility on securing supply chains. ISO 27001 Annex A.15 addresses supplier relationships, ensuring that the security controls extend to third-party contractors and service providers.

By leveraging ISO 27001’s existing controls, organizations can systematically address the key components of NIS2 and build a holistic cybersecurity posture.

2. Using ISO 27001 for Critical Infrastructure Companies

For companies operating in critical infrastructure sectors, ISO 27001 provides a structured approach to meeting the stringent cybersecurity requirements of NIS2. Specifically, it aids in:

  • Establishing a risk-based approach: Critical infrastructure organizations are required to focus on preventing and managing cyber risks that can disrupt essential services. ISO 27001’s risk assessment process (Clause 6) ensures that organizations continuously identify, analyze, and mitigate risks associated with their operational environments.
  • Ensuring operational resilience: Annex A of ISO 27001 emphasizes business continuity and disaster recovery, which are vital for critical infrastructure. These align with NIS2’s requirements for maintaining operational resilience in the face of cyber incidents.
  • Maintaining compliance with reporting obligations: NIS2 requires timely and detailed reporting of security incidents. ISO 27001’s structured incident management (Clause 16) ensures that organizations have documented procedures to detect, report, and learn from security events.

ISO 27001 helps critical infrastructure organizations stay compliant with NIS2 while improving their overall security posture and operational resilience.

3. Using ISO 27001 for Suppliers of Critical Infrastructure Companies

Suppliers to critical infrastructure companies are also subject to NIS2 requirements. They must ensure that their security practices are robust enough to protect the supply chain. ISO 27001 is particularly valuable here:

  • Supply chain risk management: ISO 27001 Annex A.15 outlines specific requirements for managing risks associated with suppliers, helping them implement appropriate security controls across their relationships with critical infrastructure operators.
  • Compliance with client demands: Critical infrastructure companies often pass on compliance obligations to their suppliers. By implementing ISO 27001, suppliers can proactively demonstrate their commitment to security and regulatory compliance, fostering trust and ongoing partnerships.

ISO 27001 thus ensures that suppliers can meet the stringent security requirements expected by their clients under NIS2.

4. Mapping ISO 27001 with DORA

DORA (Digital Operational Resilience Act) applies to financial institutions and aims to ensure their ability to withstand cyber threats and operational disruptions. It emphasizes the need for robust cybersecurity, incident response, and third-party risk management.

ISO 27001 offers a practical framework that aligns well with DORA’s key requirements:

5. Using ISO 27001 for Financial Organizations

For financial institutions, ISO 27001 plays a crucial role in building a compliant and resilient cybersecurity framework:

  • Meeting DORA’s resilience requirements: Financial organizations are expected to have robust incident detection and response mechanisms under DORA. ISO 27001’s structured processes (Clause 16) ensure that organizations are prepared to detect, report, and respond to incidents, maintaining operational continuity.
  • Regulatory alignment: With DORA’s focus on governance, ISO 27001 ensures that financial organizations have the necessary security governance structure (Clause 5) in place, including roles, responsibilities, and accountability for information security management.

By adopting ISO 27001, financial institutions can align their information security frameworks with DORA’s rigorous operational resilience and risk management expectations.

6. Using ISO 27001 for Suppliers of Financial Organizations

Similar to critical infrastructure suppliers, suppliers of financial organizations face increased scrutiny under DORA. ISO 27001 helps these suppliers align with DORA’s requirements by:

  • Implementing robust security practices: ISO 27001 ensures that suppliers have standardized security practices, making them reliable partners for financial organizations and compliant with DORA’s supply chain resilience expectations.
  • Proactive risk management: Suppliers must identify, assess, and manage risks in their operations to avoid disruptions in services provided to financial organizations. ISO 27001’s risk management framework allows suppliers to continuously manage these risks in line with DORA.

By using ISO 27001, suppliers of financial organizations can ensure that they meet DORA’s operational and security demands, making them a valuable part of the financial ecosystem.

Conclusion

ISO 27001:2022 serves as a powerful tool for aligning with both NIS2 and DORA regulations. Whether for critical infrastructure companies or financial organizations, the ISO 27001 framework provides the necessary structure for risk management, incident response, and third-party security, enabling compliance with these new regulatory frameworks. Suppliers in both sectors also benefit from implementing ISO 27001, as it ensures they meet the heightened security and resilience demands of their clients under NIS2 and DORA.

10 FAQs (Frequently Asked Questions) to help understand and comply with the NIS 2 Directive requirements

1. What is the NIS 2 Directive?

The NIS 2 (Network and Information Systems) Directive is an update to the 2016 NIS Directive aimed at strengthening cybersecurity and resilience in digital infrastructure across the European Union. It applies to a wide range of sectors, including energy, transport, healthcare, finance, and digital infrastructure.

2. Who is subject to the NIS 2 Directive?

NIS 2 applies to organizations of “essential importance” and “significant importance.” These entities include critical infrastructure, digital service providers, and companies operating in strategic sectors such as energy, transport, finance, healthcare, and telecommunications.

3. What are the main compliance requirements of the NIS 2 Directive?

Organizations must implement adequate technical and organizational measures to prevent, manage, and mitigate risks to the security of networks and information systems. This includes incident management, business continuity, supply chain security, protection against cyberattacks, and compliance with incident reporting obligations.

4. What are the key differences between NIS and NIS 2?

NIS 2 extends the scope to more sectors and enforces stricter penalties for non-compliance. It also introduces more rigorous governance, risk management, and cooperation requirements among EU Member States.

5. How can I determine if my company is subject to NIS 2?

Your company is subject to NIS 2 if it operates in one of the critical sectors listed in the directive. Typically, EU Member States are responsible for formally identifying entities subject to the new rules. It is advisable to check with national authorities and assess the potential impact on your organization.

6. What are the penalties for non-compliance with NIS 2?

Non-compliance with NIS 2 can result in significant administrative penalties, which may vary depending on the EU country and the severity of the breach. Fines can be up to 2% of the annual global turnover or €10 million, whichever is higher.

7. What are the deadlines for compliance with NIS 2?

NIS 2 must be transposed by EU Member States by 2024. Entities subject to the directive need to be prepared to comply with the new rules within the deadlines set by national regulations.

8. How can I implement a security management system compliant with NIS 2?

Implementing a compliant system requires thorough risk analysis, the definition of security policies, staff training, technical solutions such as firewalls, intrusion detection systems, vulnerability management, and a response plan for security incidents.

9. What security measures are required to protect critical systems?

Security measures include perimeter protection, data encryption, continuous network monitoring, vulnerability management, regular system audits, and a business continuity plan to ensure that essential services can continue during and after a cyberattack.

10. How does incident reporting work under NIS 2?

Entities subject to NIS 2 are required to promptly notify the competent authorities (such as CERTs or national cybersecurity authorities) of significant incidents. The notification must occur within 24 hours of identifying the incident, with regular updates on the resolution status.

These FAQs provide a basic guide, and each organization should consult legal and technical advisors to ensure proper compliance with the NIS 2 Directive.

NIS 2 – Implementation Steps for Cybersecurity Risk Management Measures

Complying with regulations like the NIS 2 Directive can be complex, but having a clear plan simplifies the process. Below are the best practices for achieving compliance with Chapter IV of the NIS 2 Directive, which focuses on “Cybersecurity risk-management measures and reporting obligations.” This chapter is the one that essential and important entities must comply with.

Step 1: Gain support from senior management
Although compliance with NIS 2 is mandatory, it is essential to secure senior management’s active support. Without it, the project may face delays, lack funding, and experience obstacles at every stage.

Step 2: Establish project management
Given the complexity of NIS 2, it is critical to approach it as a formal project, with clear roles, responsibilities, milestones, and outcomes. A structured management approach is key to success.

Step 3: Conduct initial training
Cybersecurity training is emphasized in NIS 2. Early training helps all involved parties understand the regulation and its importance, facilitating a smoother project initiation.

Step 4: Develop an Information System Security Policy
A top-level policy, while not required by NIS 2, is best practice according to international standards. It defines cybersecurity goals, responsibilities, and success metrics.

Step 5: Define the Risk Management Methodology
To comply with NIS 2, a clear risk management process is necessary, detailing how risks are assessed and managed within the organization.

Step 6: Conduct risk assessment and treatment
Identify potential threats to information systems, assess the risks, and implement mitigation measures for the most critical threats, ensuring actions are based on a comprehensive analysis.

Step 7: Create and approve a Risk Treatment Plan
This plan outlines the cybersecurity measures to be implemented, including timelines and responsibilities. Approval from senior management is crucial.

Step 8: Implement cybersecurity measures
Implement new security processes, activities, and potentially technologies, based on the risk assessment outcomes. Formalize these through documented policies and procedures.

Step 9: Strengthen supply chain security
NIS 2 highlights the importance of managing risks related to suppliers. Assess suppliers’ vulnerabilities and include security clauses in contracts.

Step 10: Assess cybersecurity effectiveness
Monitor cybersecurity continuously, conduct internal audits, and perform management reviews to ensure the effectiveness of cybersecurity measures.

Step 11: Implement incident reporting protocols
Significant incidents must be reported to the CSIRT or relevant authority, along with service recipients, following a defined reporting process.

Step 12: Continue cybersecurity training
Regular training for all employees, including senior management, is essential. Focus on relevant topics and choose cost-effective training methods.

Step 13: Conduct periodic internal audits
Although not required by NIS 2, regular internal audits are best practice for identifying nonconformities and providing senior management with an accurate cybersecurity status.

Step 14: Conduct periodic management reviews
Formal reviews provide senior management with the information needed to make key decisions about cybersecurity, including budget allocation and defining objectives.

Step 15: Execute corrective actions
Corrective actions ensure that any identified nonconformities are addressed, preventing recurrence.

What are the main cybersecurity requirements of NIS 2?

Surprisingly, only Chapter IV, “Cybersecurity risk-management measures and reporting obligations”, defines what essential and important entities must do to comply with NIS 2. All the other chapters are not relevant for these companies, because they specify the obligations of the EU countries (Member States) and what government agencies must do to enforce NIS 2.

Chapter IV has the following articles:

  • Article 20 – Governance
  • Article 21 – Cybersecurity risk-management measures
  • Article 22 – Union level coordinated security risk assessments of critical supply chains
  • Article 23 – Reporting obligations
  • Article 24 – Use of European cybersecurity certification schemes
  • Article 25 – Standardisation