NIS 2 – Implementation Steps for Cybersecurity Risk Management Measures

Complying with regulations like the NIS 2 Directive can be complex, but having a clear plan simplifies the process. Below are the best practices for achieving compliance with Chapter IV of the NIS 2 Directive, which focuses on “Cybersecurity risk-management measures and reporting obligations.” This chapter is crucial for essential and important entities to comply with.

Step 1: Gain support from senior management
Although compliance with NIS 2 is mandatory, it is essential to secure senior management’s active support. Without it, the project may face delays, lack funding, and experience obstacles at every stage.

Step 2: Establish project management
Given the complexity of NIS 2, it is critical to approach it as a formal project, with clear roles, responsibilities, milestones, and outcomes. A structured management approach is key to success.

Step 3: Conduct initial training
Cybersecurity training is emphasized in NIS 2. Early training helps all involved parties understand the regulation and its importance, facilitating a smoother project initiation.

Step 4: Develop an Information System Security Policy
A top-level policy, while not required by NIS 2, is best practice according to international standards. It defines cybersecurity goals, responsibilities, and success metrics.

Step 5: Define the Risk Management Methodology
To comply with NIS 2, a clear risk management process is necessary, detailing how risks are assessed and managed within the organization.

Step 6: Conduct risk assessment and treatment
Identify potential threats to information systems, assess the risks, and implement mitigation measures for the most critical threats, ensuring actions are based on a comprehensive analysis.

Step 7: Create and approve a Risk Treatment Plan
This plan outlines the cybersecurity measures to be implemented, including timelines and responsibilities. Approval from senior management is crucial.

Step 8: Implement cybersecurity measures
Implement new security processes, activities, and potentially technologies, based on the risk assessment outcomes. Formalize these through documented policies and procedures.

Step 9: Strengthen supply chain security
NIS 2 highlights the importance of managing risks related to suppliers. Assess suppliers’ vulnerabilities and include security clauses in contracts.

Step 10: Assess cybersecurity effectiveness
Monitor cybersecurity continuously, conduct internal audits, and perform management reviews to ensure the effectiveness of cybersecurity measures.

Step 11: Implement incident reporting protocols
Significant incidents must be reported to the CSIRT or relevant authority, along with service recipients, following a defined reporting process.

Step 12: Continue cybersecurity training
Regular training for all employees, including senior management, is essential. Focus on relevant topics and choose cost-effective training methods.

Step 13: Conduct periodic internal audits
Although not required by NIS 2, regular internal audits are best practice for identifying nonconformities and providing senior management with an accurate cybersecurity status.

Step 14: Conduct periodic management reviews
Formal reviews provide senior management with the information needed to make key decisions about cybersecurity, including budget allocation and defining objectives.

Step 15: Execute corrective actions
Corrective actions ensure that any identified nonconformities are addressed, preventing recurrence.