Ready for the NIS2 Directive? Your checklist for a smooth transition!

The digital world is growing at lightning speed, and with it, cyber security risks. To better manage these risks and increase resilience, the NIS2 Directive was created. This directive replaces the earlier NIS Directive and expands both its scope and its requirements. The NIS2 Directive is a hot topic, and more and more people are asking the question "Does the NIS2 Directive apply to my company?". Consequently, more and more directors are asking "Can I be held liable as a director if my company does not comply with the requirements?" We previously wrote a blog about these two questions. In this blog, Daniek Regterschot will elaborate on the question of what steps an organization should take to comply with the requirements of the NIS2 Directive in the fall of 2024.

#cybersecurity
#tech

Date: July 02, 2024

Modified July 02, 2024

Written by: Daniek Regterschot

Reading time: +/- 6 minutes

The four obligations

Companies covered by the NIS2 Directive are subject to four types of obligations: a registration obligation, a duty of care, a reporting obligation and, finally, mandatory supervision. We have already discussed these obligations in a previous blog. To answer the question of what measures should be taken to comply with the NIS2 Directive, the duty of care is particularly important. Under the directive, companies must take measures to protect their network and information systems against incidents and to limit the consequences of incidents for customers. The same applies, incidentally, to the physical environment in which those systems are located.

But "taking measures" is still fairly vague. What exactly must your company do to comply with the NIS2 Directive? The directive itself lists ten measures that must at least be implemented in order to comply with the duty of care. These measures are briefly named and explained below.

The ten measures

  1. Policy on risk analysis and information systems security

    Conduct a risk analysis and create a policy for it. The policy should set out the purpose of the analysis, who is involved in performing it, the roles and responsibilities, how often a risk analysis is performed, and what is then done with the results. For example, a decision may be made to accept a risk, or it may be decided to resolve, stop or transfer the risk.

  2. Security when managing, developing and maintaining networks and systems

    If you can no longer access the information on your systems due to an incident, this can bring your entire organization to a standstill. It is therefore important to properly secure your network (for example, with a firewall) and to monitor that security. In addition, there should be policies on how the configuration of the network and systems is handled, and on how repairs and maintenance are performed. To keep security as strong as possible, timely security updates are also important. The measures should be monitored closely. It is also important to make clear agreements with your IT suppliers so that it is clear who is responsible for the security of your networks and systems.

  3. Using multifactor authentication and secure communications

    Multifactor authentication (MFA) requires two different factors to establish legitimate access, for example a verification e-mail or an authenticator application in addition to a password. Use MFA at least on essential systems, for accounts that can be accessed over the Internet, and for accounts with administrative privileges.

  4. Cyber hygiene and cyber security training

    Cyber incidents can be caused by malicious actors from outside. However, the majority of incidents are caused by human error within your own organization. So make sure every employee is aware of cyber risks by regularly educating them about password use, multifactor authentication, performing updates, safe e-mail use and anti-phishing. We also already described in this blog that training for directors is essential.

  5. Security aspects regarding personnel, access policies and asset management

    In addition to policies for existing personnel, it is also important to have procedures in place for new employees. Particularly when employees join, leave or change jobs, an administration of access rights is necessary: who has access to which systems, and what are the roles and rights within them? In addition to staff, a company's assets (such as computers, phones and USB sticks) also pose a risk. So ensure their secure use, but equally ensure proper storage, transportation and destruction once the assets are written off.

  6. Policies and procedures on the use of cryptography and encryption

    Cryptography is used to encrypt data so that only people with permission can read the information. In this way, its confidentiality is ensured. A policy document should define the techniques used to ensure this confidentiality of information. It should also describe, for example, how keys are generated and how they can be destroyed.

  7. Policies and procedures to assess the effectiveness of management measures

    The above shows that establishing appropriate and proper policies is an important step in complying with the NIS2 Directive. To keep the policies created and the measures taken appropriate, they should be regularly reviewed and evaluated. This can be done, for example, through a security test.

  8. Supply chain security

    Many companies depend on supplier products. As a result, an incident at one company can have far-reaching consequences for another. Therefore, ensure that you have policies in place that identify your dependence on suppliers, as well as the risks that this entails. In addition, record the agreements made with suppliers in a contract. It must be clear who is responsible for what (such as security (see point 2), updates and backups) and what has been agreed in case of an incident.

  9. Incident handling plan

    When an incident occurs, it is important to respond quickly and properly. Therefore, create a policy in which you name the tasks and assign responsibilities. Set up a hotline and then communicate the policy to all employees. The key to proper handling is continued training and practice for cyber incidents. Also make sure the policy remains accessible during an incident.

  10. Business continuity plan; backup management, contingency and crisis management

    A cyber attack can cause a company's operations to be down for a long period of time. Given the critical situation that then arises, it is wise to prepare a plan in advance and think about business continuity. A business continuity plan involves a number of steps, such as a risk analysis and a prioritization of these risks, followed by establishing a policy on how, when and by whom the plan will be put into action.

Although the implementation of the European legislation is still some time away, there are certainly steps that can already be taken to prepare your organization for the NIS2 Directive. An essential first step is to perform a risk analysis and then implement measures so that your organization is better protected against these risks (for example, by offering training or applying MFA). Should an incident nevertheless occur, make sure there is a policy on how and by whom to act, also with a view to the continuity of your company.


Stay Focused

Do you want to be well prepared for the NIS2 directive, but are not quite sure what you can do? Then contact one of our specialized IT law attorneys. They will be happy to help you!
