NIS-2 Directive: Ten Steps to Compliance - Part 3
The NIS-2 Directive aims to strengthen the cybersecurity level across the EU Economic Area, a necessary initiative in today’s digital landscape. This article delves into the third part of a series elaborating on the essential steps to achieve NIS-2 compliance.
Step 6: Establishing an ISMS
A fundamental requirement of NIS-2 for essential and important entities is the implementation of “appropriate and proportionate technical, operational, and organizational measures” to manage the security risks to their critical network and information systems. Organizations must also take steps to prevent or mitigate the impact of security incidents on customers and third parties. In practice, this is the same obligation that frameworks such as BSI IT Basic Protection and ISO 27001 address: establishing an Information Security Management System (ISMS).
The term “Information Security Management System” (ISMS) does not refer to a singular IT system but rather a comprehensive set of rules and methods designed to ensure information security within an organization. It’s about creating a structured approach to safeguard one’s environment against risks.
For companies that have yet to consider an ISMS, Marco Eggerling, CISO Global at Check Point, suggests starting with basic security questions. The first concern endpoints: Do I have disk encryption and an antivirus solution? The second concern infrastructure: Is there a firewall, or am I relying solely on the one built into my router? Eggerling advises SMEs to engage a service provider to implement the firewall, because misconfiguration is a common entry point for attackers.
Next comes the essential question regarding data: “Where are my data stored? On an external hard drive? Can I enhance security through physical protection, such as locking them in a cabinet?” Only after addressing these issues should organizations consider NIS 2 Article 21: “Where are processes in disarray where access is unrestricted?” It is crucial to implement user-specific access controls to safeguard these areas. “With these measures for physical and logical protection in place, I can assert that the best-effort principle is established,” explains Eggerling.
Dirk Wocke, Compliance Manager at Indevis, recommends aligning with ISO 27001 rather than the BSI IT Basic Protection. “If a company implements the BSI’s IT Basic Protection, it effectively meets the ISMS requirements under 27001,” he states. “However, I wouldn’t advise a medium-sized enterprise to adopt BSI’s guidelines, as they are very detailed and complex, making compliance labor-intensive.”
Strategies for cybersecurity compliance
The NIS-2 Directive represents a critical advancement in the realm of cybersecurity for organizations operating within the EU. As digital threats continue to evolve, compliance with this directive not only enhances individual security postures but also contributes to a more resilient digital economy across the region. With the implementation of an ISMS being a central component, businesses must prioritize their efforts in this area to ensure they are equipped to handle current and future cyber threats.
Corporate leaders must remain vigilant and proactive in their approach to cybersecurity. By regularly assessing their security measures and protocols, organizations can identify gaps in their defenses and cultivate a culture of cybersecurity awareness among employees. This is not just about avoiding fines or penalties; it’s about fostering trust with customers and stakeholders in an increasingly insecure digital landscape.
As we move toward the next steps in achieving NIS-2 compliance, organizations must recognize that cybersecurity is a continuous journey that demands ongoing investment, education, and adaptation.
To summarize, adapting to the NIS-2 Directive is not merely about compliance; it is about sustaining growth and security in a digital-first world. Businesses that embrace comprehensive security measures will find themselves better positioned for future challenges and opportunities in their respective sectors.