Does your organisation need to comply with the new NIS2 cybersecurity directive? If so, you need to implement various cybersecurity risk management measures. But even if your organisation is not covered by the regulations, NIS2 sets the standard for a robust security policy. We give you a handy overview of the minimum requirements.
Tien minimumvereisten voor informatiebeveiliging
-
1. Risk management
Map all your organisation's assets, including hardware, software and data. Assess the impact of potential threats on the continuity of your business if these assets are no longer available. Also determine what measures you can take to contain the risks.
-
2. Incident handling
How you respond to incidents makes a big difference. Therefore, make sure you have a well-thought-out security incident response plan (SIRP) so that you can handle incidents quickly and efficiently. This includes several things, such as detecting and assessing incidents and investigating, assigning and evaluating priorities. Serious security incidents should be reported to the Centre for Cybersecurity Belgium (CCB) under NIS2.
-
3. Business continuity and crisis management
A crisis can strike at any time. Therefore, it is crucial to have a business continuity plan with measures to keep essential business processes running. Also establish a crisis management roadmap with clear instructions, including the necessary internal and external communication. This way, your employees will know what to do in the event of a crisis.
-
4. Secure supply chain
The security of your own systems partly depends on the security measures of your suppliers. At all times, you want to avoid them being a weak link and jeopardising your business continuity. Therefore, set the same risk management requirements for key suppliers as for your own organisation. Ask them to demonstrate their security measures or present an ISO 27001 certificate.
-
5. Handling vulnerabilities
Vulnerabilities in your network and information systems pose an immediate risk. It is essential to identify and fix them quickly, before someone can take advantage of them. Therefore, regularly scan your systems for known vulnerabilities and ensure a clear process for addressing them with updates. When doing so, take into account the severity and potential impact of the threat. The Exploit Prediction Scoring System (EPSS) is a useful tool to determine which vulnerabilities should be fixed first.
-
6. Assessments of measures
It is not enough to implement measures once; you need to continuously assess and update them. Regular assessments ensure that your cybersecurity measures remain effective and state-of-the-art. Consider internal and external audits to identify and remedy deficiencies.
-
7. Basic cyber hygiene rules
Cyber security starts with your employees. With awareness campaigns and training, ensure that every employee masters basic cyber hygiene practices. This includes recognising phishing attempts and handling sensitive information safely, as well as not letting just anyone into the company. A strong human firewall is as important as technical measures.
-
8. Use of encryption
Encryption is the basic technology to ensure the confidentiality and integrity of your data. Apply encryption wherever possible and establish policies and procedures to manage its use and management. Both NIS2 and GDPR (General Data Protection Regulation) prescribe the use of encryption.
-
9. Security policy
Clearly define in a security policy how access to systems is managed, how data is protected and how employees should act in different situations. Make sure all employees are aware of it and attach consequences to non-compliance. After all, security is everyone's responsibility.
-
10. Secure authentication
Wachtwoorden alleen volstaan niet meer voor authenticatie. Beveilig de toegang tot uw systemen daarom met multifactorauthenticatie of continue authenticatie. Dat voegt een extra beveiligingslaag toe en maakt het moeilijker voor onbevoegden om toegang te krijgen tot uw systemen. Uit verschillende studies blijkt dat meer dan 90% van alle incidenten te voorkomen is met multifactorauthenticatie.
How to achieve NIS2 compliance?
There are two main paths to achieving NIS2 compliance: by starting from the CCB's Cyberfundamentals Framework or through ISO 27001 certification.
The Cyberfundamentals Framework is an excellent foundation for NIS2 compliance. The framework already contains many of the measures required by the NIS2 directive and can serve as a building block for your own security strategy. By implementing these measures, you are already preparing your organisation well for the requirements of NIS2.
The other option, ISO 27001, is an internationally recognised standard for information security. If your organisation is ISO 27001-certified, it meets high security standards. As a result, according to the CCB, you enjoy "a presumption of conformity to NIS2".
Management responsibility
The responsibility for compliance with NIS2 ultimately lies with management. They must ensure that these ten measures are implemented and remain in place. But even if your organisation is not covered by the regulations, implementing these measures will make your organisation more resilient against cyber attacks.
Keep up to date with the latest developments around NIS2
Want to know more about NIS2?