Why you should start tackling NIS2 requirements right now

By the end of 2024, all EU member states must implement the new cybersecurity directive NIS2. Is your organisation an important or essential entity and are you at the starting point of the compliance journey? If so, time is running out. In fact, chances are that you need to implement one or more measures that will take a lot of time. These include implementing a Security Operations Center, ensuring a secure supply chain and creating appropriate policies.

Long time span, great efforts

By 17 October 2024, Belgium must have transposed the Network and Information Security Directive 2, better known as NIS2, into national legislation. Meanwhile, the Belgian version has already been approved by parliament. As we explained earlier, the directive has quite an impact on organisations. Because it spans several dimensions - technical, organisational, legal, human and strategic - becoming compliant is complex. Some boxes are relatively easy and quick to tick, such as security awareness training. Other measures, on the other hand, require a long implementation period and considerable effort.

Long-term measures

Among others, the following measures generally take a long time to implement.

Technical cybersecurity measures

On a technical level, you can consider, for example, the implementation of:

  • advanced threat and incident monitoring, detection and response;
  • extended network segmentation;
  • restricting access to networks and information systems through Identity & Access Management;
  • a Zero Trust architecture, encryption of systems, immutable (write-protected) backups.

Ensuring a secure supply chain

If your organisation is an important or essential entity according to NIS2, you also carry the responsibility to actively manage and mitigate cybersecurity risks in your supply chain. Ensuring digital security in the supply chain is complex. After all, it requires that third parties also comply with strict security standards, and that takes a lot of time, work and financial resources. For you and your supply chain partners alike, multiple departments (such as IT, Legal and HR) are involved in the compliance effort, which is an important, time-consuming factor.

As an organisation covered by the scope of NIS2, you should check the following, among other things, with your suppliers and partners:

  • security practices and procedures that may affect your own digital security;
  • unpatched or outdated software;
  • authentication and authorisation processes;
  • storage or communication of data;
  • security awareness among employees;
  • quality of the incident response plan.

The most evident means of ensuring third-party security are contractual agreements and audits. In contracts, for example, you can impose obligations on your suppliers or partners, such as meeting NIS2 technical and organisational requirements, reporting incidents adequately, providing regular evidence of NIS2 compliance (e.g. via a security audit report) and addressing identified deficiencies as soon as possible. Certainly, ensuring security in the chain is an expensive business. But consider it a good investment: cyber threats within the supply chain are a real danger.

Even a big company like Microsoft has already fallen victim to this. Cybercriminals managed to hide malware in network monitoring software used not only by Microsoft, but also by the US government. This gave the criminals undetected access to the victims' systems for almost two years.

A solid framework

A good framework is crucial for effective security. If you read up on NIS2, it shows explicitly or implicitly that you must have policies, procedures and processes in many areas. You can document these in the following plans, among others:

  • An incident response plan includes how you detect, report and address incidents, including communication about and recovery from the incident.
  • A business continuity plan includes the strategies and procedures you need to keep the business processes essential to the survival of your organisation operational when a cyber incident hits you.
  • With a risk management plan and crisis management plan, you strengthen your organisation's resilience through proactive risk mitigation and effective response to unforeseen emergencies.
  • To report cybersecurity incidents to the Centre for Cybersecurity Belgium (CCB) in a timely and effective manner and notify affected parties, an incident reporting plan is a good tool.
  • Through a supply chain security plan, you describe how your organisation assesses and manages cybersecurity risks in the supply chain, including contractual requirements and audits.
  • If you are affected by a cyber incident, a disaster recovery plan outlines the procedures for restoring systems, data and network functions to be operational again as soon as possible.
Creating and recording all those policies, procedures and processes requires a meticulous approach and the commitment of different departments (including IT, Legal, HR and Communications). This takes time - after all, you don't want to rush into things overnight.

Integration for acceleration

By integrating your compliance efforts regarding NIS2 with those for other European laws, you can become compliant faster and with a lower time investment. Do you see overlap of NIS2 with, for example, the GDPR (General Data Protection Regulation), DORA (Digital Operational Resilience Act), CER (Critical Entities Resilience Directive), CRA (Cyber Resilience Act) or the AI Act? Then you can fine-tune existing procedures and processes for NIS2 with minimal effort. Besides efficiency benefits, this also offers a holistic compliance approach. That way, you will face fewer risks.
Conclusion: (some) urgency is required

Many organisations still need to take the required steps to achieve NIS2 compliance. Implementing the measures we have described usually takes months rather than weeks. Collaboration is required: between departments, but also with organisations in your supply chain and with IT suppliers. That adds extra pressure. So our advice is: don't wait until the Belgian legislation is announced and you know whether or not there will be a transitional arrangement. Start thinking about this today, so that you can take the first step tomorrow. Moreover, it will give you a competitive advantage. After all, your (potential) customers are also going to monitor their supply chain more and more closely.

The first two phases

The path to compliance broadly includes the following stages:

  1. Understanding and awareness.
  2. Evaluation of current cybersecurity status and vulnerabilities.
  3. Roadmap and planning.
  4. Implementation of technical and organisational measures.
  5. Training programmes for employees.
  6. Documentation of all analyses, measures and processes.
  7. Continuous monitoring and improvement.

So for a kickstart, it is best to first gather comprehensive information on the implications of NIS2 for your organisation. Next, examine the current state of your cybersecurity practices and policies and conduct a risk analysis to identify the vulnerable areas.

Cheops' cybersecurity specialists can conduct a comprehensive audit and find out - partly based on the survey results - what you need to do to become NIS2-compliant.
