High-level checklist for compliance with NIS2

The EU’s NIS2 Directive (Network and Information Security Directive) imposes significant requirements on the cybersecurity of critical and essential infrastructures. Companies subject to this directive must implement several measures to ensure the security of their networks and information. This post describes the steps required to comply with NIS2 and provides some technical examples and recommendations.

Preparation and risk analysis

The first step is to identify the critical assets. This encompasses all systems, networks, and information that are vital to the company’s operations. An energy supplier, for instance, may consider the IT infrastructure for operating a substation a critical asset. It is, therefore, essential to conduct a thorough risk analysis to assess the threats and vulnerabilities of these systems. Using standard threat models such as STRIDE (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege) can help identify potential risks systematically.

Cybersecurity management system (CSMS)

Companies must develop and implement a comprehensive cybersecurity management system (CSMS). This can be an ISMS (information security management system) in line with ISO 27001. As part of the CSMS, security policies and procedures are established to provide employees with clear instructions on how to comply with cybersecurity requirements. For example, companies can establish guidelines for the secure configuration of servers, such as using multi-factor authentication (MFA) for access to critical systems.

Technical and organizational security measures

Implementing specific technical measures to safeguard networks is essential. Companies must deploy firewalls and intrusion detection systems (IDS) to deter unauthorized access to the network environment. For instance, an intrusion prevention system (IPS) can assist in blocking suspicious network traffic in real time. Another crucial element is system hardening, which entails regularly updating operating systems and applications while configuring them securely. This may involve utilizing CIS benchmarks for operating systems and databases.

Implementing strict access controls is also essential. We recommend a zero-trust approach, which authenticates and authorizes each access individually. For instance, VPNs can be used with an MFA requirement and regular access logs for a remote connection. It is vital to conduct regular backups to secure data, which should be stored separately from the production environment, ideally in securely isolated storage that can only be accessed with administrator rights.

Incident reporting and management

To comply with the NIS2 directive, it is essential to implement an effective incident response management strategy that enables the detection, reporting, and resolution of security incidents. Companies are responsible for creating an incident response plan for this purpose. One example is implementing a SIEM (security information and event management) system, such as Splunk or ArcSight, which centrally collects and analyzes security-related events to identify threats quickly. If a serious security incident occurs, companies must report this to the relevant national authority within 24 hours. Reporting procedures and communication channels to CERTs (computer emergency response teams) and other authorities should be established to support this process.

Training and awareness-raising

Employees must receive regular training and awareness-raising measures to foster a culture of security awareness and minimize the risk of phishing and other cyber threats. Cybersecurity training can include, for example, training on recognizing social engineering attacks. Organizations can use specialized training platforms like KnowBe4 and CybSafe to conduct regular simulated phishing campaigns and raise employee awareness in an emergency. These platforms improve organizations’ ability to respond to security incidents and identify weaknesses in emergency planning through simulations of security incidents and emergency tests.

Internal controls and audits

Implementing internal controls and regular audits ensures continuous compliance with security requirements. It is recommended that companies conduct independent security audits to verify the effectiveness of their security measures. They can do external pen tests, where ethical hackers attempt to uncover vulnerabilities in the infrastructure. One example is scanning systems with tools like Nessus or OpenVAS to spot security vulnerabilities systematically. The results of these tests should be documented and tracked, with action plans drawn up to address the identified vulnerabilities.

Security strategies and further development

Implementing a long-term cybersecurity strategy that incorporates regular reviews and updates of security measures is essential. This entails investing in new security measures and technologies, such as endpoint detection and response (EDR) solutions. Banks, for instance, which continually face novel threats, can consistently refine their cybersecurity strategy and integrate new protective mechanisms, such as AI-based anomaly detection. Furthermore, the plan should include adapting to regulatory changes to ensure compliance with NIS2 requirements.

Notification and reporting procedures

Regular reporting of the security status is essential to comply with the NIS2 directive. These reports should include details of any security incidents, identified vulnerabilities, and actions taken in response. A well-structured dashboard provides an overview of all security-related figures; it uses SIEM dashboards or business intelligence tools such as Power BI, for example. The reports should be forwarded to management and the relevant authorities if there is a significant incident.

Recovery planning and resilience

A comprehensive contingency plan is crucial to ensure business continuity in the event of a security incident. This should include regular backups and recovery plans for critical systems. For instance, a cloud-based backup solution can enable rapid recovery if local systems are damaged or compromised. Additionally, disaster recovery plans should be regularly tested and updated to ensure they are effective in the face of new threats. By conducting regular disaster recovery tests, companies can assess and optimize the resilience of their systems.

These measures address the fundamental requirements of the NIS2 directive, offering companies a comprehensive framework for achieving and maintaining cybersecurity. Compliance with NIS2 entails technical security measures, organizational discipline, and a commitment to investing in long-term security strategies.

To discuss this in more detail, feel free to contact Wolfgang Schwab.