NIS2 & risk management: Taming cyber risks now

NIS2 & Risk Management: Are cyber risks really manageable?

Asking when cyber risks are really manageable is like trying to square the circle, yet this is exactly what the EU's new NIS2 Directive aims to achieve. No single constant, however complex, will deliver it. There are, however, indicators that show whether the right path has been taken.
April 02, 2024

Risk management according to NIS2

NIS2 is intended to protect network and information systems, their users and other persons within the EU from cyber threats. This includes all circumstances, events or actions that affect the availability, authenticity, integrity and/or confidentiality of data and services. These are the security objectives pursued by the NIS2 Directive.

The more exposed a company is, the more likely it is to be targeted by attackers. Attackers are increasingly reaching their actual victims via the supply chain. For this reason, in addition to the sector reference and the now significantly lower threshold values for the number of employees and annual turnover or annual balance sheet total, NIS2 now also focuses on the supply chain. NIS2 looks at the impact of a cyber threat and only allows minimal impairment of the four security objectives mentioned.

Indicators for Effective Risk Management

The following key questions should be answered to ensure effective risk management in accordance with NIS2:

  • Are all network and information systems used considered in the risk analysis?
  • Is an explicit reference made to all four security objectives?
  • Is the influence of the supply chain sufficiently reviewed?
  • Have robust risk acceptance criteria been defined that are understood by different people and lead to comparable results?
  • Is it ensured that, at the end of the risk management process, impairments of the four security objectives are limited to a reasonably justifiable level?
  • Does the risk analysis address context-related and actually relevant cyber threats instead of general threat lists?
  • Is risk management controlled by central specifications from a guideline or directive?
  • Are identified risks and their sources regularly reviewed?
  • Are the measures to address existing risks already operationally recorded and are they having the intended effect?
  • Can the effectiveness of the implemented measures be documented in a comprehensible manner?
  • Does such evidence explicitly include all processes involved?
  • Is the current state of the art consistently adhered to during implementation?

If you can answer all of these questions with a clear yes for your organization, you are one of the lucky few who are already well prepared for NIS2! However, if there are any doubts or uncertainties, you will most likely need specialist support. In this case, the SITS NIS2 assessment can help.

Heading into the new cyber age

As part of the NIS2 directive, security managers are faced with a lot of new vocabulary that they still need to get used to. Processes are now understood as “cyber security practice”. Measures, in turn, are used for “cyber security hygiene”.

In addition to risk management, NIS2-compliant processes also require emergency management, incident management, supply chain management and personnel management that are geared towards NIS2. Employees must also be explicitly made aware of cyber security. This includes managers as well as executive staff.

The measures, in turn, are primarily geared towards preventing data leakage. Measures are required for vulnerability and patch management, password management, system hardening, network segmentation, data backup and the prevention of threats to physical security as well as the supply of electricity and internet. You need to be prepared for human and technical errors and be able to recognize and, if possible, fend off malicious attacks.

In short: in the context of cyber security, there is a lot of work to be done by those responsible for security at affected organizations, and it has to be done within a short implementation period. And if an organization fails to do so, or fails to do so completely or accurately enough, it could face significantly higher administrative sanctions than under the previous guidelines and, under certain circumstances, even the dismissal of members of its management board.

What’s more: National legislators within the EU may tighten these regulations even further as part of their national implementation.

NIS2: Are you affected?

On the one hand, NIS2 covers institutions that are now directly addressed due to their sector affiliation. Checking whether this is the case is quite challenging. We have prepared an Online Check for you that provides the relevant information. On the other hand, NIS2 also covers facilities that operate as part of the supply chain, again regardless of their size. Optimistic estimates assume at least a factor of 10 for newly obligated organizations and companies. The reality is likely to be significantly higher.
