Risk management according to NIS2
NIS2 is intended to protect network and information systems, their users and other persons within the EU from cyber threats. This includes all circumstances, events or actions that affect the availability, authenticity, integrity and/or confidentiality of data and services. These are the security objectives pursued by the NIS2 Directive.
The more exposed a company is, the more likely it is to be targeted by attackers, and attackers increasingly reach their actual victims via the supply chain. For this reason, in addition to the sector reference and the now significantly lower thresholds for the number of employees and for annual turnover or annual balance sheet total, NIS2 also focuses on the supply chain. NIS2 assesses the impact of a cyber threat and tolerates only minimal impairment of the four security objectives mentioned.
Indicators for Effective Risk Management
The following key questions should be answered to ensure effective risk management in accordance with NIS2:
- Are all network and information systems used considered in the risk analysis?
- Is an explicit reference made to all four security objectives?
- Is the influence of the supply chain sufficiently reviewed?
- Have robust risk acceptance criteria been defined that are understood by different people and lead to comparable results?
- Is it ensured that, at the end of the risk management process, impairments of the four security objectives are limited to a reasonably justifiable level?
- Does the risk analysis address context-related and actually relevant cyber threats instead of general threat lists?
- Is risk management controlled by central specifications from a guideline or directive?
- Are identified risks and their sources regularly reviewed?
- Are the measures to address existing risks already operationally recorded and are they having the intended effect?
- Can the effectiveness of the implemented measures be documented in a comprehensible manner?
- Does such evidence explicitly include all processes involved?
- Is the current state of the art consistently adhered to during implementation?
If you can answer all of these questions with a clear yes for your organization, you are one of the lucky few who are already well prepared for NIS2! However, if there are any doubts or uncertainties, you will most likely need specialist support. In this case, the SITS NIS2 assessment can help.
Heading into the new cyber age
As part of the NIS2 Directive, security managers are confronted with a lot of new vocabulary that they still need to get used to. Processes are now referred to as “cyber security practice”; measures, in turn, serve “cyber security hygiene”.
In addition to risk management, NIS2-compliant processes also require emergency management, incident management, supply chain management and personnel management that are geared towards NIS2. Employees must also be explicitly made aware of cyber security. This includes managers as well as executive staff.
The measures, in turn, are primarily geared towards preventing data leakage. Measures are required for vulnerability and patch management, password management, system hardening, network segmentation, data backup and the prevention of threats to physical security as well as the supply of electricity and internet. You need to be prepared for human and technical errors and be able to recognize and, if possible, fend off malicious attacks.
In short: in the context of cyber security, there is a lot of work to be done by those responsible for security at affected organizations, and it has to be done within a short implementation period. And if an organization fails to do so, or fails to do so completely or accurately enough, it could face significantly higher administrative sanctions than under the previous guidelines and, under certain circumstances, even the dismissal of members of its management board.
What’s more: National legislators within the EU may tighten these regulations even further as part of their national implementation.
NIS2: Are you affected?
On the one hand, NIS2 covers institutions that are now directly addressed because of their sector affiliation. Checking whether this is the case is quite challenging; we have prepared an Online Check for you that provides the relevant information. On the other hand, NIS2 also covers facilities that operate as part of the supply chain, again regardless of their size. Optimistic estimates assume at least a factor of 10 for newly obligated organizations and companies. The reality is likely to be significantly higher.