NIS2 izertis
Manuel Estévez GRC Manager

Cibersecurity: How to prepare for NIS2

Frequently, news about the approval of regulatory frameworks within the European Union are perceived as the distant echo of what will someday come, either due to the sometimes slow transposition procedures into the legal systems of each country (when necessary), or due to the implementation and adaptation periods included in each new regulation. As Julius Caesar would say, "When we come to the river, we will cross the bridge". 

However, when these "future" regulatory frameworks respond to "present" situations, a dissonance is created that can only be corrected by addressing the adaptation processes early: identifying the security requirements included in the regulation (which will become increasingly strict), planning the necessary investments, and designing processes that allow for monitoring compliance, detecting inefficiencies, and responding to them with improvement actions. 

On November 10th, the European Commission approved version 2.0 of the NIS Directive, whose main objective is to lead member states towards a common strategy regarding the protection of critical organisations (public or private) in sectors such as energy, transportation, financial markets, healthcare, and supply and distribution of drinking water, among others. 

Member states must transpose the new elements of the directive into national legislation within a period of 21 months. 

How can we prepare for the NIS2 directive? 

A colleague in the same profession argues that, in this case as well, the most suitable strategy is to apply the proven methodology of "short steps, long view...and a bad attitude". 

Short steps involve taking things gradually, setting actions for each day, objectives for each quarter, and strategy for each cycle. Short steps, but one after the other, without stopping. The new regulatory framework aims to give prominence to people and processes, not just technology, and seeks to strengthen the security governance framework by introducing responsibilities for senior management. And steps must be taken that not only align with NIS2, but also, when applicable, maintain alignment with the Digital Operational Resilience Regulation (DORA) and the Critical Entities Resilience Directive (CER), all of which are closely related. 

The most suitable strategy is to apply the proven methodology of "short steps, long view...and a bad attitude"

Long view involves aligning the short steps of day-to-day work with a clear vision of business objectives, the main assets that need to be maintained, and the risks that can have a significant impact on business operations, reputation, or customer relationships. Long view involves having a model, a plan. 

NIS2 establishes technical criteria, formats, and procedures related to international standards, schemes, and protocols (such as the ISO 27000 series), offers general guidelines for risk management, and defines, hopefully for the last time, a taxonomy that aims to establish a common framework for the categorization of incidents. 

It also emphasizes, from several perspectives, that the entities included in its scope are responsible for those companies that participate in their supply chains, obliging them to consider the vulnerabilities introduced by each supplier. The directive does not clarify how to implement this obligation, but it is foreseeable that organizations that manage a significant number of suppliers will require certifications based on international standards such as ISO 27001, ENS or NIST, among others, performed by independent auditors who guarantee that the practices are carried out continuously. 

A bad attitude is the link that connects short steps and long view, identifying the opportunities that arise in the day and directing them towards strategic analysis. Protecting today as if there were no tomorrow is inefficient for organisations and demotivating for professionals. It is necessary to clearly identify the underlying objectives that make up that ambiguous concept of information security management system and, at the same time, take the correct steps day by day to bring us closer to them. 

When do we start? 

The sooner an organisation does it, the lower the economic cost of adaptation will be, and much lower the organisational stress to which it will have to subject itself to introduce the necessary changes. 

One of the most notable points of NIS2 is, subject to the corresponding transposition, that competent authorities will no longer notify entities that fall within the legislative scope. The responsibility for self-identifying as an essential or important entity will fall entirely on the organisations themselves. 

Another aspect to pay special attention to, as already mentioned, is the securing of the supply chain. It will require organisations to define procedures to evaluate whether their suppliers apply the correct security measures (and manage and continuously improve them), and will also involve reviewing contractual clauses with them, especially in areas such as liability, indicators of non-compliance with obligations, and possible associated penalties. 

Lastly, but not least, it should be noted the allocation of responsibilities to senior management, the requirement that they have the necessary capabilities for risk identification and security measures implemented in the organisation they lead and for which they will be held accountable in case of non-compliance with such obligations. 

At Izertis, we are already working on a framework that establishes appropriate security measures to achieve compliance with the directive in its various areas and in the different sectors that will be required to comply. Based on this framework, we have an agile, efficient, and cost-optimal methodology that allows us to design the security measures to be implemented for compliance, mechanisms to verify their operation and efficiency, and to complete the well-known cycle of continuous improvement that applies to all risk management systems today. 

All of this without losing sight of the main objective of organisations, which is not compliance but to have, in terms of security, the ability to analyse the risks that may disturb or impede business activities, anticipate them by implementing the necessary mechanisms, and improve... improve with a short step, a long-term view, and a bad attitude.