Cyber resilience at the heart of NIS2
Increasing (high-impact) cyberattacks, rising damage costs, a growing impact on business continuity, and so on: everyone knows (and understands) the reasons behind NIS2.
The proactive cyber resilience concept is clearly at the heart of the directive, says Simon Gemoets, senior security advisor at Cegeka: "With cyber resilience, you not only focus on prevention and protection, but you also prepare your organization as well as possible for incidents that may occur. This anticipatory nature is well reflected in NIS2 requirements such as systematic risk management and continuous improvement of cyber resilience."
More than just resilience
The obligations arising from NIS2 largely align with the 'standard' requirements and best practices for cybersecurity and cyber resilience in frameworks such as ISO 27001 and NIST CSF. "But NIS2 is more far-reaching and stricter in some areas," says Remko Verdouw (senior security advisor at Cegeka Netherlands).
Stricter requirements
One of these stricter requirements is the reporting obligation, notes Remko. "Suppose you fall under NIS2 and face a serious incident. Then you must make three different reports to the supervisor within specific time frames. The initial report even within 24 hours."
Like the reporting obligation, the responsibility of top management for compliance with cybersecurity measures is also a much-discussed topic within the industry, notes Remko: "NIS2 implies that top managers must have sufficient awareness in the field of security and risk management. This can have far-reaching consequences. If the organization is not compliant, they can be held liable for the failure and face financial or legal sanctions, such as a fine or temporary suspension."
The requirements around supply chain management also go beyond those of ISO 27001 and NIST CSF. Remko: "NIS2 requires your organization to manage risks in your supply chain and ensure the security of suppliers. Suppliers of NIS2 organizations can therefore expect contracts with many security requirements. They will also be more or less forced to assess regularly. The directive thus impacts many more organizations than just the so-called essential and important ones."
Starting with assessments
The most logical – but not mandatory – first step towards NIS2-security compliance is an assessment, says Simon. "This way, you can discover possible gaps and vulnerabilities in your security landscape and determine your security posture. Once you have completed the assessments on the various components, you identify the gaps relative to the NIS2 requirements. Only then do you start drafting and implementing a roadmap."
Simon and Remko both work with Cegeka's Continuous Security Advisory Framework (CSAF). Simon: "With this integrated assessment and advisory framework, we help organizations determine and ultimately improve their maturity level. We also support the development of a future-proof security roadmap and the continuous strengthening of cyber resilience."
Remko emphasizes that customers do not necessarily have to turn to Cegeka for implementing the roadmap after a CSAF assessment. "Yet many customers choose to do so. Cegeka's services cover the entire chain: assess, prevent, detect & respond, and recover. We have expertise in all these areas."
Every roadmap for NIS2 is unique
There is no standard roadmap for security compliance; every organization must follow a unique path. That path is determined by factors such as the maturity starting level, available resources and budgets, the societal importance of the organization in question, and the amount of business-critical data.
An important NIS2 principle is that essential and important organizations must take 'proportional' security measures. Simon: "The measures you take must therefore be proportionate to the risks of your organization. This way, you can – and we always strive for this – avoid investing in expensive or unnecessary point solutions."
Lagging in policy
Simon and Remko have recently noticed that in many CSAF projects, the policy part of the NIS2 organization in question is lagging or even completely absent. Remko: "NIS2 requires you to have clear policy documentation on everything that has been implemented. This documentation helps you demonstrate how you manage risks and how you report incidents."
The reason these organizations are lagging in policy is often quite banal. "They want to, but simply do not have enough time or resources," says Remko.
Race against the clock
The deadline for member states to transpose NIS2 into national legislation is set for October 2024. According to Remko, there is some leeway in practice. "In the Netherlands, for example, NIS2 – in the form of the Cybersecurity Act (Cbw) – will only come into effect in the course of 2025. Yet that is no reason to sit back. On the contrary. Make haste, especially if you still have to start. We cannot say it often enough. Maybe an open door, but it can be a lot of work to realize the roadmap. Especially if your security maturity is currently low."
Rapid changes, continuous assessments
Simon and Remko emphasize that organizations should not forget to look broader – and further ahead – in all the NIS2 commotion. Simon: "It is becoming a cliché, but the world of cybersecurity and resilience is really changing rapidly. Think of all the new – often sophisticated – attacks, the rapid rise of AI, the tsunami of (new) security technologies, and the IT and OT landscape that is becoming larger and more diverse."
The traditional approach, in which an organization assesses itself once every few years, is therefore no longer sustainable, according to Simon. "Continuous assessment and continuous security improvement are always key in our view."
Short intervals
Remko explains that it is no coincidence that 'continuous' is the first word of CSAF. "It means that we perform different types of assessments at shorter intervals. The traditional, old way of assessing is thereby broken down into manageable chunks such as policy maturity."
According to Simon, assessments used to be mainly one-off exercises across the market. "But within CSAF, an assessment transforms into a real program. With the new approach, we can view the security of our customers from certain perspectives, but also, for example, focus on one or more specific security capabilities."
This modular approach delivers more than just a complete security picture, says Remko. "It also offers the opportunity to start small. Or to focus exclusively on assessing certain aspects, such as technical security controls or documentation and policies."
Remko: "When you continuously assess, you are first and foremost better able to adapt your security to the latest threats and developments. Additionally, you prevent the attention to security from gradually waning, as we saw with assessments every few years. Finally, it is nice that you can better spread the time and capacity investments for an assessment."
NIS2-security compliance as a bonus prize
The path to NIS2-security compliance has its share of hurdles, challenges, and costs. But see it this way, says Simon: "At the finish, it turns out that cyber resilience is the main prize of your security compliance journey, with NIS2-security compliance as a bonus prize. This bonus prize helps you, among other things, gain the trust of suppliers, customers, and the general public."