Topics in this article

Cybersecurity isn’t limited to organizations’ own efforts to protect their data and applications. There are also broader regulatory requirements to consider, and these vary by country and region.

In Europe, one such requirement is the Network and Information Systems Directive 2 (NIS2). It’s an updated version of an existing directive, adopted in 2019, which aims to strengthen cybersecurity in the European Union by helping organizations protect themselves against cyberthreats.

NIS2 was officially published in January this year, and EU member states now have until 17 October 2024 to integrate its provisions into their local legislation.

But what exactly is NIS2, and which organizations are affected by it? In this blog, we’ll delve into the key aspects of the directive and explore how we can help you remain compliant.

The scope of compliance has expanded with NIS2

NIS2 is designed to enhance the cybersecurity posture of critical infrastructure and essential service providers by ensuring the security of their network and information systems.

Until now, the directive focused on seven sectors seen as essential: healthcare, transportation, energy, water supply, digital service providers, financial services and digital infrastructure.

Under NIS2, the scope of organizations that have to comply has expanded: NIS2 contains uniform rules for medium-sized and large organizations operating in “very critical” sectors (including energy, transportation, banking, drinking water and government) and “critical” sectors, such as postal and courier services, waste management, chemicals, food and manufacturing. Note that “direct suppliers” of affected sectors should prepare too.

Organizations categorized as “essential” or “important”

The size of your organization (in terms of number of employees and annual turnover) and the industry or sector in which you operate will determine your designation.

Some organizations will be deemed “essential”, regardless of their size, if a security breach affecting their digital infrastructure would have serious consequences.

Essential entities face the highest level of scrutiny, and noncompliance can result in hefty fines – up to EUR 10 million or 2% of the organization’s annual revenue.

How to comply with NIS2

Compliance with NIS2 involves three key aspects:

  1. Risk management: You have to conduct an annual supply-chain risk assessment, define roles and responsibilities, maintain a risk register and integrate a threat intelligence feed into your cybersecurity strategy. Threat intelligence is like subscribing to a news service for cyberthreats, and is essential to stay ahead of emerging threats. You also need to document all of your assets and network endpoints – laptops, mobile devices, IoT devices and more – which can be tricky to do. Business continuity measures such as backup management and disaster recovery, as well as crisis management, are also part of the obligations under NIS2.
  2. Security measures: Security awareness and training are paramount, as human error remains a significant cybersecurity concern. You also have to put technical security measures in place, governed by well-defined policies. Incident reporting is mandatory, with significant incidents requiring immediate notification within 24 hours – usually via a government website, with a follow-up requirement some weeks later.
  3. Technology deployment: Your underlying technology infrastructure needs to align with NIS2 requirements. This includes securing operational technology (OT) networks, implementing multifactor authentication and adopting a zero trust approach to user identities and credentials.

Are you ready? Ask these 5 questions

With only a year to prepare for NIS2 compliance, organizations must act urgently. However, the global shortage of cybersecurity professionals presents a challenge, and your in-house IT team may not be fully equipped to handle the preparations.

Ask yourself the following questions as part of your planning:

  1. Does my organization have a CISO? The specialist role of a Chief Information Security Officer (CISO) exists to manage an organization’s information security strategy and practices in order to protect data and systems from breaches. Lacking a CISO’s expertise can be a challenge during NIS2 preparations.
  2. When last did we conduct a formal and in-depth security assessment? Assessing the maturity of your security involves identifying gaps in your processes and technology, and it’s an essential first step on the road to compliance. This is not a standardized assessment: every industry and every organization is different. Some, such as banks and insurance providers, will already be mature in terms of their cybersecurity, while others may not, for reasons such as a lack of budgets or skilled people.
  3. Is my digital infrastructure architecture secure by design? This best-practice approach should be followed across all your technological domains, such as your network, OT, multicloud environment and applications.
  4. Do my employees undergo regular security awareness training? Human error is one of the biggest enemies of cybersecurity. Employees must be continually educated about cybersecurity risks and procedures.
  5. Have I tested my cybersecurity defenses? Regular penetration testing and red team services – which simulate real-world cyberattacks and other security threats to identify vulnerabilities in your defenses – help validate the effectiveness of your security controls.

How NTT can help

The good news is that NTT, as a global managed service provider with extensive experience in cybersecurity, offers a range of services to support you on your journey to NIS2 compliance.

If you don’t have a CISO, we can provide a cybersecurity expert to fill the role on a part-time basis, ensuring strategic oversight of your security efforts.

Our structured security maturity assessments lead to a clear and prioritized roadmap you can follow to achieve NIS2 compliance. We can  help you compile a full inventory of your digital infrastructure and secure it.

Then, we bring your employees up to speed with security through awareness and training programs, and we use techniques like penetration testing to ensure your security measures make the grade.

We’re ready to help your organization navigate the complex landscape of NIS2. Don’t wait until the last minute; start your compliance journey with us today.

WHAT TO DO NEXT

Read more about NTT's Cloud Security Services, which combine business objectives and security requirements to deliver resilience across your organization’s security lifecycle.