Getting Started

Develop a thorough analysis of whether or not your organisation is within the scope of the NIS 2 Directive. Once that is done, follow the national discussion on the NIS 2 Directive to get a clearer picture of how it will be implemented in your national law.

If you have identified that your organisation is within the scope of the NIS 2 Directive, you should review and audit your vulnerability management program. Risk-based vulnerability management is a proactive approach to cybersecurity that considers the likelihood of a vulnerability being exploited and the potential impact of events when deciding which vulnerabilities to remediate.

Risk-based vulnerability management also includes detailed documentation and reporting of identified vulnerabilities, their associated risks, and the steps taken to address them. This information is critical for the incident reporting requirements of NIS 2.
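As an added illustration (not from the original page or any NIS 2 text), the scoring below ranks constructed sample findings by likelihood of exploitation times potential impact, contrasts that with ordering by severity alone, and produces the kind of remediation record the documentation requirement calls for; the weights, field names and sample findings are assumptions.

```python
from dataclasses import dataclass, asdict

# Added example: minimal risk-based prioritisation. The weights are assumed
# for illustration and are not prescribed by NIS 2.

@dataclass
class Finding:
    vuln_id: str            # tracker id (constructed, not a real CVE id)
    asset: str
    cvss_base: float        # technical severity, 0.0 - 10.0
    exploit_known: bool     # public exploit or active exploitation reported
    internet_exposed: bool  # reachable from outside the organisation
    asset_criticality: int  # 1 (low) .. 5 (business-critical service)

def likelihood(f: Finding) -> float:
    """Chance of exploitation: severity, raised by exposure and known exploits."""
    score = f.cvss_base / 10.0
    if f.exploit_known:
        score += 0.3
    if f.internet_exposed:
        score += 0.2
    return min(score, 1.0)

def impact(f: Finding) -> float:
    """Potential impact, driven by how critical the affected asset is."""
    return f.asset_criticality / 5.0

def risk(f: Finding) -> float:
    return round(likelihood(f) * impact(f), 3)

def prioritise(findings):
    """Remediation order by risk, highest first."""
    return sorted(findings, key=risk, reverse=True)

def severity_only(findings):
    """Naive ordering by CVSS alone, for comparison."""
    return sorted(findings, key=lambda f: f.cvss_base, reverse=True)

def remediation_record(f: Finding, action: str, owner: str, done_on: str) -> dict:
    """Documentation entry: the finding, its assessed risk, and the step taken."""
    rec = asdict(f)
    rec.update(likelihood=round(likelihood(f), 3), impact=impact(f),
               risk=risk(f), action=action, owner=owner, done_on=done_on)
    return rec

# Constructed sample findings: VULN-C has a high CVSS score but sits on a
# low-criticality asset, so risk-based ordering pushes it to the back.
SAMPLE = [
    Finding("VULN-A", "public-web-01", 7.5, True, True, 5),
    Finding("VULN-B", "hr-db-02", 9.8, False, False, 5),
    Finding("VULN-C", "dev-laptop-17", 9.1, True, False, 1),
]
```

Calling `prioritise(SAMPLE)` yields VULN-A, VULN-B, VULN-C, while `severity_only(SAMPLE)` yields VULN-B, VULN-C, VULN-A.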

As the deadline for transposing the NIS 2 Directive into national law approaches on October 17, 2024, organisations falling under its purview must proactively prepare for compliance. Unlike EU regulations, NIS 2, being a directive, is not directly binding, but sets a minimum standard. However, once your country adopts national regulation implementing NIS 2, your organisation must take steps to comply with that local law. Each country creates its own regulations attached to NIS 2, and these vary from country to country.

Follow these five crucial steps to navigate the complexities and ensure a smooth transition:

1. Involve your top management. The success of any compliance initiative relies on the backing of your organisation’s leaders.

2. Understand the scope. Determining the scope of NIS 2, which of your systems fall under it, and the challenges you face in achieving compliance are the first steps towards NIS 2 compliance.

3. Study the NIS 2 security requirements. Familiarise yourself with Article 21 of the Directive, outlining the main NIS 2 requirements. Ensure your organisation addresses the ten security measures mandated by NIS 2, ranging from risk analysis to multi-factor authentication. These 10 requirements are covered in depth within this document.

4. Conduct a gap analysis. Once you have identified the scope and requirements of NIS 2, you are ready to compare them with the security measures already implemented in your organisation. Gap analysis identifies the gaps between your current state of compliance and the desired one so that they can be closed.

5. Allocate the necessary resources. Successful implementation of the NIS 2 Directive requirements involves allocating the resources needed, including money, people, and technology.