Six steps to handle the NIS 2 compliance process

New security regulations such as NIS 2 aim to raise the baseline level of cybersecurity protecting critical sectors such as public administration, telecommunications, energy, transport and financial services, reducing the likelihood of a cyber attack that affects the general public. Ensuring compliance with an EU-wide security framework may sound like a daunting task for many organizations, but board members should view it not as a threat but as an opportunity to reach a new security standard.

With the new directive, IT security is finally becoming a top management priority. Under NIS 2, company leadership carries explicit responsibility: management bodies must approve and oversee the cybersecurity risk-management measures, and can be held personally liable if the requirements are ignored or the business is not compliant.

Despite these steep penalties, the updated regulation is not asking for a wholesale overhaul of security measures; it should be viewed as a process exercise. The directive is designed to pull those on the lowest rung of cyber hygiene upward rather than raise the security ceiling with a fresh batch of policies, a necessary investment to keep pace with the ever-increasing velocity of cyber attacks. As such, this security evolution should be the next logical step in a journey that most businesses will already have been on for years.

But how do organizations at the start of their compliance journey begin to unpick the requirements of the extended NIS 2 regulation? We have created a six-step guide to help business leaders track progress and set in motion the changes needed to reach compliance ahead of the 17 October 2024 deadline, by which member states must transpose NIS 2 into national law.

Step 1: Organizations have to register

Firstly, organizations have to evaluate whether they fall within the new scope before taking action. The EU estimates that more than 160,000 companies across 18 sectors will have to comply with NIS 2, all of which will be subject to "stricter requirements for risk management and incident reporting, wider coverage of sectors, and more hard-hitting penalties for non-compliance." Building on the original NIS Directive, NIS 2 both widens the range of entities covered and tightens the obligations placed on them, with separate requirements for 'essential' and 'important' entities.

Based on the European directive, every company that falls within the scope of NIS 2 has to register proactively with the competent authority in its country, typically via a dedicated portal. The registration process will differ slightly from country to country, and in most EU member states the portal is not yet in place at the time of writing. Companies should nonetheless familiarize themselves with the EU directive, which is the blueprint for all local transpositions, to establish whether they fall within the NIS 2 scope. Organizations with subsidiaries across the EU have to complete these steps for every country in which they operate.

Once an organization has established that it needs to comply and has registered, a plan to implement the directive should be in place.

Step 2: How to organize the process to reach compliance

Once a company reaches a certain size, it needs to provide evidence to stakeholders that cyber security is being taken seriously. According to a recent study Zscaler conducted, ISO 27001 certification is the most widely used framework across all sectors, followed by NIS 2 and the CIS Controls.

If a company does not yet use any certification or framework for cyber security, NIS 2 is a good starting point, although it will trigger many activities for the first time and therefore generate considerable effort. If other cyber security frameworks are already in place, the additional effort for NIS 2 should be limited, as many of its requirements are already familiar from the common frameworks.

Mapping the frameworks to each other is a good starting point for organizing the compliance process. Such mappings are now publicly available or can be obtained from service providers.

Aligning to an EU-level security framework is not something the C-suite can delegate to the security team alone. Being found non-compliant can have serious financial repercussions for both the business and individuals: NIS 2 requires member states to set maximum administrative fines of at least EUR 10 million or 2% of total worldwide annual turnover (whichever is higher) for essential entities, and at least EUR 7 million or 1.4% for important entities, alongside the personal liability of management. Business leaders need to take the regulation seriously and deploy teams with the knowledge and experience to audit current assets and policies with the necessary rigor and level of detail.

Step 3: Setting-up the NIS 2 team

Ownership of the overall NIS 2 process should sit with the office of the CISO, who can delegate the appropriate steps to a broader project team and ensure the availability of subject matter experts from across the organization. They need to reach out to functions beyond core security to cover individual requirements, such as the internal crisis management specified in NIS 2 chapter 4.2. Before building out any internal teams, a project lead should be assigned to spearhead the audit and break down the NIS 2 documents, ensuring best practice across all offices and third-party suppliers. Having one person in charge of the document review means the organization aligns to a single interpretation of the framework rather than multiple variations across regions.

Depending on the section of the NIS 2 directive being addressed, the project lead has to bring in subject matter experts to support the wider cyber security team. Typically this includes risk & compliance and CERT experts; the IT architecture team and the cloud & hosting team (e.g. to cover NIS 2 chapter 2.1); the identity & access management team for NIS 2 chapter 2.3; the network team; the facility team for physical security (required in NIS 2 chapter 2.5); and the owners of business resilience from both the IT and the business side.

Many large companies already have a dedicated function within their legal or security team that deals with certifications and audits, and this best-practice approach should be adopted for NIS 2 compliance. These team members have an in-depth understanding of the technology estate and can identify areas of the business that lack security rigor far more quickly.

Smaller companies that lack such sub-teams, or the budget to build one, are best served by creating a joint task force that pools the knowledge of what to look for during the audit.

Step 4: Review of inventory management to confirm the risk profile

One of the biggest effort drivers in any compliance audit is that teams lack a full view of the technologies and assets in their environment because of gaps in inventory management. The more complex the IT infrastructure, the harder it is to map the risk footprint: if an organization does not know what it has to protect, it cannot know how to protect it. Understanding the blind spots in the security set-up is therefore a priority for project leads before they start addressing compliance concerns, which makes a review of the asset inventory a prerequisite of the process.

Organizational complexity adds further effort to the compliance process, for example when business divisions run their own independent IT governance processes. This is often the case where responsibility for IT and OT workloads is split, even though both fall under NIS 2. The NIS 2 project team needs to align these and understand the complete set of technologies in order to determine the full risk profile of the business.

Our recommendation is to use one central asset management system across all business and technology divisions. Several solutions on the market speed up the process through automated discovery scanning and AI-based data enrichment. As many organizations also grow through regular acquisitions, newly acquired technology stacks will need to be added to the audit and compliance process along the way.

Step 5: Save time by transferring existing audit results to NIS 2

As mentioned above, many companies already have to align parts of their business with other regulations and directives. Those audit results can be reused and should be applied to the corresponding NIS 2 areas. In the best case they map directly onto the local NIS 2 requirements; otherwise they will need rework to fit the updated directive.

If an organization identifies a significant gap between frameworks, the project team will need to plan the most effective and quickest path to compliance in the few months that remain. It may be worthwhile to work with knowledgeable partners to understand which technology needs to evolve and how the requirements can be met with the least interference to day-to-day business and the least added complexity.

Step 6: Removing the infrastructure complexity

The traditional compliance mindset was to buy new technology to tick the box, which has left companies with a wealth of technical debt. This is where most security teams will struggle with NIS 2 compliance. Many organizations are turning to cloud-based security platforms to simplify their technology estate by creating a common connection point for all offices and establishing a base layer of security hygiene that is easier to audit.

Consolidating the available technology stacks will quickly reduce that complexity and make future compliance work far smoother. A proven best practice is to combine the three to five most relevant platforms into an overall IT ecosystem covering the whole of cyber security defense, detection, response, deception and incident management for workplace devices, on-premises and cloud workloads. To actually reduce complexity, it is particularly important that these platforms integrate cleanly with each other through well-defined APIs.

For organizations with offices in multiple countries across Europe and beyond, NIS 2 compliance adds another layer of complexity. Even if the business is run centrally from one location, each satellite site needs to be compliant with NIS 2 and aligned with the central headquarters from a security perspective.

Conclusion

While the audit process may seem a long and daunting prospect, it is something every organization should invest in to better understand its risk profile and learn how vast its technology infrastructure has become. Many businesses will be surprised by how many technology stacks they run and rightly concerned by how complex their inner workings have grown. With only a few months left before the NIS 2 transposition deadline, now is the time to do the hard work and avoid a last-minute scramble in which things get missed. The effort is not in vain: gaining visibility into all data streams may prove to be the foundation for an organization's future ambitions, whether in OT/IoT, 5G or any other initiative that depends on a secure and future-proof infrastructure.

Christoph Schuhwerk

With more than 20 years of experience across various industries, Christoph Schuhwerk currently holds the role of CISO EMEA at Zscaler. A senior enterprise architect, cloud, network, and cyber security expert, Christoph is also highly engaged in the field of sustainability, where he investigates applying zero trust principles to reduce energy consumption for IT infrastructure.
