Missed the beginning of this series? Start with Part 1.
Organizations should view the Network and Information Security Directive (NIS2) as an extension of the principles and requirements already imposed by other regulations and standards. According to SANS Senior Instructor James Tarala, who has studied global regulations and standards for many years, NIS2 does not contain shocking new requirements. "If I were a CISO, I would eat my cybersecurity vegetables and be fine."
The new regulation is not necessarily sexy and exciting or all that earth-shattering, said the cybersecurity risk assessment expert, but organizations must sort their cyber hygiene out to comply with NIS2. That being said, NIS2 will mean change and requires an effort from organizations to comply. “Indeed, the requirements in NIS2 are not new; they have been around for a long time. However, what NIS2 does is require organizations to do the things we have all known to be true for a long time. There are not many regulatory standards that require this today. That will change the scope for sure,” Tarala said.
Another notable NIS2 regulation specifically requires organizations to conduct regular risk assessments. "I think that concept is new. Even though cyber risk assessment has been around for many years, it's a good thing to see regulation pushing, requiring, and encouraging that behavior," Tarala said. "I am encouraged by this because I think whenever we can put this kind of information in front of executive leadership and organization and business stakeholders, it allows companies to have a conversation they might not have otherwise had."
Baseline of Cybersecurity Standards
Tarala spends much of his time conducting cyber risk assessments. Outside of that, he also conducts cybersecurity research and education, and his research focuses extensively on risk assessment. "I have worked with a team of people, including SANS, to release a risk engine model as well as aggregate safeguard libraries and similar research." As part of his research, Tarala has been doing a detailed analysis of over a hundred different standards and regulations worldwide. "What I've noticed when I process new regulations and overlay and map those into the research is that I rarely ever find a regulatory body asking for something new that I've never seen before."
Risk Assessment
So, risk assessment isn't a new kid on the block either, and it has been theorized for many years in regulations and standards. However, NIS2 is definitely on the bandwagon in requiring organizations to perform those risk assessments regularly. "We do risk assessments for two reasons: one is to select what cybersecurity safeguards are appropriate for our organization to implement. And two is to look at the organization in light of those safeguards and validate that we've implemented them well. The focus in NIS2 and other compliance standards is on validation, as most organizations frankly don't have the resources or the expertise to understand how to choose which safeguards make the most sense,” said Tarala.
To meet NIS2 risk assessment standards, organizations have multiple steps laid out ahead of them. First, they need to be clear on their target state. Tarala posed the question, "Do they clearly understand what cybersecurity safeguards they should implement into their business practices?" This may prove challenging, as the European Union (EU) hasn't specified what safeguards will be required for NIS2, much like they didn't specify the privacy safeguards in the GDPR. "The EU wants to leave it up to member states to have the opportunity to define cyber hygiene practices,” said Tarala.
Quality Management Process
Once organizations understand what they believe they should do, as it relates to risk assessment, they must regularly practice to validate what they believe they should be doing. "The result of that validation process, of that risk assessment, then needs to be placed in front of leadership teams, the executive board, and business stakeholders. That information then enables them to form better decisions and ensure they're addressing the gaps that are identified," according to Tarala. "The idea of the cybersecurity risk assessment is a quality management process that needs to be implemented." The EU does not specify who should perform these assessments. It is assumed organizations will do an internal self-assessment, but the reality may be that some businesses will rely on third parties to do this for them.
Liable Leadership
NIS2 requires executive leadership to focus more on cybersecurity, as they are now liable for any significant incidents according to the new directive. "This means leadership needs to understand where they stand regarding cyber hygiene concepts. The expectation is that organizational leadership will sponsor, support, and fund these risk assessments and take the results seriously. In this way, NIS2 is trying to build a culture of organizational leadership owning cybersecurity issues and ensuring that they're addressed promptly," according to Tarala. "It does not mean that we're all going to be perfect because no organization adequately addresses these cybersecurity risks at any given time. But I think the liability aspect comes back to the fact that if an organization egregiously ignores best practices, there is no accountability for that leadership."
Set Yourself Up for Compliance
Tarala advises risk assessors to continue looking for what they know to be important from other regulatory standards and map the specific NIS2 requirements of member states back to that core set of requirements. "Inherently, it doesn't change how you work; you need to be more aware of what other people are asking you and map that to the requirements to see if something new is outlined. And if that is the case, you must reconsider your safeguards and compliance. Regarding NIS2, if you eat your cybersecurity vegetables, you should be fine for now," he said. "You should do everything you probably have been doing for quite a few years already. Don't give yourself an excuse to skip those things because doing the right thing will help you be compliant. It may not always be in complete alignment, but doing the right thing in cybersecurity will make the compliance process easier."
NIS2 Checklist
Asked for a checklist that CISOs and risk assessors can follow to ensure compliance, Tarala pointed to the list of ten bullet points published by the EU (see the 10 Bullet Points from NIS2 section below). "There are some requirements at a high level that need to be included in national legislation. They comprise incident handling, business continuity, and cybersecurity hygiene best practices. Strikingly enough, they throw in a few technical things, like multi-factor authentication (MFA). So, if I were building a checklist, I would use those ten bullet points as my starting point and ensure I'm focused on those and customize according to national legislation." The SANS instructor stresses this doesn't mean an organization has to throw away existing programs or start from scratch. "Don't treat NIS2 as a new compliance requirement and change everything you do. Most requirements tend to be just different versions of the same thing." That being said, Tarala stressed he doesn't want to be flippant about NIS2 or other new regulations. "They are important. It may not be all new in theory, but it still requires organizations to put in effort to optimize their security efforts and their compliance."
Best Practices Provide Resilience
As a risk assessor himself, Tarala always asks organizations to look at regulatory requirements they know they are responsible for, the contractual requirements they've agreed to follow, and the cybersecurity best practices that are best for them. "Make sure all those areas are reflected in your safeguard libraries, where you document your intentions as an organization. You can then map the NIS2 requirements to the ones you already have in place and start improving. But don't make a whole new program or throw away what you've already done. Just use NIS2 as an extension of those principles that are already in place. Any organization that follows these best practices will be more resilient, giving them long-term business advantage."
10 Bullet Points from NIS2
- Policies on risk analysis and information system security
- Incident handling
- Business continuity, such as backup management and disaster recovery, and crisis management
- Supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers
- Security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure
- Policies and procedures to assess the effectiveness of cybersecurity risk-management measures
- Basic cyber hygiene practices and cybersecurity training
- Policies and procedures regarding the use of cryptography, and where appropriate, encryption
- Human resources security, access control policies, and asset management
- MFA or continuous authentication solutions, secured voice, video and text communications and secured emergency communication systems within the entity, where appropriate
Which Organizations Are Essential or Important?
Essential entities: Large organizations operating in a sector from Annex 1 of the NIS2 Directive.
Important entities: Medium-sized organizations operating in an Annex 1 sector, and medium-sized and large organizations operating in an Annex 2 sector.
An organization is considered large based on the following criteria:
- A minimum of 250 employees, or
- An annual turnover of €50 million or more and a balance sheet total of €43 million or more.
An organization is considered medium-sized based on the following criteria:
- 50 or more employees, or
- An annual turnover and balance sheet total of €10 million or more.
In this series on NIS2, we highlight the new directive from different angles so CISOs and their organizations can gain insight into how to deal with NIS2.
As you look towards achieving NIS2 compliance, remember that knowledge is power. SANS's extensive resource center offers everything from learning paths to certifications, all designed with your compliance needs in mind. Start exploring NIS2 with SANS today!
As SANS maps out industry preparedness for the new EU Commission's NIS2 Directive, your insights are invaluable. Please take a moment to complete the NIS2 survey to contribute to our research. Your feedback will help us provide the guidance and resources needed for this and future directives.
Continue reading in Part 3 of our NIS2 Compliance series here.