Get NIS2 compliant fast
Don't be the weakest link in the supply chain. Build out your security controls by re-thinking, re-using and re-implementing current controls.
You need to take NIS2 compliance seriously. But you don't need to start from scratch.
The Directive on the Security of Network and Information Systems (NIS2 Directive) represents a significant step forward in enhancing the overall cybersecurity posture within the European Union (EU). It updates and expands the scope of the original NIS Directive, aiming to address evolving cyber threats and to ensure a high common level of cybersecurity across the EU.
Becoming NIS2 compliant has many benefits, while failure to comply with the NIS2 directive could lead to fines and reputational impact.
An increased focus on supply chain security also means that NIS2 isn't just for very large companies. It could also impact how you do business and how your supply chain does business with you.
VENZO can help build out your current security controls, no matter your point of departure, by re-using and re-thinking current controls to help you get NIS2 compliant faster.

Our approach to NIS2 in a nutshell
Re-use. Re-think. Re-implement.
Define your maturity baseline
Establish the current maturity level and decide on what level of maturity you want your organisation to achieve.
Identify gaps
Based on the defined maturity level, identify the gaps and necessary steps to reaching the desired level.
Extend current controls
Build on your existing way of working and simply extend your current controls (e.g. from ISO 27001 or GDPR).
Remediate
Close identified gaps by creating or updating documentation and selected security measures.
Get people on board
Anchor updated policies, processes, and security measures in the organization, so employees are familiar with the rules and requirements.
Continuous improvement
Never stop monitoring, protecting against threats, and reporting. And consider improving MDR (managed detection and response), supply chain management, identity security, and related areas.
Relevant sectors and industries
These are the essential and important entities for which compliance with NIS2 is a requirement. However, even companies outside of these sectors and categories can be required to ensure compliance if they are part of a supply chain involving one of the entities in the overview.
There are also 10 additional categories of companies (e.g. Trust Service Providers and Public Communications Networks) that fall under NIS2, and the size of your business must also be taken into account.

Three important changes to the new NIS directive to keep in mind...
Expanded scope and stricter requirements
NIS2 broadens the range of sectors and types of companies that fall under its scope compared to its predecessor. This expansion means that more companies will be subject to compliance requirements. The directive also sets a higher bar for security and incident reporting. Companies must ensure they have comprehensive cybersecurity measures in place and are prepared to report incidents promptly to avoid penalties.
Enhanced enforcement and higher penalties
Penalties for non-compliance under NIS2 are more severe than under the original NIS Directive, with fines potentially reaching up to €10 million or 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher. This represents a substantial increase in potential financial risk for non-compliant companies, making it imperative to invest in both compliance and other relevant security measures.
Mandatory risk management and supply chain security
NIS2 places a strong emphasis on proactive risk management and the security of supply chains. Companies are required to adopt a wide range of technical and organizational measures to manage the risks posed to the security of network and information systems. This includes ensuring that their supply chains and service providers adhere to similar high standards of cybersecurity, recognizing that a chain is only as strong as its weakest link.

Four main NIS2 requirements
Management is responsible for making sure that their organisation is NIS2 compliant. They can even be "held liable for infringements by the entities", which is one of the many reasons why they need to make sure the company lives up to the requirements in NIS2.
01
Risk management
You must implement a risk-based approach to assessments and implement "proportional" security measures.
02
Security measures
You must expand existing and/or implement new security measures based on policies and procedures (Multi-Factor Authentication, supply chain security, access control, etc.).
03
Reporting
You must implement reporting to the competent authorities (the "CSIRT", Computer Security Incident Response Teams) within specific "time-boxed response times".
04
Supervision
You must implement continuous internal supervision of implementation and compliance. Also expect external supervision by a local supervisory authority (as with GDPR).
Don’t be the weakest link.
If you ask VENZO’s security specialists, most companies need to make sure that they are not the weakest link. For many companies, whether or not they are on the list of essential or important entities, NIS2 compliance will be their license to operate because of the supply chain they are part of.
Re-use, re-think, and re-implement the measures you already have in place. And let VENZO help you prioritise new ones.
Book a free 30-minute consultation with VENZO to learn more about our approach to NIS2 and what you need to do to get compliant.
VENZO’s security and compliance services offer our clients an end-to-end approach to advising, implementing and anchoring security and privacy initiatives.