
A comprehensive guide to complying with directive EU 2022/2555-NIS2

We have prepared easy-to-understand suggestions with step-by-step instructions and associated costs on how to comply with Directive (EU) 2022/2555 NIS2.

Directive (EU) 2022/2555, or the NIS2 Directive, is a regulatory framework to strengthen and harmonize cybersecurity within the European Union (EU). The Directive requires companies like yours to implement specific measures to protect their information systems, services, and data. This comprehensive guide provides easy-to-understand suggestions and step-by-step instructions on complying with the NIS2 Directive and the costs associated with each meaningful change you would implement in your processes and technologies.

Keep in mind that restructuring your whole IT will take time. One of the most critical things to understand is that the project could take anywhere between six and twelve months. The six-month figure applies only if your IT department has the people and tooling to spend an extra two hours on cybersecurity alone every working day for those six months.

It is more realistic to plan for at least a year of arduous work if not more.

As an example of the complexity you might be looking at, here is a cybersecurity architecture diagram developed by Robert Campbell from Assured Control, which clearly depicts every element that needs to be a part of your company’s defensive posture for you to comply with the directive fully:

[Figure: ESA Security Matrix ver 3, cybersecurity architecture diagram by Robert Campbell, Assured Control]

The first thing to start working on is improving the strategic leadership in your company when it comes to cybersecurity.

Strengthening Organizational Cybersecurity

Step 1: Hire a cybersecurity coordinator or team

Designate an individual or a team responsible for developing, implementing, and maintaining the organization’s cybersecurity strategies and policies. This could be an external team, such as a virtual CISO, or you could hire at least one full-time employee to serve as your CISO and build the rest of the security team around them. As a rough staffing rule, you will need approximately one cybersecurity employee per 100-150 full-time employees to have adequate defensive resources; the real number depends heavily on your industry and threat landscape.

Cost: Depends on the salary and training expenses of the designated coordinator or team members. The average salary of a CISO in the EU is € 70 000 to € 200 000 per year. A cybersecurity engineer could cost more if they have a specialized skill set, such as reverse engineering or digital forensics. You can extrapolate from there to the cost of an entire team. For example, a 5 000-employee company could need 10+ security experts to staff its SOC, 2+ experts on the incident response team, a couple of security experts to manage the other security products and solutions, and a CISO. Add to that the cost of hiring (the price of a headhunting service).

Step 2: Develop a comprehensive cybersecurity plan

Create a plan that includes the following:

  1. Access Control
  2. Audit and Accountability
  3. Awareness and Training
  4. Configuration Management
  5. Contingency Planning
  6. Identification and Authentication
  7. Incident Response
  8. Maintenance
  9. Media Protection
  10. Personnel Security
  11. Physical and Environmental Protection
  12. Planning
  13. Program Management
  14. Risk Assessment and Risk Management
  15. Security Assessment and Authorization
  16. System and Communications Protection
  17. System and Information Integrity
  18. System and Services Acquisition

These are the 18 control families of NIST SP 800-53 (Revision 4; Revision 5 adds PII Processing and Transparency and Supply Chain Risk Management, for 20). ISO/IEC 27001 Annex A organizes its controls differently but covers the same ground, so either framework can serve as the skeleton of a comprehensive cybersecurity plan.

Your cybersecurity plan should also include step-by-step instructions for implementing each security control category listed above. The document could span hundreds of pages for a large organization and at least 25-50 pages for a small, 10-50 employee company.

Cost: Time and resources needed for plan development, documentation, and maintenance.

Creating such a plan cannot happen without a prior comprehensive information security audit, which takes between two weeks and a month depending on the complexity of your IT infrastructure, the company headcount, and the threat landscape in your industry. A cybersecurity plan for a nuclear power plant would differ from one for a small 10-person startup.

Identifying and Assessing Risks

Step 1: Perform a risk analysis

Identify assets, threats, and vulnerabilities that could impact the organization’s information systems and services. Keep in mind that identifying those risks and vulnerabilities is a weekly process. If your team misses identifying a new vulnerability in your externally-facing systems, you could suffer a catastrophic security breach. Compliance with the (EU) 2022/2555 NIS2 directive is about making you secure in practice, not just compliant with the regulation.

Cost: Time and resources required for the risk analysis process, which may vary depending on the organization’s size and complexity. Add to that the cost of a vulnerability management system, especially one that can proactively patch vulnerable system components instead of just identifying their vulnerabilities.

Step 2: Conduct a risk assessment

Determine the likelihood and impact of various threats and calculate the overall risk for the organization.

Cost: Time and resources required for the risk assessment process, which may vary depending on the organization’s size and complexity.

Step 3: Develop risk management strategies

Create plans and measures to mitigate, prevent, or limit risks while considering the costs and benefits of these measures. Always include key stakeholders in the decision making process, or else you might end up implementing something which could negatively affect a single department or the entire business.

Cost: Time and resources required for strategy development, implementation, and maintenance, which may vary depending on the organization’s size and complexity.

Implementing Technical Security Measures

Step 1: Encrypt data

Use robust encryption algorithms to protect stored and transmitted data. Remember: encryption entails proper key management and access management. It also has to be usable; if the procedures are cumbersome, users will not follow them and will bypass the encryption requirement.

Cost: Software licensing fees for encryption solutions and potential hardware upgrades to support encryption. Employee training and mistakes made during the initial phases are also part of the costs.

Step 2: Manage identification and access control

Develop policies and procedures for access control, ensuring only authorized users have access to information systems and resources. Identity and access management is not an easy task; it may require continuous improvement across your entire IT estate to reach a good defensive posture.

[Figure: identity and access management diagram. Image source: Assured Control, Robert Campbell]

Cost: Software licensing fees for identity and access management solutions and the time and resources needed to develop and maintain policies and procedures.

Step 3: Implement antivirus and anti-malware protection

Use up-to-date antivirus and anti-malware software to protect information systems from malicious software and other threats.

Cost: Software licensing fees for antivirus and anti-malware solutions and potential hardware upgrades to support these solutions.

Step 4: Regularly update and patch vulnerabilities

Ensure software and operating systems are updated to prevent vulnerabilities that hackers and other malicious actors could exploit.

Cost: Time and resources required for regular updates and patches, as well as potential software licensing fees and hardware upgrades.

Developing Incident Management Procedures

You might think this is only about developing a set of digital forensics and incident response documents, but it is much more than that. We would say it is about creating an incident response capability in your company, which is to a document as ten years of martial arts training is to a martial arts brochure.

Step 1: Create an incident management plan

Define responsibilities and procedures for action in cybersecurity incidents, including identifying, classifying, recording, and reporting incidents.

Cost: Time and resources needed to develop, document, and maintain the incident management plan.

Step 2: Train staff

Provide training and guidance for staff on incident management procedures and create a security culture emphasizing cybersecurity’s importance.

Cost: Time and resources required for staff training and the development and maintenance of training materials.

Step 3: Test and exercise the incident management plan

Conduct regular tests and exercises to ensure the organization is prepared to handle cybersecurity incidents.

Cost: Time and resources required for conducting tests and exercises and potential costs for hiring external consultants or experts to assist with the process.

Collaborating and Sharing Information

Step 1: Engage with national cybersecurity authorities and other relevant institutions

Share information about threats, vulnerabilities, and incidents with national cybersecurity authorities and relevant institutions.

Cost: The time and resources needed to establish and maintain relationships with these institutions and share information.

Step 2: Participate in industry initiatives for information sharing and collaboration

Join relevant forums, associations, and information-sharing groups.

Cost: Membership fees for industry associations and forums and time and resources needed to participate in these initiatives actively.

Step 3: Adopt international standards and best practices

Follow recommendations from organizations such as ISO, NIST, and ENISA.

Cost: Time and resources required to research, adopt, and implement international standards and best practices, as well as potential fees for obtaining certifications or assessments from external auditors.

Monitoring and Reporting

Step 1: Monitor the cybersecurity landscape

Stay informed about emerging threats, vulnerabilities, cybersecurity trends, and regulatory developments.

Cost: Time, resources required for ongoing monitoring and analysis, and potential subscription fees for threat intelligence services or tools.

Step 2: Conduct regular security audits

Perform regular internal and external security audits to evaluate the effectiveness of implemented measures and identify areas for improvement.

Cost: Time and resources required for conducting audits and potential costs for hiring external auditors or consultants to assist with the process.

Step 3: Report incidents and compliance to relevant authorities

Adhere to the reporting requirements outlined in the NIS2 Directive. For significant incidents, Article 23 sets a staged timeline: an early warning to the CSIRT or competent authority within 24 hours of becoming aware of the incident, an incident notification within 72 hours, and a final report no later than one month after that notification. Build these deadlines into your incident management plan so the clock is tracked from the moment of awareness.

Cost: Time and resources required to prepare and submit reports, plus potential legal fees and penalties for non-compliance. NIS2 allows administrative fines of up to € 10 000 000 or 2 % of total worldwide annual turnover for essential entities, and up to € 7 000 000 or 1.4 % for important entities, whichever is higher.

Enhancing Governance and Management of Cybersecurity

Step 1: Establish a cybersecurity governance framework

Create a governance framework that outlines the roles, responsibilities, and decision-making processes related to cybersecurity within the organization.

Cost: Time and resources needed to develop and maintain the governance framework and potential consulting fees for external assistance.

Step 2: Monitor and measure the effectiveness of cybersecurity measures

Implement key performance indicators (KPIs) and other metrics to track the effectiveness of cybersecurity policies, procedures, and controls.

Cost: Time and resources required to develop and maintain the KPIs and metrics and potential costs for software tools or platforms for monitoring and reporting.

Step 3: Implement a continuous improvement process

Establish a process for regularly reviewing and updating the organization’s cybersecurity strategies and measures based on the results of the monitoring and measurement efforts.

Cost: Time and resources required to conduct reviews, implement updates, and maintain the continuous improvement process.

Building Awareness and Training Staff

Step 1: Develop a comprehensive security awareness program

Create a security awareness program that educates employees on their role in protecting the organization’s information systems and services and the potential risks and consequences of cybersecurity incidents.

Cost: Time and resources required to develop and maintain the awareness program and potential costs for creating training materials or hiring external trainers.

Step 2: Tailor training to specific roles and responsibilities

Provide role-specific cybersecurity training for employees based on their job functions and access to sensitive information.

Cost: Time and resources required to develop and maintain role-specific training materials and potential costs for external trainers or training platforms.

Step 3: Conduct regular phishing and social engineering tests

Perform tests to evaluate employees’ ability to recognize and respond to phishing and social engineering attacks, which are common tactics used by cybercriminals to gain unauthorized access to information systems.

Cost: Time and resources required to conduct tests and analyze results, as well as potential costs for hiring external consultants or using testing platforms.

Implementing Advanced Security Measures

Step 1: Adopt multi-factor authentication (MFA)

Implement MFA to enhance the security of user authentication processes and reduce the risk of unauthorized access.

Cost: Software licensing fees for MFA solutions, as well as potential hardware upgrades or additional costs for deploying MFA-compatible devices.

Step 2: Establish network segmentation and security zones

Divide the organization’s network into separate security zones, isolating sensitive systems and data from potential threats.

Cost: Time and resources required for network redesign, as well as potential costs for additional network equipment, software, or consulting services.

Step 3: Implement intrusion detection and prevention systems (IDPS)

Deploy IDPS solutions to monitor network traffic, detect potential threats, and prevent intrusions in real time.

Cost: Software licensing fees for IDPS solutions and potential hardware upgrades to support these solutions.

Step 4: Employ Security Information and Event Management (SIEM) systems

Use a SIEM to collect, analyze, and correlate security events and alerts from different sources, so that incident detection and response are centralized and an attack that touches several systems is visible as one pattern rather than as unrelated per-host noise.

Cost: Software licensing fees for SIEM solutions and potential hardware upgrades to support these systems.
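As an added example (not part of the original page or of any SIEM product), here is a minimal correlation rule of the kind a SIEM runs over authentication events from several hosts: five or more failed logins from one source IP within a five-minute window, followed by a successful login from that same IP, raises a "brute force followed by success" alert. The log format, thresholds, and sample events are all constructed for the example.

```python
"""Minimal SIEM-style correlation rule (added example, constructed data).

Rule: THRESHOLD or more FAIL events for one source IP within WINDOW seconds,
followed by an OK event from that IP, raises one alert. Failures are tracked
per source IP across all hosts, which is what a central SIEM adds over
per-host log review.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Assumed log line format (not a real product's format).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth: (?P<result>FAIL|OK) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed sample events: a password-spray from 198.51.100.7 against two
# hosts that ends in a successful login, plus a benign single typo from another IP.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z vpn1 auth: FAIL user=alice src=198.51.100.7
2024-05-01T10:00:02Z vpn1 auth: FAIL user=alice src=198.51.100.7
2024-05-01T10:00:03Z web1 auth: FAIL user=admin src=198.51.100.7
2024-05-01T10:00:04Z web1 auth: FAIL user=admin src=198.51.100.7
2024-05-01T10:00:05Z vpn1 auth: FAIL user=bob src=198.51.100.7
2024-05-01T10:00:20Z vpn1 auth: OK user=bob src=198.51.100.7
2024-05-01T10:05:00Z web1 auth: FAIL user=carol src=203.0.113.9
2024-05-01T10:05:30Z web1 auth: OK user=carol src=203.0.113.9
"""


def parse(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(
        tzinfo=timezone.utc
    )
    return ev


def correlate(lines, threshold=5, window=300):
    """Return a list of alert dicts for bursts of failures followed by success."""
    failures = defaultdict(deque)  # src IP -> deque of (ts, host, user) failures
    alerts = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        q = failures[ev["src"]]
        # Evict failures that fell outside the sliding window.
        while q and (ev["ts"] - q[0][0]).total_seconds() > window:
            q.popleft()
        if ev["result"] == "FAIL":
            q.append((ev["ts"], ev["host"], ev["user"]))
        elif len(q) >= threshold:
            alerts.append({
                "src": ev["src"],
                "user": ev["user"],              # account that finally succeeded
                "failures": len(q),
                "hosts": sorted({h for _, h, _ in q}),  # every host the burst touched
                "at": ev["ts"].isoformat(),
            })
            q.clear()  # one alert per burst, not one per subsequent login
    return alerts


def run_sample():
    """Run the rule over the constructed sample log."""
    return correlate(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

The single alert it produces names both vpn1 and web1: neither host on its own saw enough failures to look suspicious, which is exactly why correlation has to happen centrally. Tune `threshold` and `window` to your environment, and feed the alert into the incident management process described in the next section rather than leaving it in a dashboard.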

Step 5: Adopt a zero-trust security model

Implement a zero-trust security model, which assumes that all users, devices, and network traffic are untrusted by default and requires continuous verification and validation of access permissions and identities.

Cost: Time and resources required to develop and implement a zero-trust architecture, as well as potential costs for additional hardware, software, or consulting services.

Developing Incident Response and Business Continuity Plans

Step 1: Develop a comprehensive incident response plan

Create an incident response plan that outlines the steps to be taken during a cybersecurity incident, including roles and responsibilities, communication protocols, and procedures for containment, eradication, and recovery.

Cost: Time and resources required to develop and maintain the incident response plan and potential expenses for external assistance or training.

Step 2: Conduct regular incident response drills

Perform regular drills to test the effectiveness of the incident response plan and ensure that all stakeholders are familiar with their roles and responsibilities in the event of an incident.

Cost: Time and resources required to plan, execute, and analyze the results of drills, as well as potential costs for hiring external consultants or using simulation platforms.

Step 3: Establish a business continuity and disaster recovery plan

Develop a plan addressing the steps to restore critical business functions and services during a cybersecurity incident or other disruptive events.

Cost: Time and resources required to develop and maintain the business continuity and disaster recovery plan, as well as potential costs for external assistance, backup systems, or redundant infrastructure.

Step 4: Test and update the business continuity and disaster recovery plan

Regularly test the effectiveness of the business continuity and disaster recovery plan and update it as necessary to account for changes in the organization’s environment or potential threats.

Cost: Time and resources required to plan, execute, and analyze the results of tests, as well as potential costs for hiring external consultants or using simulation platforms.

Enhancing governance and management of cybersecurity involves a multi-faceted approach that addresses policy, awareness, advanced security measures, and incident response. While these steps may incur varying costs, investing in a robust cybersecurity strategy is essential to protect the organization’s assets and reputation and to ensure business continuity in the face of ever-evolving cyber threats.

Complying with Directive (EU) 2022/2555 NIS2 is essential for organizations operating within the European Union to ensure the security and resilience of their information systems, services, and data. By following the steps outlined in this comprehensive guide, organizations can implement robust cybersecurity measures while remaining compliant with the Directive. The costs associated with each stage will vary depending on the organization’s size and complexity, but investing in cybersecurity is crucial for protecting valuable assets, reducing potential damages from incidents, and maintaining trust with customers, partners, and regulators.
