Marko Leppänen   |   28.02.2024

NIS2 Directive: A Cybersecurity Checklist for CISOs

What do you need to ask within your organization about NIS2?

As organizations prepare for the impending NIS2 Directive, there are many areas to assess when verifying that your organization will comply with the NIS2 requirements. The natural first question is whether or not your business falls within the scope of NIS2. An organization that is required to comply but fails to acknowledge and understand the extent of the directive's coverage exposes itself to non-compliance, risks, and eventually penalties.

To assist in this important task, here are a few key questions to ask within your organization.

1. Leadership and Accountability: Is the corporate leadership aware of and committed to their responsibilities and obligations under NIS2?

This question relates to the commitment and understanding of the organization's leadership towards their responsibilities under the NIS2 Directive. A committed and aware leadership team is the key to fostering a culture of cybersecurity within the organization. Without leadership commitment, the likelihood of securing appropriate resources to reach NIS2 compliance is slim.

2. Risk Assessment: Is a comprehensive cybersecurity risk assessment in place?

This question pertains to the organization's understanding and management of cybersecurity risks. A comprehensive cybersecurity risk assessment identifies potential vulnerabilities, threats, and the potential impact of these threats. It serves as the foundation for developing appropriate cybersecurity measures and strategies. Without a thorough risk assessment, the organization is likely to fail to address key risks.

3. Implementation of Security Measures: Are technical and organizational security measures up-to-date and compliant with NIS2 requirements?

The reason behind this question is to verify the organization's ability to protect its digital infrastructure and data. Ensuring that technical and organizational security measures are up-to-date and in compliance with NIS2 requirements is crucial to prevent cybersecurity incidents and breaches. Outdated or non-compliant protective measures leave the organization at risk of non-compliance penalties and exposed to devastating cyber-attacks.

4. Cooperation and Reporting: Is a procedure in place for cooperation with national cybersecurity authorities?

The organization’s ability to effectively communicate and collaborate with national security authorities in case of serious incidents is a requirement. A well-defined procedure for such cooperation is crucial for timely and efficient incident management. It is also a key requirement of NIS2. Lacking these procedures puts the organization at risk of non-compliance with NIS2 requirements, exposes it to reputational damage, and may lead to potentially severe cybersecurity breaches.

5. Training and Awareness: Is adequate training provided and security awareness fostered within the organization?

This question highlights the importance of the organization's cybersecurity culture. Adequate training and awareness about cybersecurity ensure that staff understand the importance of cybersecurity and accept their role in maintaining it. This not only helps in preventing potential cyber threats but also ensures that staff can identify and respond appropriately to incidents.

6. Third-party Risk Management: Have cybersecurity risks associated with third parties - such as suppliers and subcontractors - been evaluated and managed?

This question pertains to how the organization manages cybersecurity risks associated with third parties. These external entities could potentially introduce cybersecurity vulnerabilities into the organization. Evaluating and managing these risks ensures that trusted outsiders and third parties do not compromise the overall cybersecurity of the organization.

7. Readiness and Recovery Plans: Are there plans and capabilities to respond and recover from cybersecurity incidents?

This question examines the preparedness of the organization to respond to and recover from incidents. Robust plans and capabilities for incident response and recovery are essential in minimizing the impact of breaches and maintaining business continuity. Without these plans and preparation, the organization may face extended downtime, data loss, reputational damage, and potential non-compliance with NIS2.

These questions will help you assess your organization’s readiness for the NIS2 Directive and identify gaps or areas for improvement. Should there be serious gaps in the aforementioned areas, the organization might fail to meet NIS2 requirements, leading to potential non-compliance risks and penalties.

There is still enough time to start the work and get ready. If you need any help, feel free to contact me: marko.leppanen[at]fujitsu.com.

Marko Leppänen

Director, Customer Solutions and Portfolio