PONT Data&Privacy
NIS2 directive: these are the 13 cybersecurity requirements

You will soon be legally required to meet these 13 cybersecurity requirements, and these five steps will make your organization compliant and keep it that way.

March 29, 2024

After reading this article:

  • you will know what 13 legal requirements your organization must meet by October 2024. 

  • you will know the 5 steps to become and remain NIS2 compliant. 

Organizations that are essential or important to society as well as their suppliers are required to secure systems and processes against cyber attacks. Think of health care, transportation and energy providers. But also government services, food organizations, water management companies and IT providers. The European Union has therefore drafted the Network and Information Systems Directive (NIS2). This directive obliges organizations to have their security measures in order and to demonstrate that they meet the set requirements. The directive is currently being transposed into Dutch legislation that is expected to take effect in October 2024. Although the requirements have not yet been formalized into national legislation, the direction is clear and the parallels with existing frameworks and good practices such as ISO 27001 are obvious. 

The 13 NIS2 requirements  

We divide the NIS2 requirements into Training Duty (1), Duty of Care (2-12) and Reporting Duty (13). 

Training requirement

1. Training board
Directors, commissioners and supervisors should undertake training that will give them sufficient knowledge and skills to recognize cybersecurity risks and assess their impact on the services the organization provides. 

Duty of Care 

2. Periodic risk analysis
You must conduct periodic risk analyses with respect to cybersecurity and demonstrate that measures are taken based on the results to improve security.
This should be part of the overarching risk management process in which follow-up steps are determined to bring risks to acceptable levels appropriate to the organization and risk appetite.

3. Cyber Incident Follow-up Process
Your organization must have a process in place to appropriately follow up cyber incidents.
The cyber incident follow-up process (Incident Response Plan) aims to respond to an incident as quickly as possible and minimize its impact. The process includes detecting, analyzing and reporting incidents, as well as taking action to identify and remedy the cause of the incident.

4. Business Continuity Plans
Policies, procedures and measures that will ensure the continuity of your organization in the event of unforeseen circumstances or emergencies are required.
These include: identification of critical processes, maintenance and restoration of these processes with, for example, backup management, contingency facilities, incident response plans and testing of the plans in the event of an emergency.

5. Visibility of supplier cybersecurity
Visibility into, and tracking of, the cybersecurity posture of your suppliers is an important part of NIS2. The process includes evaluating suppliers' cybersecurity, monitoring their activities and taking appropriate action when vulnerabilities are found.

6. Secure network and information systems
Ensure cybersecurity structurally in acquisition, development and maintenance of network and information systems. To ensure the confidentiality, integrity and availability of information and minimize the risks of cyber attacks, implement adequate security measures such as firewalls, intrusion detection and prevention systems, advanced authentication methods and monitoring the network and systems for potential threats.

7. Full visibility into the attack surface, including (sub)domain names
Your organization's ICT environment may be larger than what you have visibility into. The Internet often not only holds all kinds of information about the organization and its employees, but may also expose forgotten IT assets. Over time, for example, applications or systems may have been made temporarily accessible to employees, customers or suppliers and never decommissioned, the remote-access environment may not be securely configured, ports may be left open, or software may be unpatched or out of date. You are therefore required to gain and maintain full visibility into your IT environment, including every domain and subdomain that resolves to it.


8. Management process for vulnerabilities
A vulnerability is a weakness or flaw in software, a network, an application or the ICT infrastructure that an attacker can exploit to gain unauthorized access or to damage the system. Vulnerabilities come in various forms, including software bugs, design flaws, misconfigurations and weak authentication mechanisms. They are among the biggest causes of cyberattacks and are exploited for ransomware, data theft and the disruption of systems. To manage them, organizations should use a combination of technical and operational measures designed to identify and mitigate vulnerabilities. This may include vulnerability scanners, security audits, patch management and penetration testing.

9. Evaluation process for cybersecurity measures
An Information Security Management System (ISMS) is a structured and documented system that helps organizations manage their information security and assess and improve the effectiveness of their security measures. The ISMS includes evaluating the security measures against the latest cybersecurity developments, testing the measures and taking steps to remedy any weaknesses found.

10. Policy on encryption
An encryption policy ensures that all sensitive and confidential customer and employee information is properly protected. This is done by encrypting data in transit and at rest, using strong passwords and restricting access to sensitive information to authorized individuals only. The policy applies to all systems and devices used by the organization, including laptops and mobile devices. Its purpose is to safeguard the privacy and security of sensitive information and to comply with legal data-security requirements.

11. User Access Procedures
A logical access security procedure ensures that only authorized employees have access to systems, applications and data required for their work. This is done by assigning unique user names and strong passwords, restricting access to only that information needed to perform the work, and using multi-factor authentication where appropriate. The procedure applies to all systems and applications used by an organization, including the network and mobile devices.

12. Multifactor authentication process
The multifactor authentication process is an additional layer of security used to protect access to sensitive information. The process requires users to identify themselves with two or more different forms of authentication, such as a password combined with a token, biometrics or a smart card. The purpose of the multifactor authentication process is to ensure the confidentiality and integrity of sensitive information and prevent unauthorized access. 

Reporting requirement

13. Incident reporting process to the supervisory authorities
The reporting process ensures that incidents and security breaches are reported to the appropriate supervisory authorities as soon as possible. The process includes identifying which incidents must be reported, collecting the relevant information and submitting the reports to the relevant regulators. The directive itself sets the pace: significant incidents require an early warning within 24 hours of becoming aware of them, a fuller notification within 72 hours, and a final report within one month.
