The NIS2 Directive is a new playing field for cybersecurity and risk. Structure, management and system support will be crucial to future-proof your business. Here, Stratsys expert Per Gustavsson presents five steps to get your organization ready for the legislation.
In July 2023, the EU NIS2 Directive came into force, and it will be implemented in Swedish law in the form of the new Cybersecurity Act, probably by the end of 2025. The directive is a response to a rapidly changing threat landscape in which cyberattacks are no longer just an IT problem. They have become a business-critical threat with potentially society-wide consequences.
NIS2 - a Strategic Issue for Management
NIS2 differs from its predecessor, NIS, in several key ways. With requirements such as management accountability and rapid incident response, compliance with the new legislation is a business-critical issue. So how does it actually differ from previous legislation?
Per Gustavsson is CISO at Stratsys and a specialist in information security:
- NIS2 has a much broader scope than NIS. It covers both critical and important actors in everything from energy, water, transportation and healthcare to digital infrastructure and the public sector.
- Another difference is that many private companies will be covered. The criteria are no longer just based on area of activity but also size. Often it is a relevant sector, at least 50 employees and a turnover of over €10 million.
Per says this makes NIS2 a strategic issue. In large organizations, cybersecurity can no longer be seen as a matter for the IT department, but as a strategic responsibility for the entire management. Companies that fail to act not only risk regulatory action and penalties. They also risk losing the trust of customers, investors and society at large.
Per Gustavsson, CISO at Stratsys
Roadmap for Compliance
Although many organizations already have good security practices in place, NIS2 sets new requirements. Simply put, NIS2 raises the bar for information security efforts. It doesn't just require technical safeguards - it requires documented governance, clear accountability and traceable reporting. If your organization lacks a well-developed plan, there is a significant risk of missing crucial parts of the directive's requirements.
According to Per, a clear roadmap is business-critical to meet the requirements of the new legislation. He points to several reasons for this:
- Stricter requirements for management accountability. Boards and senior management are expected to understand the risks and be able to demonstrate compliance. Ignorance is no longer an excuse.
- Incident reporting within 24 hours. The organization must have processes in place to identify, analyze and report incidents in a timely and accurate manner.
- The supply chain is included. The requirements apply not only to the organization itself, but to suppliers and partners.
- Risk of penalties. The EU has opened the door to high fines - up to €10 million or 2% of global turnover for serious non-compliance.
In other words, the question is not whether it is a good idea to comply. It's a question of how fast and structured it can be done.
Five Steps to Compliance
A comprehensive regulatory framework such as NIS2 places great demands on the organization and its ability to operate effectively. So how should this be done?
- It's not least about finding an iterative and systematic way to implement the measures, says Per. Actions range from mapping, gap analysis and policies, to anchoring in management and assigning responsibilities. Not to mention continuous monitoring and improvement.
Per outlines the key steps for your roadmap - based on established GRC logic but adapted for NIS2:
- Map assets and systems
Identify which systems, services and information resources are most critical. Documentation must demonstrate a clear understanding of which assets need to be protected - and why. Involve the business early in the process - they know what is really business critical.
- Conduct risk analysis and gap analysis
Identify where you are already compliant and where there are gaps. NIS2 lists ten specific security measures. A well-conducted gap analysis provides a clear list of priorities: what needs to be updated, what needs to be implemented and where new resources are needed.
- Update policies and processes
Update policies on, for example, information security, incident management and supplier controls. Clarify reporting routes in case of incidents. Document procedures for control, follow-up and responsibilities. Remember that it is not just about having documents, but about living by them.
- Anchor in management and allocate responsibility
Management has an explicit responsibility. Board, CEO, CISO, CIO - everyone needs to understand their role in proactive cybersecurity. Make clear who is responsible for what - both strategically and operationally. Also ensure that management receives regular follow-up and risk reporting.
- Implement continuous monitoring and improvement
NIS2 is an ongoing process. Therefore, you need to establish mechanisms for continuous monitoring and improvement. This could include management dashboards, regular policy reviews, internal audits, or documentation of actions, deviations and suggestions for improvement.
The Role of the Platform for Effective Governance
Excel lists, email threads and ad hoc interventions quickly become unworkable in a large organization. Therefore, strong system support is not only a tool but a strategic enabler.
According to Per, a modern GRC platform makes it possible, among other things, to:
- Gather all documentation in one place.
- Manage risk and gap analyses in a structured way.
- Automate reminders, reporting and follow-up.
- Visualize status for management and supervisory authorities.
- Simplify internal collaboration between CISO, IT, risk, operations and management.
Tip
The Stratsys GRC platform provides a complete structure to meet NIS2 - in terms of everything from risk assessment and governance to reporting and follow-up. All in one place, customized for your organization.
Future-Proof your Organization - Today
Building a roadmap for NIS2 is not just a way to meet legal requirements. It's an investment in long-term sustainability, security and credibility, according to Per:
- Those organizations that already today map their assets, set the right structure and use system support that simplifies compliance will be stronger. Not only to cope with supervision, but to meet the challenges of the future.