Introduction
The Network and Information Security Directive 2 (NIS2, Directive (EU) 2022/2555) reaches its transposition deadline this week, on October 17, 2024: by that date every EU Member State must have the national laws that implement it in place. This landmark EU cybersecurity directive is designed to enhance the resilience of critical sectors across Europe by raising the bar for cybersecurity standards. With the deadline this close, it is essential to confirm that your organisation is prepared.
What Is NIS2?
NIS2 is the European Union's latest effort to strengthen cybersecurity across the region, replacing and expanding upon the original NIS Directive (Directive (EU) 2016/1148). It introduces updated legal measures to help organisations across the EU tackle the fast-evolving landscape of cyber threats. Because it is a directive rather than a regulation, it takes effect through national law, which is why the details differ from one Member State to another.
This directive applies to a wide range of industries, focusing specifically on the protection of essential services (such as energy, transport, health, and finance) and critical infrastructure. The goal is to ensure that vital sectors remain secure and functional, even in the event of cyber incidents.
Key Focus Areas of NIS2
Essential and Important Entities: The directive lists sectors of high criticality (Annex I) and other critical sectors (Annex II) and classifies in-scope organisations as Essential or Important entities according to the sector they operate in and their size. This distinction reflects the level of societal impact these sectors have: Essential entities are subject to proactive (ex-ante) supervision and the higher tier of penalties, while Important entities are supervised reactively (ex-post) with lower maximum fines.
Incident Reporting: In-scope entities must report significant incidents to their national CSIRT or competent authority on a staged timeline: an early warning within 24 hours of becoming aware of the incident, an incident notification within 72 hours, and a final report within one month. The aim is timely response and mitigation, so these reporting paths need to exist before an incident, not be improvised during one.
Who Needs to Comply?
While NIS2 affects a broad range of industries, not every organisation is required to comply. The directive primarily targets medium and large-sized organisations (in EU terms, 50 or more staff or more than EUR 10 million in annual turnover or balance sheet total) operating in the listed sectors across EU Member States. However, even smaller entities can be brought into scope if they are critical to their sector, for example as the sole provider of a service in a particular country, or if they fall into categories the directive covers regardless of size, such as certain digital infrastructure providers and public administration bodies.
The impacted sectors are those listed in Annex I (sectors of high criticality, including energy, transport, banking, health and digital infrastructure) and Annex II (other critical sectors) of the directive.
For a detailed breakdown of affected sectors and organisations, I recommend reviewing your specific region's guidelines on NIS2 compliance, as the exact implementation details can vary from country to country.
What You Should Do Now
With the compliance deadline just days away, now is the time to double-check your organisation’s cybersecurity readiness:
Review the NIS2 criteria: Ensure your organisation understands the obligations based on your industry and size. Are you classified as Essential or Important? Are your incident reporting mechanisms in place?
Strengthen cybersecurity practices: Even if your organisation falls outside the scope of NIS2, prioritising strong cybersecurity hygiene is always a good practice, especially given the rising cyber threat landscape.
Seek expert guidance: Since compliance guidelines and penalties may vary across different EU member states, it’s crucial to consult local experts to ensure your organisation meets all the necessary requirements.
Microsoft Compliance Manager
If you're looking to ensure compliance with NIS2, Microsoft Compliance Manager can be a powerful tool to guide you through the process. As I discussed in a previous post, this platform offers a comprehensive compliance solution by providing built-in assessments, templates, and control mappings.
For those specifically working to meet NIS2 requirements, Compliance Manager includes controls tailored to this directive, allowing you to assess your tenant against the necessary standards. This means you can track your organisation’s progress, identify gaps, and receive recommendations directly within your Microsoft 365 environment.
Creating an assessment in Compliance Manager
Creating an assessment in Compliance Manager is a simple process.
Step 1: Navigate to purview.microsoft.com > Solutions > Compliance Manager > Assessments, then click on Add assessment.
Step 2: In the Select regulation field, search for and select NIS2.
Step 3: Choose the NIS2 Directive, click Save, and then select Next.
Step 4: Name your assessment (you can use the default "NIS2 Directive (EU) 2022/2555 Assessment") and choose your assessment group, then click Next.
Step 5: Ensure Microsoft 365 is listed as the selected service, and click Next.
Step 6: Click Create assessment.
Once the assessment is created, it may take some time (up to 24–48 hours) for the automatically detected controls to appear in the portal.
Note: The NIS2 assessment for Microsoft 365 can be a bit generic, concentrating mainly on Microsoft's responsibilities and non-technical controls. For a more thorough view of your organisation's compliance, it’s advisable to include the ISO 27001, NIST, and, if you're based in the EU, the GDPR assessment templates, along with any other relevant industry- or country-specific assessments. This will provide a more well-rounded evaluation of your compliance posture.
These additional templates provide a broader overview and ensure that many technical controls are automatically detected, giving you a more complete assessment. At the Microsoft 365 E5 license level, there are 383 assessments available, but the regulations accessible by default will vary based on your licensing agreement. Microsoft's Compliance Manager documentation covers how assessments work and lists the full set of available regulations.
Conclusion
October 17, 2024, is almost here, and with it comes the enforcement of NIS2. Whether you're in an Essential or Important sector, or even if you aren’t directly impacted, now is the time to ensure your cybersecurity defenses are robust. NIS2 is about securing the critical sectors that keep the EU running, and it’s vital that all organisations do their part to maintain the highest cybersecurity standards.
Don't wait - review your readiness today!