Page 60 - Cyber Defense eMagazine January 2024
The new regulatory framework will also deliver:
• Harmonisation of the implementation of the Directive across Europe, with more precise regulations.
• Stronger overall security, with strict and proportional criteria depending on the categorisation of the given organisation as an essential or an important entity.
• Increased responsibility and powers of supervision, control, and sanction for the Member States to ensure proper implementation of these measures.
• A delegation of this responsibility to businesses, which must manage their own risks.
The question businesses therefore now face is how to meet these compliance challenges quickly and
with minimal disruption.
This is frustrated by the fact that currently, no binding measures have yet been taken (other than
notification of contact persons, incident reporting procedures and the potential sharing of information).
The Member States are currently in the process of transposing the directive at national level.
However, there are elements that must be considered, based on NIS 1.
• A governance policy must be in place to ensure adequate risk management. This needs to include audit, risk analysis, security indicators, accreditation, and mapping.
• The consideration of key protection elements in relation to security policies linked to the architecture itself: this needs to account for administration, access, and maintenance.
• Appropriate and reinforced detection measures, as well as incident response and management measures, must be in place to maintain business continuity in a crisis should a cyber attack occur.
NIS 2 considers these areas, but there is a delay for details at European and national level, particularly
in terms of integration with other legislation.
However, it is possible to translate these demands into a workable strategy to begin now. There are five
pillars to consider:
• Identifying and protecting against the risks
• Protecting data and sensitive information
• Investing in or strengthening cybersecurity technologies
• Implementing incident management and CSIRT notification measures
• Training and awareness-raising for employees
Primarily, it is essential to develop, enhance or maintain complete visibility of the information system.
This means an inventory and mapping of all assets and user behaviours on the network.
Copyright © 2024, Cyber Defense Magazine. All rights reserved worldwide.