Learn about consistent risk management in compliance with NIS2
Explore your organisation’s cyber security information in one tool, but from multiple angles – information security, business continuity and data protection.
Manage risk dynamically through assessment, planning and analysis to implement the requirements of the NIS2 Directive effectively. In doing so, you ensure a consistent approach to ICT risk management, in line with the cybersecurity risk-management principles the NIS2 Directive requires.
Pillars of the NIS2 Directive
RIG NIS supports you in meeting each of the directive's mandatory pillars. Of the six pillars, four areas of your responsibility are implemented fully within the tool, and the remaining two are streamlined by it.
FAQ
Who is affected by NIS2?
NIS2 widens the scope of the original NIS Directive: beyond digital service providers, it covers essential and important entities in sectors such as energy, transport, health and digital infrastructure.
What are the main responsibilities of an entity regulated by NIS2?
Entities must implement appropriate and proportionate cybersecurity risk-management measures covering both technical and organisational aspects. This includes, among other things, risk analysis and information system security policies, incident handling, supply chain security, and the reporting of significant incidents to the competent authority or CSIRT.
Do you need to keep a register of ICT suppliers?
NIS2 itself imposes no explicit obligation to maintain a register of ICT suppliers. It does, however, require supply chain security measures that address the relationship between the entity and its direct suppliers and service providers, so in practice an entity should document who its suppliers are, what they provide and how the associated risk has been assessed. (The separate DORA Regulation, which applies to financial entities, does require a register of information on ICT third-party providers.)
What are the deadlines for implementing NIS2?
The NIS2 Directive entered into force on 16 January 2023. Member States had to transpose it into national legislation by 17 October 2024, and its measures apply from 18 October 2024, the date on which the original NIS Directive was repealed.
What documents can help with the NIS2 implementation?
Entities may use documents published by ENISA, such as the ‘Set of Good Practices for Supply Chain Security’, which offer practical guidance on supply chain risk management. For entities in the digital infrastructure and ICT service management sectors, the technical and methodological requirements laid down in Commission Implementing Regulation (EU) 2024/2690 and ENISA's accompanying technical implementation guidance are also directly relevant.
What are the best practices for conducting risk assessments in compliance with NIS2?
- Asset and threat identification. Carefully identify the IT assets that are critical to the organisation's operations and the threats that may affect them.
- Risk analysis. Apply a risk analysis method to estimate the likelihood of different types of incident and their potential impact on business continuity.
- Risk treatment planning. Create risk management plans that address the identified threat scenarios and select security measures to minimise potential damage.
- Implementation of measures. Implement technical and organisational security measures proportionate to the identified risks, such as access control mechanisms, system monitoring and supply chain security.
- Documentation. Carefully document every stage of the risk assessment, together with security policies, incident response procedures and business continuity plans. This supports ongoing NIS2 compliance and makes future audits easier.
- Staff training. Conduct regular training of staff on security policies and incident response procedures so that they are aware of threats and know how to respond.
- Regular review. Review risk assessments periodically and update them in response to changing threats and an evolving IT infrastructure.
- Cooperation with suppliers. Maintain a close relationship with your ICT service providers to ensure that they too have appropriate security measures in place and are aware of supply chain risks.
- Incident management. Develop incident management procedures that enable quick identification, response and reporting of security incidents.
Most of the good practices listed above can be implemented with the RIG NIS tool. Consider using RIG NIS, or another dedicated risk management tool, to automate these processes and make your risk assessment activities more efficient.
What is supplier relationship management according to NIS2?
Supplier relationship management in the context of NIS2 is a key element in ensuring supply chain security and mitigating information security risks. Here are the main aspects of this management:
- Entities should conduct detailed risk assessments of their ICT service providers. This includes analysing the supplier's security practices, the resilience of its products and services, and its compliance with applicable standards. In particular, essential and important entities should assess the overall quality and resilience of suppliers' products and of their cybersecurity practices.
- Appropriate cyber security risk management measures should be included in contracts with suppliers. This means that organisations must clearly define the security requirements that suppliers must meet.
- Organisations should monitor and audit suppliers on a regular basis to ensure that they comply with established security standards. This may include conducting security audits and assessing the effectiveness of implemented security measures.
- In the context of supplier relationships, entities should create business continuity plans that address potential supplier-related incidents. They should be prepared for situations where suppliers may not be able to provide services due to security incidents.
- Maintaining open communication with suppliers is crucial. Entities should regularly share information on threats, incidents and security best practice.
- All supplier relationship management activities should be carefully documented. This includes the results of risk assessments, audits and any security findings.