NIS2 implementation tool

Automate risk analysis and create action plans in accordance with the NIS2 directive.

How to implement NIS2?
9 simple steps with the helpful RIG NIS Module

Follow a proven NIS2 implementation plan using the RIG NIS tool. It acts as your organisation’s NIS2 compliance and security management hub. It will facilitate your actions in 9 steps, most of which will be implemented directly in RIG NIS.

STAGE 1

Supply chain risk assessment and planning

In RIG NIS you perform automated analysis, estimation and action planning. You assess the risks in your organisation and develop a risk action plan, allowing you to implement NIS2 successfully and start the Deming PDCA (Plan-Do-Check-Act) cycle.

Supplier security assessment

Using RIG NIS, you send ready-made surveys to suppliers. Survey collection and the verification of contracts with ICT suppliers can already begin during the risk assessment.

Contracts with ICT suppliers

In this step, you draft addenda to contracts and negotiate them. In particular, you review contracts with those suppliers who provide business-critical services. In RIG NIS, you can keep a register of contracts to navigate your documentation better.

STAGE 2

Implementation of risk management plans

With the plans prepared in stage 1, you now begin to implement them, including implementing the appropriate safeguards and carrying out the relevant pentesting followed by training.

Implementation of an ICT incident assessment process

In RIG NIS, you prepare a register of incident information to assist you in reporting to the CSIRT.

Record keeping

In the RIG NIS repository, you create a complete file of the contracts and tasks that document your supplier relationships. A single repository of supplier information makes reporting to the CSIRT more convenient.

In RIG NIS, you record every document relevant to risk management.

With the plans prepared in the previous stage, it is easy for you to enforce strategy and plans tailored to your organisation’s needs, enabling effective implementation.

STAGE 3

Information sharing

In RIG NIS, you can continuously develop your team’s competencies through training. You build the resilience of your organisation through risk management knowledge, which is transferred between departments during NIS2 implementation. RIG NIS organises collaboration and information sharing.

Reporting

In RIG NIS, you can generate reports for the management board, the supervisory board and the CSIRT.

Gap analysis

You verify compliance based on the prepared processes in RIG NIS. You have repeatable processes stored in the tool, consisting of tasks derived from NIS2 directive requirements. You can see how gaps affect your risk assessment.

If you want to learn more about the product, details related to the subscription, price, access or have other questions, register!

Pillars of the NIS2 Directive

RIG NIS supports you in meeting each of the mandatory pillars of the directive. In the tool, you will fully implement 4 areas of your responsibility and streamline the other 2.

ICT risk management

In RIG, you can do everything with the help of automation:

  • Process mapping
  • Asset inventory
  • Risk assessment and analysis
  • Risk treatment

Supply chain suppliers

Use the pre-prepared surveys and registers to carry out tasks:

  • Supplier qualification
  • Supplier register
  • Supplier risk assessment

Serious incident reporting

Use the ready-made registers and carry out the related activities, i.e.:

  • Incident recording
  • Qualification
  • Reporting (in RIG this is automated).

Information sharing

Share information and demonstrate in RIG that you are fulfilling this duty.

  • Monthly live online RIG risk management training for all users, with permanent access to recordings of the training delivered.
  • Q&A for users.

Operational digital resilience testing

By integrating RIG with resilience testing tools, you combine data from resilience tests with identified vulnerabilities. In this way, you fulfil the responsibility of performing:

  • Penetration testing
  • Vulnerability scans.

You gain a detailed risk measurement.

Documentation

Develop a register of contracts in the RIG system. In addition, the RIG document archive can store:

  • Digital resilience strategy
  • A strategy to address risks from external suppliers in the supply chain
  • All policies and procedures.

Reporting

Internal and external reporting is very important; your goal is to be able to demonstrate and account for compliance.
Generate in RIG NIS:

  • Analytical reports
  • Workflow – check the progress of work.

See how each of the NIS2 pillars can be managed in the RIG NIS module

FAQ

Who is affected by NIS2?

NIS2 expands the scope of regulated entities to include not only digital service providers, but also essential and important entities in sectors such as energy, transport, health and digital infrastructure.

What are the main responsibilities of an entity regulated by NIS2?

Entities must implement appropriate risk management measures that cover both technical and organisational aspects. This requires, among other things, conducting risk assessments, monitoring incidents and ensuring supply chain security.

Do you need to keep a register of ICT suppliers?

There is no formal obligation to maintain a register of ICT suppliers, but entities should document relationships with suppliers, particularly in the context of security and risk management.

What are the deadlines for implementing NIS2?

The NIS2 Directive entered into force on 16 January 2023, and Member States must implement it into their national legislation by 17 October 2024.

What documents can help with the NIS2 implementation?

Entities may use documents published by ENISA, such as the ‘Set of Good Practices for Supply Chain Security’, which offer practical guidance on supply chain risk management.

What are the best practices for conducting risk assessments in compliance with NIS2?

Carefully identify the IT assets that are critical to the organisation’s operations and the potential threats that may affect them. Apply risk analysis methods to determine the likelihood of different types of incidents and their potential impact on business continuity. Create risk management plans that address different threat scenarios and define appropriate security measures to minimise potential damage. Implement technical and organisational security measures proportional to the identified risks, such as access control mechanisms, systems monitoring and supply chain security. Carefully document all stages of your risk assessment, including security policies, incident response procedures and business continuity plans. This will help maintain NIS2 compliance and facilitate future audits.

Staff training. Conduct regular staff training on security policies and incident response procedures to ensure that employees are aware of threats and know how to respond. Perform regular reviews of risk assessments and update them in response to changing threats and an evolving IT infrastructure.

Cooperation with suppliers. Maintain a close relationship with your ICT service providers to ensure that they too have appropriate security measures in place and are aware of supply chain risks. Develop incident management procedures to enable quick identification, response and reporting of security incidents.

You can implement most of the cited risk assessment good practices with the RIG NIS tool. Consider using RIG NIS or other dedicated risk management tools that can help you automate your processes and make your risk assessment activities more efficient.
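As an added illustration (it is not RIG NIS code and is not part of the original page), the following Python sketch shows how the practices in this answer fit together in a minimal risk register: assets and threats are rated on 1–5 likelihood and impact scales, a supplier questionnaire is scored and feeds the likelihood of a supplier-failure risk, and the ranked register becomes a treatment plan for the owners named in it. The scales, thresholds, question weights and all sample data are assumptions chosen for the example, not values mandated by NIS2.

```python
"""Minimal NIS2-style risk register with supplier survey scoring (illustrative)."""
from __future__ import annotations
from dataclasses import dataclass, field

# Assumed ordinal scales: likelihood and impact 1..5, score = likelihood x impact (max 25).
TREATMENT_THRESHOLD = 10   # assumed: scores >= 10 require a treatment action
CRITICAL_THRESHOLD = 16    # assumed: scores >= 16 are escalated to the management board


@dataclass
class Risk:
    asset: str                  # business-critical asset or service
    threat: str                 # threat scenario affecting the asset
    likelihood: int             # 1 (rare) .. 5 (almost certain)
    impact: int                 # 1 (negligible) .. 5 (severe)
    owner: str                  # person accountable for treatment
    controls: list[str] = field(default_factory=list)  # safeguards already in place

    def __post_init__(self) -> None:
        for name, value in (("likelihood", self.likelihood), ("impact", self.impact)):
            if not 1 <= value <= 5:
                raise ValueError(f"{name} must be between 1 and 5, got {value}")

    @property
    def score(self) -> int:
        return self.likelihood * self.impact

    @property
    def level(self) -> str:
        if self.score >= CRITICAL_THRESHOLD:
            return "critical"
        if self.score >= TREATMENT_THRESHOLD:
            return "high"
        return "acceptable"


# Constructed supplier questionnaire: yes/no question -> weight.
SUPPLIER_QUESTIONS = {
    "has_incident_notification_sla": 3,
    "has_business_continuity_plan": 3,
    "performs_annual_pentest": 2,
    "patches_critical_vulns_within_30_days": 2,
}


def supplier_score(answers: dict[str, bool]) -> int:
    """Weighted percentage of questions answered 'yes' (0..100)."""
    total = sum(SUPPLIER_QUESTIONS.values())
    achieved = sum(w for q, w in SUPPLIER_QUESTIONS.items() if answers.get(q, False))
    return round(100 * achieved / total)


def supplier_risk_likelihood(score: int) -> int:
    """Assumed mapping from survey score to register likelihood: 100 -> 1, 0 -> 5."""
    return max(1, 5 - score // 25)


def supplier_risk(name: str, answers: dict[str, bool], impact: int, owner: str) -> Risk:
    """Build the register entry for 'supplier unable to deliver service'."""
    return Risk(name, "Supplier unable to deliver service",
                supplier_risk_likelihood(supplier_score(answers)), impact, owner)


def action_plan(register: list[Risk]) -> list[Risk]:
    """Risks needing treatment, highest score first (ties broken by asset name)."""
    return sorted((r for r in register if r.score >= TREATMENT_THRESHOLD),
                  key=lambda r: (-r.score, r.asset))


# Constructed sample data.
SAMPLE_SUPPLIER_ANSWERS = {
    "has_incident_notification_sla": True,
    "has_business_continuity_plan": True,
    "performs_annual_pentest": False,
    "patches_critical_vulns_within_30_days": False,
}

SAMPLE_REGISTER = [
    Risk("Customer billing system", "Ransomware", 3, 5, "IT operations", ["offline backups"]),
    Risk("HR portal", "Phishing credential theft", 4, 2, "HR", ["MFA"]),
    Risk("Grid telemetry", "Unpatched vulnerability exploited", 4, 5, "OT lead"),
    supplier_risk("Managed SOC provider", SAMPLE_SUPPLIER_ANSWERS, impact=4, owner="CISO"),
]

if __name__ == "__main__":
    for r in action_plan(SAMPLE_REGISTER):
        print(f"{r.level:>10}  {r.score:2d}  {r.asset} / {r.threat}  -> owner: {r.owner}")
```

Running the block prints the treatment plan in priority order; the supplier entry is included only because its questionnaire score (60 of 100) maps to a likelihood of 3, which with an impact of 4 crosses the assumed treatment threshold. Documenting the scales and thresholds alongside the register is what makes the resulting plan auditable.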

What is supplier relationship management according to NIS2?

Supplier relationship management in the context of NIS2 is a key element in ensuring supply chain security and mitigating information security risks. Here are the main aspects of this management:

  • Entities should conduct detailed risk assessments of their ICT service providers. This includes analysis of security practices, product and service resilience and compliance with applicable standards. In particular, essential and important entities should assess the overall quality and resilience of suppliers’ products and their cyber security practices.
  • Appropriate cyber security risk management measures should be included in contracts with suppliers. This means that organisations must clearly define the security requirements that suppliers must meet.
  • Organisations should monitor and audit suppliers on a regular basis to ensure that they comply with established security standards. This may include conducting security audits and assessing the effectiveness of implemented security measures.
  • In the context of supplier relationships, entities should create business continuity plans that address potential supplier-related incidents. They should be prepared for situations where suppliers may not be able to provide services due to security incidents.
  • Maintaining open communication with suppliers is crucial. Entities should regularly share information on threats, incidents and security best practice.
  • All supplier relationship management activities should be carefully documented. This includes the results of risk assessments, audits and any security findings.