NIS 2 Compliance
Work in progress!
Directive (EU) 2022/2555 of the European Parliament and of the Council on measures for a high common level of cybersecurity across the Union, known as the NIS 2 Directive for short, mandates sound cybersecurity practices for crucial organizations, such as public administration, energy, finance, healthcare, infrastructure and many others. Affected organizations are expected to establish risk management practices, implement business continuity measures, and report cybersecurity incidents. It is part of the broader cybersecurity initiative of the European Union.
Being a legislative act, NIS 2 is not very specific when it comes to technical details. The only "technical" description in the normative part of the directive is Article 21, which lists the following 10 cybersecurity measures to implement:
- policies on risk analysis and information system security;
- incident handling;
- business continuity, such as backup management and disaster recovery, and crisis management;
- supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers;
- security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure;
- policies and procedures to assess the effectiveness of cybersecurity risk-management measures;
- basic cyber hygiene practices and cybersecurity training;
- policies and procedures regarding the use of cryptography and, where appropriate, encryption;
- human resources security, access control policies and asset management;
- the use of multi-factor authentication or continuous authentication solutions, secured voice, video and text communications and secured emergency communication systems within the entity, where appropriate.
The directive repeatedly refers to best practice and international standards. The ISO/IEC 27000 series is explicitly mentioned in Recital 79.
Even though the normative part of the NIS 2 Directive is technologically vague, there are some interesting details in the recitals. Recital 51 encourages the use of innovative technologies, including AI. Recital 52 endorses the use of open source technologies. Recital 89 explicitly mentions identity and access management (IAM).