Practical tips for midsized companies around NIS2 Compliance

Reading time: 5 min
Published: 06/06/2024
WithSecure

Introduction

Midsized companies should take practical steps now to comply with the new NIS2 Directive by the deadline of 17 October 2024. NIS2 is an update to the original NIS legislation and aims to strengthen the cyber resilience of the European Union by mandating specific security measures for companies classified as ‘essential’ or ‘important’.

One of the criticisms of the original NIS legislation was that it was broad in scope and vague about which organizations it affected. NIS2 addresses these problems: many previously-out-of-scope companies in the EU are now covered. This includes many smaller and midsized companies, for example those employing between 50 and 1,000 people.

Some midsized companies may struggle to become compliant with the new regulations—many need to build an entire cyber security function by October, all while facing limited budgets and resources.

Our webinar covers the NIS2 Directive and its aims in more detail.

The Challenges Facing Midsized Companies

The overarching challenge facing midsized companies is that, for many of them, cyber security has never been a priority; they will need to make serious changes in a short time to comply with NIS2 by the October deadline. These changes will include investing in security products and services, hiring consultants and employees to effect change, and cultivating a security-conscious mindset across the organization.

A new mindset

For many midsized companies, the biggest challenge is that no one currently employed within the company is focused on cyber security, so there will be no one driving the necessary changes. If there is no CISO or cyber security team, the hardest things will be driving change, gathering momentum, and understanding security best practices and how to navigate the new legislation.

Under NIS2, the ultimate responsibility for compliance lies with the company’s top management, which means that change will have to come from them. However, everyone working at the company will also need to participate in changes, whether that is just taking awareness training and adhering to new standards around, for example, password strength, or working with an expert to make organizational processes more secure.

Meeting NIS2’s minimum requirements

NIS2 comprises ten minimum requirements which outline the baseline practices considered necessary to make a company digitally secure. These include requirements around incident handling, business continuity, supply chain security, vulnerability handling and disclosure, cryptography and encryption, access control and asset management, and basic cyber hygiene and training, together with the policies and procedures that govern them. Reporting significant incidents to the competent authority is a separate obligation that sits alongside these measures.

None of these minimum requirements are particularly cutting-edge or unusual in cyber security; they are standard practices in organizations with mature security postures. Most of the requirements can be fulfilled with external products and services, therefore avoiding the potentially huge investment involved in setting up these capabilities in-house.

For example, incidents have to be detected and handled around the clock: the obligation to issue an early warning within 24 hours of becoming aware of a significant incident makes this a practical necessity. To cover this internally, a company would need to hire a large team of experts, some of whom would have to work weekends and holidays, plus extra staff to cover gaps caused by illness, employee turnover, and annual leave. Alternatively, companies can outsource 24/7 monitoring, which is the approach we recommend in most cases.

Our Practical Advice

For most midsized companies, becoming compliant with NIS2 will involve a mixture of internal effort and investing in external products and services. The key is to identify which areas of change are achievable in-house, and where investments will lead to the most value.

Understand NIS2

The first step is to understand the NIS2 Directive in full. Top management, who are responsible for compliance with NIS2, should either read the legislation themselves or engage an expert to understand the nuances of the requirements and the ways in which compliance will be measured. Note that NIS2 is a directive: the obligations that actually apply to your company are set out in the national law that transposes it in each member state where you operate, and those laws can add detail that the Directive leaves open.

Tip: To understand the requirements, watch our latest NIS2 Directive webinar. 

Gap analysis

The second step is to assess your company’s current capabilities and practices against the requirements laid out in the NIS2 Directive. It is crucial that you understand what you are already doing and what you need to change to become compliant by the deadline.

Tip: Remember to assess whether you can provide evidence of your security practices during this step. If your company is audited against NIS2, you will need to prove that you are meeting the requirements. For example, rolling out security awareness training across the business is not enough; you must be able to show, with up-to-date records, which employees have completed the training and when.

Assess risk profile

The next step is to understand your company's risk profile within the regulatory framework. Under NIS2, your security measures need to be proportional to the risks associated with your specific organization. High-risk organizations that are considered more important to society will need to invest more in security than organizations with a lower risk profile.

Incorrectly assessing your risk profile will lead to over- or under-investing in security, and under-investment can mean that you are not actually compliant with NIS2 even though you believe you are doing everything right.

Tip: NIS2 distinguishes between ‘important’ and ‘essential’ entities, but beyond that, the assessment of the risk profile is specific to each company. Some organizations may want to hire an expert to help them understand their risk profile, as this is such a crucial step in becoming adequately secure.

Tip: Security practices and processes should not hinder normal work. If security measures stop employees from doing effective and productive work, they will be worked around, and a control that is routinely bypassed should not be considered effective.

Evaluate options

With the results of your gap analysis, research products, services, and hiring options to fill in the gaps.

Tip: Many NIS2 requirements can be fulfilled with off-the-shelf products and services, including those which would take a significant financial investment to establish in house, such as:

  • 24/7 capabilities to detect, handle and respond to incidents

  • capabilities to ensure business continuity during cyber security incidents

  • capabilities to ensure continuous vulnerability handling and disclosure

  • basic cyber hygiene practices and cyber security training.

Off-the-shelf options also cover requirements which mainly demand a time investment if handled in house, such as:

  • writing and maintaining policies and procedures

  • enabling multi-factor authentication

  • handling asset management.

Some requirements are harder to fulfil, such as the need to establish policies and capabilities for cryptography and encryption. It is much harder to find an out-of-the-box solution for this, and you may need to work with a security specialist to become compliant, especially if you are working with sensitive data and a high risk profile.

Tip: When investigating product and service offerings from security vendors, be very wary of anything that promises immediate compliance, 100% success rates, or catch-all solutions. There is no such thing as a true one-size-fits-all solution, so it's essential to understand the specific needs and risk profile of your company and find reputable vendors who are willing to build a relationship with you. We recommend prioritizing vendors with a proven track record and longevity in the market. Beware of newly established companies that may lack stability or credibility.

Summary

The NIS2 Directive does not aim to damage companies or cause hardship by imposing unnecessary standards. Rather, it aims to increase the resilience of our society. We believe that organizations across the EU should do their best to comply with NIS2 not because of the financial consequences of non-compliance, but because it is morally the right thing to do: better resilience will lead to improved outcomes for everyone.

While midsized companies may face some challenges meeting NIS2’s requirements, a proactive approach involving understanding, assessment, and strategic investment can pave the way for a more secure digital landscape for everyone.


For more information on NIS2, watch our on-demand webinar, or learn about our award-winning cloud-based security platform, WithSecure Elements.
