Resources to Guide Your NIS2 Work

Guidance on how your organisation can work with the NIS2 directive.

The NIS2 Directive is unlike most other cybersecurity rules because it gives a company's leadership (e.g., C-level executives, board members, and legal representatives) the responsibility for ensuring they comply.

And they can also be penalised if they don't meet the requirements. For instance, they can be temporarily banned from holding leadership positions.

In this article, we give you an overview of what NIS2 requires and some resources to support your work with NIS2. If you want to read more about NIS2, we have a blog post that goes into a lot of detail about who it applies to and some recommendations.

Technically, NIS2 applies as of October 18, 2024. In some countries, like Denmark, implementation of the directive is delayed. In Denmark, implementation is expected on March 1, 2025.

Here are some of the highlights.

There are 10 new minimum cybersecurity requirements

Policies on risk analysis and information system security
1. Your risk management should have an all-hazards approach, which means you should consider threats from the physical environment (e.g., floods, fires), telecommunications failure, and unauthorized access to, damage to, or interference with your information technology.
Incident handling
Business continuity, such as backup management and disaster recovery, and crisis management
Supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers
1. For example, it is recommended to include cybersecurity risk management measures in your contracts with direct suppliers.
Security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure
Policies and procedures to assess the effectiveness of cybersecurity risk management measures
Basic cyber hygiene practices and cybersecurity training
1. Some examples could be:
  1. Having policies on software and hardware updates, changing passwords, managing new installations, restricting administrator level access accounts, and backing up data.
  2. Practices to adopt: zero trust, mandatory software updates, training staff and raising awareness of cyber threats, phishing, and social engineering techniques.

Policies and procedures regarding the use of cryptography and, where appropriate, encryption
Human resources security, access control policies and asset management
The use of multi-factor authentication or continuous authentication solutions, secured voice, video and text communications, and secured emergency communication systems within the entity – where appropriate

The EU published this draft initiative that covers cybersecurity risk management and reporting obligations for digital infrastructure providers and ICT service managers.

The annex has concrete guidance for, e.g., what to consider for risk management, what should be included in different security policies, how to approach supply chain security, and much more. Although the guidance is aimed at specific sectors, the information and recommendations within the annexes is largely applicable. It's a great place to start if you are unsure of what the security requirements mean in practice.

There are new reporting requirements

What kind of incident needs to be reported?

Incidents considered "significant" need to be reported using the new schedule below.

A significant incident is one that:

Has or could cause severe disruption of the services or financial loss for your organisation
Has or could affect people by causing considerable material or non-material damage

The new timeline for reporting

Within 24 hours of first becoming aware of an incident
Submit an early warning. Indicate whether you suspect illegal or malicious and whether it may have a cross-border impact.

Within 72 hours
Submit an update. You should provide an initial assessment of the incident’s severity, impact, and indicators of compromise.

Within 1 month
Submit a final report. This should have a detailed description of the incident, its severity and impact; what caused the incident; applied and ongoing mitigation measures; and impact across borders.

Resources to support your NIS2 work

External resources

Bestyrelsesforeningens Center for Cyberkompetencer has some comprehensive free resources for Danish companies.

For example, they have a ready-made checklist you can use to organise your security work.

CyberPilot resources

Here are some resources and the NIS2 requirements they can help you meet.

Requirement #1 - Policies on risk analysis and information system security

IT security policy template and guide on how to use it.
Risk analysis template and guide on how to use it.
Password policy template and guide on how to use it.

Requirement #3 - Business continuity and crisis management

Checklist for making an emergency response plan.

Requirement #6 - Assess the effectiveness of your risk management

Overview of the Plan-Do-Check-Act cycle and how to use it to continuously improve your security.

Requirement #7 - Basic cyber hygiene practices and cybersecurity training 

Our awareness training course catalogue filled with content to educate your employees.
Our security awareness posters.

Requirement #9 - Human resources security, access control, and asset management

Acceptable use policy template and guide on how to use it.
Overview of mobile device management.

Did you know we have a course about NIS2?

CyberPilot's NIS2 course for leadership

We offer a course for leadership to get started with NIS2. This course is meant to be taken by executives, board members, and management. It can also be taken by managers who will be supporting a company's NIS2 compliance work.

The course provides:

Key information about the NIS2 Directive
A guide to the 10 cybersecurity requirements in NIS2
Examples of how you can work with NIS2

It's a great way to introduce NIS2 and start working with it in your company.