What is NIS2?

NIS2 mandates that organisations implement effective processes for identifying, minimising and managing security risks to their information systems and establish and maintain an effective cyber security incident response plan to reduce the risk of a breach resulting from a cyber-attack.

Compliance, while mandatory, can be complex as the Directive does not mandate specific security controls but requires the implementation and ongoing maturity of a risk-driven information security management framework applicable to your business processes and the threat landscape of your industry. Customisation is the key.

Begin Your NIS2 Compliance Journey

How to Get Started
NIS 2 Consultant

NIS2 Directive Requirements

The goal of the new directive is to create cyber resilience and cultivate a shared understanding of cyber security threats. The NIS2 Directive’s new obligations embody key areas including risk management, corporate accountability, reporting obligations, business continuity and supply chain security.

Risk Management Review

To comply with NIS2, organisations must implement measures to minimise cyber risks and consequences. These include incident management, stronger supply chain security, network security, access control and encryption.

Incident Management

A business continuity plan is required to ensure incident management. An incident and crisis response team should be in place. Policies and procedures that cover system recovery, and emergency procedures must be included in the response plan.

Reporting Obligations

Similar to the GDPR, entities must promptly report any incident that significantly impacts their services to their Computer Security Incident Response Team, issue an early warning, incident notifications, intermediate reports and final reports.

Risk Ownership & Accountability

Management must oversee and approve cyber security risk-management measures. Data breaches could result in penalties for management, including liability and temporary removal from management roles.

Supply Chain

Risk in supply chains must be assessed and measures incorporated to strengthen supplier contractual arrangements. Due diligence is required in the selection of managed security providers.

Guarantee Your Business Complies

Risk Crew is a leading provider of GRC and assessment services. Our team will guide your organisation to reach NIS2 critical requirements.

The Requirement:

Risk Crew’s Compliance Solution:

Threat Landscape Assessment

Current cyber threat intelligence is gathered specifically for your organisation’s industry (finance, banking, healthcare energy, transportation, technology etc.) and provided to you.

We update the risk register with these threats and map to your existing controls to identify and fill any potential gaps in your current defences.

Risk Management Maturity Assessment

A review of the information security management system (ISMS) and its applicability for effectiveness against your threat landscape is assessed.

Controls implemented in your people, process, and technology are evaluated to ensure they meet or exceed ENISA-established best practices and your specific cyber security threats to identify vulnerabilities which should be remediated.

A review and assessment of your security controls within your: People, Processes and Technology.

people process technology controls

You’ll receive a benchmark of the maturity of your ISMS and provide a roadmap for improvement.

Incident Response Team Maturity Assessment

The maturity and effectiveness of your organisation’s current Computer Security Incident Response Team (CSIRT) capability are reviewed.

The review includes your Team’s skillset and tools to ensure that current plans and step-by-step procedures meet or exceed ENISA-established best practices, and that appropriate escalation and notification processes are up-to-date and applicable to local requirements.

You’ll receive a benchmark of the maturity of your CSIRT practices & procedures with a roadmap for continuous improvement.

Supply Chain Risk Management Maturity Assessment

Your organisation’s supply chain cyber security risk management policies, plans and procedures and their applicability and effectiveness against the cyber threat landscape in your industry are assessed and reviewed.

A review of your current cyber security controls is conducted to ensure they meet or exceed ENISA-established best practices and the specific cyber security threats facing your supply chain.

A benchmarked report will show the maturity of your supply chain cyber security risk management practices and procedures, providing a roadmap for continuous improvement.

You’ll receive a maturity report documenting your supply chain cyber security risk management practices and procedures and a roadmap for continuous improvement.

Internal NIS2 Security Audit

Ensure your organisation is prepared for compliance and has ‘best practice’ security controls in place, Risk Crew can also conduct your internal security audit – a requirement of the NIS2 Directive.

Schedule An Audit

Small Steps Now Can Result in Big Changes

The NIS2 Directive will become law on October 17, 2024. Prepare now for compliance and gain best practice security controls.
Not sure where to start? 

  • Check if your sector is regulated under the NIS2 Directive 
  • Evaluate critical processes and security measures to develop a scope of what’s needed for compliance
  • Evaluate critical processes and security measures to develop a scope of what’s needed for compliance
  • Integrate new security measures now to avoid delays. Begin with the programs that will take the most time to complete such as your incident management and supply chain security
  • Explore outsourcing to help with your compliance. If you wait too long, your best-fit consultancy firm, which fits into your budget, may not be available

Speak to an Expert

Clients Come to Us for Expertise & Stay for Exceptional Service

Find Out How
Risk Crew Can Help

Whether you need to kickstart your compliance with risk assessments and roadmap or help implementing the your program – we’re happy to help, it’s what we do.

You can also call us at +44 (0) 02 3653 1234 and one of our experts will guide you down your path to secure your information assets.

NIS-2 Consultancy Service

We Don’t Sell Products, We Sell Results.

✓ Competitive and Transparent Pricing

Our service comes with fixed pricing with no unexpected added costs. Additionally, we offer a managed service to conduct penetration testing on a continual basis.

✓ Experienced Experts

Risk Crew has over 30 years of experience. Our information security experts hold CISSP, CISA, CRISC and CISM and CSX certifications.

✓ In-depth Reporting

Our comprehensive report details specific vulnerabilities identified on the platform, how they were identified, methods and tools used to identify them and visual evidence if applicable.

✓ 100% Satisfaction Guarantee

We think deeply, question assumptions, detect cause and effect and deliver measurable results. No one else does that. Our deliverables produce metrics you can use to monitor and manage real-world cyber risks.

Frequently Asked Questions

Why has NIS2 changed?

The protection of our networks and systems is critically important, now more than ever. Attackers are increasingly sophisticated, and attacking with increasing frequency. NIS2 is a lot tougher than its predecessor. It’s more costly. More complex. But it’s also a smarter way to protect information assets, keeps what matters running, while raising cybersecurity standards across the board. Here’s why: the thing has teeth. Big ones.Unlike NIS1, NIS2 is armed with far heftier fines (and more compliance standards) than its predecessor. Entities within its scope must expect ad-hoc audits, expensive implementation costs and, if they don’t buckle up and comply, eye-watering fines of up to $10 million.

What is the NIS2 Directive timeline for compliance?

1. NIS2 Directive was published in the Official Journal of the European Union as Directive (EU) 2022/2555.

2. The timeframe for the transposition of NIS2 into the national laws of the 27 member states of the EU is the year 2024 (17 October).

3. This is the deadline for transposition into national law for member states, not the compliance date for entities subject to NIS2. As yet, the compliance date entities is unspecified. Follow our NIS2 Timeline blog post for updates.

4. The directive has only this to say on ‘registration’ etc:
‘Member States shall require entities referred to in paragraph 1 to submit the following information to the competent authorities by 17 January 2025:

(a)the name of the entity; (b)the relevant sector, subsector and type of entity referred to in Annex I or II, where applicable; (c)the address of the entity’s main establishment and its other legal establishments in the Union or, if not established in the Union, of its representative designated pursuant to Article 26(3); (d)up-to-date contact details, including email addresses and telephone numbers of the entity and, where applicable, its representative designated pursuant to Article 26(3);(e)the Member States where the entity provides services; and (f)the entity’s IP ranges.

Who must comply with NIS2?

Entities operating within the EU that fall under ‘Essential’ or ‘Important’ sectors are covered by NIS-2, with the exclusion of ‘small’ and ‘micro’ businesses. Essential sectors span a wide range, from energy and transport to banking, health, digital infrastructure, public administration and space. Meanwhile, important entities include postal and courier services, waste management, food production, manufacturing, digital providers and research organisations, among others.

What is the NIS2 Directive incident reporting?

Your incident response plan should include reporting notification procedures. Operators of essential services must notify, without undue delay, the competent authority or the CSIRT of incidents having a significant impact on the continuity of the essential services they provide. Notifications shall include information enabling the competent authority or the CSIRT to determine any cross-border impact of the incident. Notification shall not make the notifying party subject to increased liability. This initial report or “early warning” to the competent national authority or computer security incident response team (CSIRT) without delay and within 24 hours from when the entity became aware of a significant incident (updated from the “without undue delay” under NIS 1). This must be followed with a more robust incident notification without undue delay and within 72 hours. Entities must then submit a final report [no more than one month later]. Entities will also be required to notify affected users without undue delay, wherever appropriate.