Minimise risk & drive resilience across critical operations and infrastructure
NIS2 mandates that organisations implement effective processes for identifying, minimising and managing security risks to their information systems and establish and maintain an effectual cyber security incident response plan to reduce the risk of a breach resulting from a cyber-attack.
Compliance, while mandatory, can be complex as the Directive does not mandate specific security controls but requires the implementation and ongoing maturity of a risk-driven information security management framework applicable to your business processes and the threat landscape of your industry. Customisation is the key.
Begin Your NIS2 Compliance Journey & Supercharge Your Cyber Security Posture
The goal of the new directive is to create cyber resilience and cultivate a shared understanding of cyber security threats. The NIS2 Directive’s new obligations embody key areas including risk management, corporate accountability, reporting obligations, business continuity and supply chain security.
Risk Management Review
To comply with NIS2, organisations must implement measures to minimise cyber risks and consequences. These include incident management, stronger supply chain security, network security, access control and encryption.
Incident Management
A business continuity plan is required to ensure incident management. An incident and crisis response team should be in place. Policies and procedures that cover system recovery, and emergency procedures must be included in the response plan.
Reporting Obligations
Similar to the GDPR, entities must promptly report any incident that significantly impacts their services to their Computer Security Incident Response Team, issue an early warning, incident notifications, intermediate reports and final reports.
Risk Ownership & Accountability
Management must oversee and approve cyber security risk-management measures. Data breaches could result in penalties for management, including liability and temporary removal from management roles.
Supply Chain
Risk in supply chains must be assessed and measures incorporated to strengthen supplier contractual arrangements. Due diligence is required in the selection of managed security providers.
Guarantee Your Business Complies
Risk Crew is a leading provider of GRC and assessment services. Our team will guide your organisation to reach NIS2 critical requirements.
Current cyber threat intelligence is gathered specifically for your organisation’s industry (finance, banking, healthcare energy, transportation, technology etc.) and provided to you.
We update the risk registerwith these threats and map to your existing controls to identify and fill any potential gaps in your current defences.
Risk Management Maturity Assessment
A review of the information security management system (ISMS) and its applicability for effectiveness against your threat landscape is assessed.
Controls implemented in your people, process, and technology are evaluated to ensure they meet or exceed ENISA-established best practices and your specific cyber security threats to identify vulnerabilities which should be remediated.
A review and assessment of your security controlswithin your: People, Processes and Technology.
You’ll receive a benchmark of the maturity of your ISMS and provide a roadmap for improvement.
Incident Response Team Maturity Assessment
The maturity and effectiveness of your organisation’s current Computer Security Incident Response Team (CSIRT) capability are reviewed.
The review includes your Team’s skillset and toolsto ensure that current plans and step-by-step procedures meet or exceed ENISA-established best practices, and that appropriate escalation and notification processes are up-to-date and applicable to local requirements.
You’ll receive a benchmark of the maturity of your CSIRT practices & procedures with a roadmap for continuous improvement.
Supply Chain Risk Management Maturity Assessment
Your organisation’ssupply chain cyber security risk management policies, plans and procedures and their applicability and effectivenessagainst the cyber threat landscape in your industry are assessed and reviewed.
A review of your current cyber security controls is conducted to ensure they meet or exceed ENISA-established best practices and the specific cyber security threats facing your supply chain.
A benchmarked report will show the maturity of your supply chain cyber security risk management practices and procedures, providing a roadmap for continuous improvement.
You’ll receive a maturity report documenting your supply chain cyber security risk management practices and proceduresand a roadmap for continuous improvement.
Internal NIS2 Security Audit
Ensure your organisation is prepared for compliance and has ‘best practice’ security controls in place, Risk Crew can also conduct your internal security audit – a requirement of the NIS2 Directive.
The NIS2 Directive will become law on October 17, 2024. Prepare now for compliance and gain best practice security controls. Not sure where to start?
Check if your sector is regulated under the NIS2 Directive
Evaluate critical processes and security measures to develop a scope of what’s needed for compliance
Evaluate critical processes and security measures to develop a scope of what’s needed for compliance
Integrate new security measures now to avoid delays. Begin with the programs that will take the most time to complete such as your incident management and supply chain security
Explore outsourcing to help with your compliance. If you wait too long, your best-fit consultancy firm, which fits into your budget, may not be available
Clients Come to Us for Expertise & Stay for Exceptional Service
Find Out How Risk Crew Can Help
Whether you need to kickstart your compliance with risk assessments and roadmap or help implementing the your program – we’re happy to help, it’s what we do.
You can also call us at +44 (0) 02 3653 1234 and one of our experts will guide you down your path to secure your information assets.
We Don’t Sell Products, We Sell Results.
✓ Competitive and Transparent Pricing
Our service comes with fixed pricing with no unexpected added costs. Additionally, we offer a managed service to conduct penetration testing on a continual basis.
✓ Experienced Experts
Risk Crew has over 30 years of experience. Our information security experts hold CISSP, CISA, CRISC and CISM and CSX certifications.
✓ In-depth Reporting
Our comprehensive report details specific vulnerabilities identified on the platform, how they were identified, methods and tools used to identify them and visual evidence if applicable.
✓ 100% Satisfaction Guarantee
We think deeply, question assumptions, detect cause and effect and deliver measurable results. No one else does that. Our deliverables produce metrics you can use to monitor and manage real-world cyber risks.
The protection of our networks and systems is critically important, now more than ever. Attackers are increasingly sophisticated, and attacking with increasing frequency. NIS2 is a lot tougher than its predecessor. It’s more costly. More complex. But it’s also a smarter way to protect information assets, keeps what matters running, while raising cybersecurity standards across the board. Here’s why: the thing has teeth. Big ones.Unlike NIS1, NIS2 is armed with far heftier fines (and more compliance standards) than its predecessor. Entities within its scope must expect ad-hoc audits, expensive implementation costs and, if they don’t buckle up and comply, eye-watering fines of up to $10 million.
1. NIS2 Directive was published in the Official Journal of the European Union as Directive (EU) 2022/2555.
2. The timeframe for the transposition of NIS2 into the national laws of the 27 member states of the EU is the year 2024 (17 October).
3. This is the deadline for transposition into national law for member states, not the compliance date for entities subject to NIS2. As yet, the compliance date entities is unspecified. Follow our NIS2 Timeline blog post for updates.
4. The directive has only this to say on ‘registration’ etc: ‘Member States shall require entities referred to in paragraph 1 to submit the following information to the competent authorities by 17 January 2025:
(a)the name of the entity; (b)the relevant sector, subsector and type of entity referred to in Annex I or II, where applicable; (c)the address of the entity’s main establishment and its other legal establishments in the Union or, if not established in the Union, of its representative designated pursuant to Article 26(3); (d)up-to-date contact details, including email addresses and telephone numbers of the entity and, where applicable, its representative designated pursuant to Article 26(3);(e)the Member States where the entity provides services; and (f)the entity’s IP ranges.
APT threats are primarily associated with nation-state and sophisticated cyber-criminal organisations as they require a significant investment of resources and are fuelled by zero-day vulnerabilities. A zero-day vulnerability is a software vulnerability that is unknown (or unaddressed by the vendor) and therefore can be exploited without detection. Zero-day vulnerabilities are attained through research or purchase from the dark web and therefore require significant resources to obtain.
Entities operating within the EU that fall under ‘Essential’ or ‘Important’ sectors are covered by NIS-2, with the exclusion of ‘small’ and ‘micro’ businesses. Essential sectors span a wide range, from energy and transport to banking, health, digital infrastructure, public administration and space. Meanwhile, important entities include postal and courier services, waste management, food production, manufacturing, digital providers and research organisations, among others.
Your incident response plan should include reporting notification procedures. Operators of essential services must notify, without undue delay, the competent authority or the CSIRT of incidents having a significant impact on the continuity of the essential services they provide. Notifications shall include information enabling the competent authority or the CSIRT to determine any cross-border impact of the incident. Notification shall not make the notifying party subject to increased liability. This initial report or “early warning” to the competent national authority or computer security incident response team (CSIRT) without delay and within 24 hours from when the entity became aware of a significant incident (updated from the “without undue delay” under NIS 1). This must be followed with a more robust incident notification without undue delay and within 72 hours. Entities must then submit a final report [no more than one month later]. Entities will also be required to notify affected users without undue delay, wherever appropriate.
Welcome! We’re happy you are here and want you to know that we respect your privacy and your right to control how we collect your personal data. For additional information review our Privacy Notice.
We use cookies on our website to give you the most relevant experience by remembering your preferences and repeat visits. By clicking “Accept”, you consent to the use of ALL the cookies.
This website uses cookies to improve your experience while you navigate through the website. Out of these cookies, the cookies that are categorized as necessary are stored on your browser as they are as essential for the working of basic functionalities of the website. We also use third-party cookies that help us analyze and understand how you use this website. These cookies will be stored in your browser only with your consent. You also have the option to opt-out of these cookies. But opting out of some of these cookies may have an effect on your browsing experience.
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.
