In 2023, the EU adopted the second iteration of the Network and Information Systems directive, NIS 2 in short.
💡 NIS 2 is a directive, while DORA and GDPR are regulations. The big difference is that a directive must first be transposed into national legislation by each member state, while a regulation applies directly as soon as it enters into force.
NIS 2 aims to establish a higher level of cybersecurity for entities categorized as essential or important.
Essential entities
- Banking
- Digital infrastructure
- Financial markets
- Healthcare
- Transport
- Utilities (energy, water)
Important entities
- Digital providers
- Food
- Manufacturing
- Postal
- Research
- Waste management
Does NIS 2 impact you?
While NIS 2 primarily addresses large (over 250 employees) and medium-sized (over 50 employees) organizations, smaller organizations can also be impacted. This happens if a member state identifies them as critical.
But even when you are not an essential or important entity, you may be part of their supply chain. For instance, SaaS, cloud or managed service providers delivering their services to critical entities may also be required to demonstrate their NIS 2 compliance.
Contents of NIS 2
The NIS 2 directive is a comprehensive piece of legislation, describing the responsibilities of EU member states, including jurisdiction and penalties for non-compliance.
Entities falling within the scope of NIS 2 must also cooperate with national Computer Security Incident Response Teams (CSIRTs) and the European Union Agency for Cybersecurity (ENISA).
Measures
Furthermore, and this is what most of the fuss is about, article 21 of NIS 2 contains a number of technical, operational and organizational measures that entities must implement, which conveniently map to ISO 27001:
| NIS 2 article 21 | ISO 27001:2022 |
|---|---|
| Policies on risk analysis and information system security | 5.2 Policy; 6.1.2 Information security risk assessment; 6.1.3 Information security risk treatment; A.5.1 Policies for information security |
| Incident handling | A.5.24 Information security incident management planning and preparation; A.5.25 Assessment and decision on information security events; A.5.26 Response to information security incidents; A.5.27 Learning from information security incidents |
| Business continuity, such as backup management and disaster recovery, and crisis management | A.5.29 Information security during disruption; A.5.30 ICT readiness for business continuity; A.8.13 Information backup; A.8.14 Redundancy of information processing facilities |
| Supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers | A.5.19 Information security in supplier relationships; A.5.20 Addressing information security within supplier agreements; A.5.21 Managing information security in the ICT supply chain |
| Security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure | A.5.19 Information security in supplier relationships; A.5.20 Addressing information security within supplier agreements |
| Policies and procedures to assess the effectiveness of cybersecurity risk-management measures | 9.1 Monitoring, measurement, analysis and evaluation; 9.2 Internal audit; 9.3 Management review; A.5.35 Independent review of information security; A.5.36 Compliance with policies and standards for information security |
| Basic cyber hygiene practices and cybersecurity training | A.5.1 Policies for information security; A.6.3 Information security awareness, education and training |
| Policies and procedures regarding the use of cryptography and, where appropriate, encryption | A.8.24 Use of cryptography |
| Human resources security, access control policies and asset management | A.5.15 Access control; A.5.16 Identity management; A.5.17 Authentication information; A.5.18 Access rights; A.5.9 Inventory of information and other associated assets; A.6.1-A.6.8 People controls |
| The use of multi-factor authentication or continuous authentication solutions, secured voice, video and text communications and secured emergency communication systems within the entity, where appropriate | A.5.14 Information transfer; A.5.17 Authentication information; A.8.5 Secure authentication; A.8.20 Network controls; A.8.21 Security of network services |
Comply with NIS 2 by implementing ISO 27001
All of the requirements above can be covered when implementing an information security management system (ISMS) according to ISO 27001. Certification is not mandated by NIS 2, but it will certainly help entities when asked to prove their compliance.
Besides compliance with NIS 2, there are many more benefits to implementing ISO 27001!
We have written a whitepaper explaining how GDPR, NIS 2, and DORA are reshaping expectations across industries, why ISO 27001 offers the smartest foundation to meet them, and how Instant 27001 helps you get there faster, whether you’re regulated directly or simply part of the supply chain.
Download the whitepaper to see how you can turn compliance into a competitive advantage.
How can we help?
Instant 27001 is a pre-built ISO 27001 Information Security Management System. It enables organizations to implement and maintain ISO 27001 in a controlled, practical way, without consultancy-heavy projects or intrusive automation platforms.
It is trusted by more than 2,500 organizations to reduce risk, strengthen security governance, and demonstrate information security maturity to customers, partners, and regulators.
Instant 27001 integrates naturally with Atlassian Confluence and Microsoft 365 so teams can implement and maintain ISO 27001 in the tools they already use.
One-time purchase from €2,495. Available in English, Dutch, and German.