These last few years have been a whirlwind of new legislation across the globe as we continue to address new risks and threats in a politically turbulent world. As we adopt these new laws, they bring new compliance requirements for businesses to assess, among other pressing priorities.
The NIS2 Directive, adopted by the European Union (with comparable provisions proposed for UK law in the Cyber Security and Resilience Bill), marks a significant shift in how cyber security is perceived and managed within organisations. No longer confined to the IT department, cyber security has become a critical issue that demands the attention and accountability of management bodies and the Board.
NIS2: elevating cyber security accountability
Gone are the days when cyber security was solely the responsibility of IT professionals. With the advent of NIS2, the EU has placed a spotlight on the role of management bodies in ensuring the security of their organisations. Article 20 requires management bodies to approve the cyber security risk management measures, oversee their implementation and take an active role in cyber security risk management, and it allows them to be held liable for infringements of those obligations.
Management bodies: direct accountability
Under NIS2, management bodies are required to approve and oversee the implementation of the cyber security risk management measures set out in Article 21. This means that C-level executives can no longer hide behind their IT departments. They must be fully engaged in the process, ensuring their organisations are adequately protected against cyber security threats. Failure to do so could result in severe consequences, including personal liability for infringements and, for essential entities, a temporary prohibition on the CEO or legal representative exercising managerial functions until the breach is remedied.
Article 21: comprehensive cyber security measures
Article 21 of NIS2 requires organisations to take appropriate and proportionate technical, operational and organisational measures to manage the risks to their network and information systems. As a minimum, these measures include:
- Risk analysis and security policies: organisations must conduct thorough risk analyses and establish robust security policies to mitigate identified risks.
- Incident handling: effective incident handling procedures must be in place to ensure a swift and coordinated response to cyber security incidents.
- Business continuity and crisis management: organisations must develop and maintain business continuity plans, covering backup management and disaster recovery, together with crisis management plans to ensure operational resilience in the face of cyber threats—and test them!
- Supply chain security: the security-related aspects of relationships with direct suppliers and service providers must be addressed, as vulnerabilities in third-party vendors can pose significant risks. That starts with knowing who those suppliers are, what they connect to and what data they hold.
- Security in system acquisition, development and maintenance: security must be integrated into the acquisition, development and maintenance of network and information systems, including vulnerability handling and disclosure and timely patching to address emerging threats. In practice, legacy systems that can no longer be patched need a funded plan to be phased out.
- Effectiveness assessment: organisations need policies and procedures to assess whether their cyber security measures actually work and to identify areas for improvement. Nobody can monitor an estate continuously by hand, so this means modernising the estate and deploying tooling that does the monitoring for us.
In addition to these measures, Article 21 calls for basic cyber hygiene practices and cyber security training, policies on the use of cryptography, access control and asset management, multi-factor or continuous authentication, and vulnerability handling and disclosure. These elements are crucial for creating a culture of cyber security awareness and resilience within organisations. The fact that we must legislate for the use of multi-factor authentication gives us a real insight into the risks that are exposed by not doing so.
Continuous monitoring and visibility
Continuous monitoring and visibility are critical components of an effective cyber security strategy. By combining Security Information and Event Management (SIEM), Security Orchestration, Automation and Response (SOAR) and Managed eXtended Detection and Response (MXDR) with Governance, Risk and Compliance (GRC) tooling, organisations can gain near real-time insight into their security posture. GRC tools carry much of the administrative load that NIS2 adds, giving organisations a structured way to record risks, map controls to the Article 21 measures and evidence their effectiveness across multiple use cases.
Incident reporting: transparency and accountability
NIS2 mandates strict incident reporting requirements to ensure transparency and accountability. Under Article 23, significant incidents must be reported to the competent authority or CSIRT within specific timeframes:
- 24 hours of becoming aware: an early warning, indicating whether the incident is suspected to be caused by unlawful or malicious acts and whether it could have a cross-border impact.
- 72 hours of becoming aware: an incident notification that updates the early warning with an initial assessment of severity and impact and any indicators of compromise.
- One month after the incident notification: a final report with a detailed description of the incident, the type of threat or root cause, the mitigation measures applied and ongoing, and any cross-border impact. If the incident is still ongoing at that point, a progress report is due instead, with the final report following within one month of the incident being handled.
Training for management bodies
To ensure that management bodies are equipped to fulfil their cyber security responsibilities, Article 20 requires their members to follow training, and encourages organisations to offer similar training to their employees on a regular basis. This training aims to give them sufficient knowledge and skills to identify cyber security risks and to assess the impact of risk management practices on their organisations. By fostering a culture of continuous learning and improvement, organisations can better prepare for and respond to cyber threats.
Conclusion
The NIS2 legislation represents a paradigm shift in cyber security governance, elevating it from an IT issue to a boardroom priority. By holding management bodies accountable for cyber security failures, the EU aims to create a more resilient and secure digital ecosystem. As organisations navigate this new landscape, it is essential to embrace continuous monitoring, decommission the legacy infrastructure, leverage advanced technologies, and foster a culture of cyber security awareness and accountability. In this brave new world of cyber security, ignorance is not bliss—it is a liability.
Get in touch with your Softcat Account Manager or our Sales team, and we can begin your transformation journey with everything from Business Impact Analysis to Board training, through Gap analysis to Managed Cyber Services and of course, everything in-between.
Stay vigilant and may your cyber security measures be ever robust.
