Your trusted partner for NIS2 compliance

We’ll give you clarity and certainty about what you need to do to be compliant, and we’ll help you get there.

CONTEXT: WHAT THIS IS

NIS2 Article 21 directs EU member states to ensure risk is managed by robust systems, policies, and best practices.

The European Parliament’s NIS2 directive is an update to the original Network and Information Security (NIS) Directive and introduces additional security compliance requirements for EU member states. Each member state must transpose the directive into national law, which companies will then be required to follow.

NIS2 introduces more stringent cybersecurity and risk management requirements. Article 21 of NIS2 directs member states to ensure that companies in important and essential industries manage risk by implementing robust systems, policies, and best practices covering a wide range of cybersecurity measures and disciplines including:

  • Risk analysis and information system security.

  • Incident handling and reporting.

  • Business continuity, such as backup management and disaster recovery.

  • Crisis management.

  • Supply chain security.

  • Systems acquisition, development and maintenance security.

  • Basic cyber hygiene practices and cybersecurity training.

  • Cryptography and encryption technologies.

  • Human resources security, access control policies and asset management.

  • Zero Trust access (multifactor authentication, continuous authentication).

NIS2 Article 21

The penalties for not complying with NIS2 mean this needs to be a priority now if you’re in an applicable industry.

  • Important Entities: fines for non-compliance of up to the greater of €7m or 1.4% of annual revenue.

  • Essential Entities: fines for non-compliance of up to the greater of €10m or 2% of annual revenue.

See the definition of important and essential entities here.

WHO NEEDS TO KNOW ABOUT THIS

Sectors affected by NIS2

NIS2 clearly defines the sectors that are in scope for the new directive. There are now more sectors in scope of the directive than there were under its original guise.

The directive divides sectors into two categories: essential entities and important entities. Whether an entity falls into an essential or an important sector determines the potential penalties for non-compliance. Our diagram shows which sectors are assigned to each category.

ESSENTIAL COMPANIES

  • Energy

  • Health

  • Space

  • Transportation

  • Digital infrastructure

  • Public administration

  • Finance

  • Water

IMPORTANT COMPANIES

  • Postal

  • Food

  • Waste management

  • Online marketplaces

  • Chemicals

  • Pharmaceuticals

OUR APPROACH: WHAT WE OFFER

Leaving nothing to chance. Your NIS2 compliance assured.

We use globally recognized information security frameworks like ISO27001 and NIST to prepare for NIS2, identify technology and process gaps, and scope out compliance efforts.

| NIS2 measure | Corresponding ISO27001 Annex |
|---|---|
| Incident handling and reporting | A.16: Information security incident management |
| Business continuity | A.17: Information security aspects of business continuity |
| Supply chain security | A.15: Supplier relationships |
| Systems acquisition, development and maintenance security | A.14: System acquisition, development, and maintenance |
| Cryptography and encryption technologies | A.10: Cryptography |
| Human resources security | A.7: Human resource security |
| Access control policies | A.9: Access control; A.5: Information security policies |
| Asset management | A.8: Asset management |
| Zero Trust security | A.9: Access control |
PREPARE FOR NIS2: DEVERG 8 STEP PROCESS

Immediate steps to take to prepare for NIS2

Member states have until October 2024 to incorporate the NIS2 Directive into their national laws. There are concrete steps we can help you take today to prepare for NIS2 as member states flesh out their regulations.

1. Identify, assess and address your risks. Management bodies of essential entities must take appropriate and proportionate technical, operational, and organizational measures, using an all-hazards approach to manage the risks posed to the security of network and information systems and the physical environment.

2. Evaluate your security posture. A security assessment can help identify areas of weakness such as unmanaged passwords or misconfigured or dormant accounts that are susceptible to credential theft.

3. Take steps to safeguard privileged access. Adversaries can exploit privileged accounts to orchestrate attacks, take down critical infrastructure and disrupt essential services. NIS2 advises critical entities to limit access to administrator-level accounts and to regularly rotate administrative passwords.

4. Strengthen ransomware defenses. Costly and debilitating ransomware attacks are a major concern for EU regulators and one of the primary drivers of the NIS2 Directive. Introduce security solutions and best practices to proactively defend against ransomware. Use endpoint privilege security solutions to enforce the principle of least privilege, control applications and augment next-generation antivirus (NGAV) and endpoint detection and response (EDR) solutions.

5. Move to a Zero Trust architecture. Traditional perimeter-based security architectures, conceived to defend trusted enterprise network borders, aren’t suited for the world of cloud services and hybrid workforces. Adopt a Zero Trust approach, implementing several layers of defense such as least privilege access, continuous authentication and threat analytics to validate all access attempts.

6. Scrutinise your software supply chain. Supply chain attacks are a major concern for EU regulators and a prime motivator for the NIS2 Directive. Take a fresh look at your software supply chain and consider implementing a secrets management solution to mitigate risk.

7. Formalise your incident response plan. NIS2 calls for faster incident reporting, with the first report due within 24 hours of an incident. Make sure your organization is prepared. Review your event notification, information gathering, and reporting processes.

8. Educate your people. Cybersecurity and cyber hygiene training are fundamental to NIS2. Step up your efforts to improve cyber awareness and foster a security-first culture.

ENSURE COMPLIANCE

Deverg services for ongoing NIS2 compliance

NIS2 HEALTHCHECK

INCIDENT MANAGEMENT

BUSINESS CONTINUITY AND DISASTER RECOVERY

ASSESS YOUR READINESS FOR NIS2

Take our free NIS2 readiness assessment to help you plan your strategy and approach for compliance

 
BENEFITS OF PARTNERING WITH US FOR NIS2 COMPLIANCE

Our execution-focused approach keeps you safe

  • We cut through ambiguity to give you clarity and certainty that you’re doing the right things to be compliant with the directive.

  • Minimise the risk of non-compliance and of facing sanctions.

  • Our 8-step process (listed in section 6) covers all bases of preparing for and implementing the changes that will ensure your compliance.

  • Our proactive approach will assure you of compliance when you need it, not after it’s too late.

  • We focus on execution and work with you to take direct action on your compliance.

KNOWLEDGE

NIS2 resources

 

BRIEFING PAPER

A Deverg guide to becoming compliant with the NIS2 directive

E-BOOK

Deverg’s e-book on what you need to know about NIS2 compliance

NIS2 READINESS ASSESSMENT

Free NIS2 readiness assessment with personalised report straight to your inbox

SUCCESS STORIES

Clients that trust us

CYBER SECURITY CASE STUDY

A cancer research organisation affected by ransomware

CYBER SECURITY CASE STUDY

Cyber security compliance for a global oil, gas and renewables company

FIND OUT MORE

Contact us