Preparing for NIS2: 4 Essential Steps to Take Right Now

Reading Time: 2 minutes


Rosie Christos | Senior Cyber-risk and Data Protection Advisor
Alannah Carey Bates | Senior Cyber-risk and Data Protection Advisor

Date: 18 June 2024

With 4 months before NIS2 comes into force, here are 4 steps you can take now to ensure that you are best prepared.

NIS2 is EU-wide legislation which imposes new obligations on providers of critical infrastructure, defined in the act as ‘Important Entities’ or ‘Essential Entities’ (with the latter being subject to proactive supervision). Member States have until 17 October to transpose the Directive into national law, with the transposed obligations having the potential to take immediate effect (in October).  Here is a reminder of organisations that are under its scope.

*For more information on the different types of organisations affected by NIS2, see here.

Organisations failing to meet the requirements will face fines of up to €10million or >2% of worldwide turnover, or even suspensions.

If you come under these categories, there are steps that you can be taking now to ensure you are sufficiently prepared for the upcoming legislation.

Four simple steps to follow to prepare for NIS2:

Step 1: Gap analyses

Performing a gap analysis is a great step to see where your information security controls currently are versus where they need to be, and to identify any overlooked risks and omissions.  Whilst the specific requirements have yet to be published by member states, Article 21 of the Directive specifies areas that will be included. A good strategy for compliance would be to perform an assessment against a well-respected existing information security standard, such as NIST SP 800-53, or ISO27001.

Step 2: Implement an Information Security Risk Management Framework

Information Security Risk Management is a core focus of NIS2, which calls for a proportionate and appropriate approach taken to information security risk, overseen at a board level. Organisations should develop and implement a suitable information security risk management framework and information security policies, including core documentation such as an InfoSec risk management plan, risk register and risks assessments as well as business impact analyses and business continuity / disaster recovery plans.

Step 3: Incident Response

In addition to the strict reporting requirements which NIS2 imposes in relation to incident response, NIS2 also requires appropriate governance measures for incident response. Organisations should assess their current incident response policy and conduct testing to ensure they are sufficiently prepared.

Step 4: Staff training

NIS2 requires organisations to provide information security risk management training to board members as well as staff awareness training on cyber hygiene / information security practices. Organisations should develop training programmes to meet these requirements.

 Whilst the requirements for compliance with NIS2 may seem challenging, our data protection and cyber-risk service, have a wealth of experience in helping organisations prepare for regulatory change. We are currently assisting organisations in their NIS2 preparations, building upon our previous work with Operators of Essential Services subject to NIS1. We can design and implement an easy to follow NIS2 compliance roadmap for your organisation and be by your side to assist with all the necessary steps. If you would like to discuss our services for NIS2 compliance, please feel free to contact our advisers.

Related posts

Let's discuss your career