
Key focus areas for NIS2 compliance

Albin Finne, Director and cyber security specialist at Deloitte, highlights the most important considerations for companies that are “operators of essential services” – for example working in energy, transport or healthcare.

A major milestone was reached on 10 November when the European Parliament approved NIS2, completing the Parliament's part of the legislative process. The directive must now be formally adopted by the Council and published in the Official Journal of the EU in the coming weeks. Sweden, like the other member states, then has until late 2024 to transpose the directive into national law, and the Swedish companies in scope must meet the requirements from that point.

The current landscape pressures organizations to build the capabilities needed to prepare for and manage a cyber crisis effectively and efficiently. Between 2020 and 2021 we observed that cyber-attacks on critical infrastructure increased by 45% worldwide, and by up to 220% across EU Member States. Additionally, the shift to remote work during the pandemic opened new vulnerabilities, resulting in a 47% increase in individuals who fell for phishing attacks during 2020. With the current geopolitical situation, the threat of cyber-attacks has increased further, especially for operators of essential services, which could be targets in hybrid warfare.

The EU Commission's proposal for NIS2 aims to strengthen organizations' security posture against emerging cyber threats, and the resulting changes may significantly affect how organizations work.

Depending on the maturity of your company and the current state of the market, we see the activities below as focus areas to protect critical infrastructure and maintain compliance with the NIS2 Directive:

  • Training and awareness
  • Streamlining incident reporting
  • Focus on improving overall security posture
  • Funding of cybersecurity

Addressing these areas will strengthen your company's cybersecurity posture. We believe that increasing scrutiny from governments and regulators gives companies momentum to pursue their security objectives.


Considerations for "operators of essential services"

If you are an entity that provides a service which is essential for the maintenance of critical societal and/or economic activities, for example an energy company, you are classified as an "operator of essential services". (NIS2 itself replaces this NIS Directive term with the categories "essential entities" and "important entities"; the risk-management measures below apply to both.) This puts pressure on your technical and organizational structure and capabilities. The following measures are included in the NIS2 Directive:

- Risk analysis and information system security policies.
- Incident handling (prevention, detection, and response to incidents).
- Business continuity and crisis management.
- Supply chain security.
- Security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure.
- Policies and procedures to assess the effectiveness of cybersecurity risk-management measures.
- Policies and procedures on the use of cryptography and, where appropriate, encryption.

Furthermore, management bodies will have a crucial and active role: they must approve these measures, oversee their implementation, and can be held liable for infringements. What could happen if an essential operator is non-compliant?

  • Fines of up to EUR 10 million or 2% of total global annual turnover, whichever is higher (for essential entities)
  • Management liability
  • Temporary bans on individuals in managerial roles (e.g. CEO or legal representative) from exercising managerial functions
  • Designation of a monitoring officer


What are the next steps?

To manage the evolving cyber risks effectively, your board and senior management should define (if not already existing) or enhance your cybersecurity strategy to adapt, evolve and improve your organization's cyber resilience capabilities. We have identified three areas in which the key requirements of the NIS2 Directive must be addressed:

Cyber strategy/governance

  • Information security management
  • Awareness and training
  • Cyber risk management and compliance

Detection and response

  • Incident handling
  • Incident reporting
  • Business continuity and crisis management

Infrastructure and application security

  • Infrastructure/network security
  • Secure development practices
  • Identity and access control
  • Third party risk management


Through the EU initiative "Digital Europe Programme (DIGITAL)", an organization can get funding for the following:

  • A budget of EUR 177 million has been set aside for actions related to the "Cyber Shield" announced in the EU Cybersecurity Strategy; this includes Security Operations Centres (SOCs).
  • A budget of EUR 83 million for actions supporting the implementation of relevant EU cybersecurity legislation.
  • A budget of EUR 9 million for programme support actions, including evaluations and reviews.


Why has NIS2 been developed?

Since the start of the COVID-19 pandemic the cybersecurity landscape has evolved rapidly. The European Commission has acknowledged this and proposed NIS2, which repeals and replaces the EU Network and Information Security Directive (NIS Directive) in order to align and enhance cybersecurity across all EU member states. NIS2 must be applied by member states from 2024 and is expected to impose stronger requirements on a broader set of actors. The overall purpose of the legislation is to achieve a high common level of cybersecurity across all member states. NIS2 has three general objectives:

  1. Increase the level of cyber resilience of a comprehensive set of businesses operating in the European Union across all relevant sectors that fulfil important and critical functions.
  2. Reduce inconsistencies in resilience across the internal market in sectors already covered by the directive, by further aligning cybersecurity capabilities.
  3. Improve the level of joint situational awareness and the collective capability to prepare and respond by 1) taking measures to increase the level of trust between competent authorities; 2) sharing more information; and 3) setting rules and procedures in the event of a large-scale incident or crisis.

Deloitte Capabilities
Deloitte has years of experience in assessing and implementing the security controls and capabilities required to stay compliant. We can help you with:

Cyber strategy
- Cyber strategy, transformation and assessments
- Cyber risk management and compliance
- Third party risk management

Application security
- Secure development practices
- DevSecOps
- Secure development training

Infrastructure security
- Designing threat and vulnerability management
- Increasing technical resilience

Detect & respond
- Monitoring and management
- Threat intelligence and analysis
- Incident response support
