Cyber Security

NIS2 Compliance: A strategic approach to IT security and continuity 

The Network and Information Security Directive 2 (NIS2) requires organizations to implement measures to ensure the security and continuity of their IT environments. The directive focuses on the resilience of digital infrastructure and demands auditability. Organizations that already adhere to security standards such as ISO 27001 and NIST often have a solid foundation, but NIS2 places additional emphasis on establishing a comprehensive ICT risk management framework. 

This framework must cover the entire IT environment—from data to underlying processing systems and access control—with the goal of improving resilience against unexpected events. These include both cyber threats and IT disruptions. Special attention is given to legacy systems, which can have a greater impact on continuity than often assumed. 

In addition, NIS2 highlights the importance of communication during disruptions and collaboration in information sharing, both of which are often lacking in existing processes. A key new element is accountability for the quality of service providers within the supply chain, which is now partly the responsibility of the contracting organization. 

The complexity of modern IT environments

Modern IT environments are often hybrid, combining on-premises infrastructure with cloud solutions. The rise of Software as a Service (SaaS) adds complexity to the IT chain. Data is often stored across physically separated environments, raising the question of how the data owner can influence continuity and resilience. This requires a thorough review of continuity and resilience processes and procedures. 

An analysis to identify gaps 

The first step toward NIS2 compliance is an “as-is/to-be” (IST-SOLL) analysis to identify what is missing. It is essential to take an approach that provides clarity on priorities, impact, and timelines. This analysis should begin with processes and governance, and end with IT assets and infrastructure. 

Key questions include: 

  • What guarantees can already be given regarding IT continuity, particularly the security and availability of data and functionality? 

  • To what extent is there sufficient visibility and control over data management across the IT supply chain? 

  • What role do service partners play in the chain, and is there a clear set of agreements in place aligned with NIS2 requirements? 

  • What processes and audit-ready outcomes are available for regularly testing IT solutions across the process chain? 

  • How is communication structured in the event of incidents? 

  • How are all of the above elements governed, monitored, and documented? 

By placing processes and data at the center of the analysis, organizations can assess their current status and determine what needs to be added or adjusted. This approach offers quick insights into where the real challenges lie and what the priorities should be. 

By embedding this within a risk management framework, organizations not only meet the requirements of NIS2, but also establish a reliable structure for ongoing compliance. A wide range of tools is available to support this process and facilitate documentation and reporting—an essential part of NIS2 compliance. 

Let's talk IT security

Under NIS2, organizations are required to identify risks and implement mitigation strategies to ensure digital resilience, with a strong focus on data availability. This calls for a continuous process of risk assessment and management. Clear insight leads to greater control and enables organizations to act in accordance with regulatory requirements. 

Let me know if I can assist in thoroughly mapping IT supply chains and related data, identifying potential risks, and providing tailored advice. With the use of standardized tools and methodologies I can advise on digital solutions that support oversight, governance, and reporting. 

Louis Joosse