How to implement the NIS 2 Directive? Brief overview of required policies
The provisions of the NIS 2 Directive alone give no precise indication of what the implementation of adequate ‘cyber risk-management measures’ should look like. This does not mean, however, that such measures cannot be established. To this end, it is useful to refer to the requirements of the ISO/IEC 27000 series of standards (which the NIS 2 Directive explicitly references) and, by way of analogy, to the provisions of the DORA Regulation, addressed to the financial sector, which constitute lex specialis (more specific provisions) in relation to the NIS 2 Directive.
The analysis of these acts shows that for the purpose of demonstrating compliance with the NIS 2 Directive, it may be helpful for an organisation to implement the following policies or procedures:
- risk analysis and management policy – to identify, analyse, assess and minimise cybersecurity risks;
- vulnerability management procedure – to manage vulnerabilities from the detection phase through to proactive handling and neutralisation of the threat;
- incident handling procedure – to manage the incident from the prevention phase, through detection and response, to identifying lessons and making improvements;
- incident reporting procedure – to implement the specific regulatory requirements for reporting incidents to the relevant state authorities;
- business continuity procedure – to restore the normal operation of the organisation and coordinate the way in which crises are managed;
- third-party supplier risk management policy – to ensure the safety of the organisation when using the products or services of third-party suppliers;
- access control policy – to regulate such aspects as physical access and security of human resources;
- cyber hygiene policy – to implement general cybersecurity practices, such as software updates, password management, making backups, using encryption and multi-factor authentication, regular cybersecurity training, etc.
Authors: Agnieszka Wachowska, Piotr Konieczny