How to prepare your organization for the new NIS 2 Directive?

If (cyber)security was not the first topic on the agenda of the Board of your organization since 2016 (NIS 1), then it will be now. The NIS 2 (Network & Information Security 2) directive of the EU not only expands the scope of the legislation, but also the industries who need to take adequate measures to protect the European economy and society.

Where GDPR focuses on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, NIS targets operators of essential services and digital service providers across 18 sectors such as energy, finance, healthcare, and transportation. These sectors are required to invest in cybersecurity measurements, incident reporting, and supply chain security.

For the IT staff, article 21.1 of this regulation matters most. It states that your IT strategy will be based on an all-hazards approach that aims to protect network and information systems and the physical environment of those systems from incidents. For this reason, all specialists recommend organizations to build a governance framework with remediation mechanisms to comply with this objective and with their own ambitions to protect and secure.

Prepare your organization for NIS 2

Focus Area



Organization of Information Security

  • Security Ownership
  • Security Roles and Responsibilities.
  • Risk Management Program

Asset Management

  • Asset Inventory
  • Asset Handling
Human Resources Security
  • Security Training

Physical and Environmental Security

  • Physical Access to Facilities
  • Physical Access to Components
  • Protection from Disruptions
  • Component Disposal

Communications and Operations Management

  •  Operational Policy
  • Data Recovery Procedures
  • Malicious Software
  • Data Beyond Boundaries
  • Event Logging

Access Control

  • Access Policy
  • Access Authorization Least
  • Privilege Integrity and Confidentiality
  • Authentication

Information Security Incident Management

  • Incident Response Process
  • Service Monitoring

Business Continuity Management

  • Emergency and contingency plans
  • Redundant storage and its procedures for recovering data