Michael Von Glasow

Senior Consultant

We continue our series of conversations with Michael Von Glasow, cybersecurity expert at CGI Lithuania. This time, we discuss the NIS2 directive and its implementation. In this interview, you will learn what NIS2 is, how to properly prepare for its requirements, and why it is extremely important for companies to pay attention to this now.

What is the European Union's NIS2 Directive?

NIS2 is the European Union (EU) Information Security Directive. It replaced the previous NIS Directive and was updated last year. NIS2 applies to companies and organizations whose activities are important for the functioning of society and the state.

How does NIS2 differ from the previous NIS version?

NIS2 has expanded its scope of application - additional organizations that were not previously covered by the regulation have been added to the list of regulated entities. The scope of requirements has also increased.

Which sectors are affected by NIS2?

The NIS2 Directive covers various sectors, such as transport, energy, health care, etc.

What are the consequences of non-compliance?

Severe sanctions may be imposed for non-compliance with NIS2 requirements. In cases of gross violations there are heavy fines. Details vary between member states. In Lithuania, for example, responsible managers may be removed from their positions and prohibited from holding management positions for a certain period of time.

What is important for managers to know?

The most important thing for managers to remember is that they are ultimately responsible. They are responsible for the implementation of all measures and for the possible consequences if security requirements are not met.

How can companies prepare for NIS2?

Generally, companies do not need to start from scratch, especially if they have already implemented an information security management system (ISMS). Such organizations have a significant advantage. The first step should be a gap analysis, which assesses what has already been implemented and identifies key gaps and risk areas.

Are there differences between the requirements for large and small companies?

Yes, there are differences. Organizations are divided into material and significant entities. Some requirements apply only to material entities, but not to significant ones. In addition, the principle of proportionality applies, which means that the requirements depend on the size of the company, the nature of its activities, its risk profile, its financial capabilities, and the extent to which security measures could affect the company's operations.

What should a good security management system look like according to NIS2?

A proper security management system should include an information system security policy and a risk analysis policy, as well as incident management procedures and a business continuity plan. Attention should be paid to supply chain security and the security of system procurement, development, and maintenance. Measures and procedures for evaluating the effectiveness of security solutions are also necessary.

A basic level of cyber hygiene is also important – employees must be trained to use secure passwords, recognize phishing emails and understand the threats of social engineering. If necessary, a cryptography policy must be developed, and human resource security, clear access control, asset management, multi-factor authentication, and secure communication solutions must be ensured. All of this constitutes what is often referred to as the "ten commandments" of cybersecurity.

What are the biggest practical challenges for organizations?

The biggest challenges often arise for international companies, as each EU country implements the directive slightly differently. This means that organizations need to think in advance about how to comply with the national requirements of several countries. In addition, some companies may fall not only within the scope of NIS2, but also within the scope of the DORA regulation. In such cases, the requirements of both legal regimes must be harmonized and implemented.

How can CGI help organizations?

CGI can help in all phases of preparation and implementation. Starting with a gap analysis, we can then help develop the necessary policies, procedures, and plans, as well as implement practical measures, develop technical solutions, deploy systems, and ensure their maintenance. We are ready to contribute at both the strategic and operational levels – from planning to ongoing monitoring.

About this author

Michael Von Glasow

Senior Consultant

Certified cybersecurity expert. Working for CGI since 2013. Specialties: Cybersecurity, financial sector, public sector, multinational environments.