
NIS2: Prepare for the new cybersecurity directive

Sep 19, 2024

Niek Waarbroek


What can you do now to prepare for NIS2, the Network and Information Security 2 Directive?

What is NIS2?

NIS2, the Network and Information Security 2 Directive (Directive (EU) 2022/2555), is EU legislation adopted in response to growing cyber threats and increasing dependence on digital systems. It replaces the original 2016 NIS Directive and aims to strengthen and harmonize cybersecurity across the EU.

Who does NIS2 apply to?

NIS2 applies to entities classified as “essential” or “important”. Whether you fall into one of these categories is determined by the directive itself: by the sector you operate in (listed in its annexes) and, in most cases, by your size (medium and large enterprises). Each EU Member State must establish its list of essential and important entities by 17 April 2025, and entities are required to provide the information needed to register them.

Does that mean there is nothing to worry about until you see your organization on the list? Far from it. The list is an administrative register, not the trigger for the obligations: those apply to every in-scope organization from the moment the national implementing law takes effect, whether or not you have been notified yet.

Now is the time to prepare, especially if your organization operates in sectors such as healthcare, energy, transport, finance, or IT services. These sectors are named in the directive’s annexes and will fall under the “essential” or “important” categories.

What are the requirements for NIS2 compliance?

The directive’s own deadline for Member States to adopt and publish their national implementing measures was 17 October 2024; several Member States are running late and now expect their implementing laws in 2025. It is these national laws that establish the concrete requirements and responsibilities your organization must follow.

What can you do now to prepare for compliance with NIS 2?

Governments and supervisory authorities advise organizations not to wait until the national rules are fully clarified: the cybersecurity risks are already present.

Organizations that take action now will not only protect themselves against the current risks but will also be better prepared for compliance with the upcoming legislation.

So what steps can you take now?

1. Assess the risk

Start with a risk assessment that identifies potential threats and assesses your organization’s current resilience. With this information, you can make well-informed decisions on how to address and mitigate the threats.

Start by answering the following questions:

  • What is the most critical data that needs to be protected?

  • What are the threats to that data?

  • What measures do you currently have in place to protect your data?

  • Which third parties have access to your data?

  • Which data do you share with third parties?

Did you know?

If your organization uses Google Drive, where file sharing and collaboration are common, answering these questions can be challenging.

Fortunately, tools like Florbs File Security for Google Drive can help. With Florbs, you know exactly who has access to your company’s data. You can detect unauthorized access in minutes, and remove sharing to maintain compliance.

2. Establish security policies necessary to protect your data

A good starting point is the set of minimum measures that Article 21(2) of the directive requires every essential and important entity to implement:

  • policies on risk analysis and information system security

  • incident handling

  • business continuity, such as backup management and disaster recovery, and crisis management

  • supply chain security

  • security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure

  • policies and procedures to assess the effectiveness of cybersecurity risk-management measures

  • basic cyber hygiene practices and cybersecurity training

  • policies and procedures regarding the use of cryptography and, where appropriate, encryption

  • human resources security, access control policies and asset management

  • the use of multi-factor authentication or continuous authentication solutions, and secured communications where appropriate.

Start by answering these questions:

  • Are your current security policies sufficient to protect your data adequately?

  • Which improvements are necessary?

  • Which additional policies do you need to establish?

Did you know?

With Florbs, you can set up security policies for Google Drive that automatically monitor for unauthorized access.

The policies perform regular checks and remove access that doesn’t comply with your organization’s security standards, helping you maintain data protection without manual oversight.

3. Establish incident response procedures

Besides preventing incidents, it is important to have procedures for detecting, monitoring, resolving, and reporting them. Under NIS2, essential and important entities must notify their national CSIRT or competent authority of any significant incident: one that causes or can cause severe operational disruption or financial loss, or that affects other persons by causing considerable damage. The directive sets a staged timeline: an early warning within 24 hours of becoming aware of the incident, a full incident notification within 72 hours, and a final report within one month.

Make sure these reporting deadlines are built into your business processes, and that the people on call know who notifies whom. A response plan is crucial: you need to know how to act in case of a cybersecurity incident, before one happens.

Did you know?

If you discover that your company’s files have been shared with unauthorized individuals, you can instantly remove sharing for hundreds of thousands of files at once with Florbs.

4. Check the security tools market and invest in specialized tools

The default security settings of the tools organizations use are often insufficient to meet the standards of complex cybersecurity regulations such as NIS2. Investing in security tools also demonstrates your organization’s commitment to compliance and data protection.

Explore the security tools market and choose solutions tailored to the specific software your organization uses. For instance, if your company relies on Google Drive for data storage and collaboration, Florbs offers a specialized tool for file security and access auditing.

Florbs helps safeguard your data by preventing unauthorized access, managing data classification, and providing reporting capabilities.

Data classification: Implement a clear data classification policy for Google Drive files to better protect sensitive information.

Access control: Prevent unauthorized access, enforce a zero-trust policy, and unshare sensitive files following the principle of least privilege.

Cyber hygiene: Apply just-in-time access, ensuring file access is removed as soon as it’s no longer needed.

Supply chain security: Share only essential files with partners and revoke access when it’s no longer necessary.

Risk analysis: Gain full visibility into who has access to your organization’s files.

Compliance reporting: Generate detailed reports on your access management efforts to meet compliance requirements for Google Drive.
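The access-control, cyber-hygiene and supply-chain bullets above, and the step 1 questions about which third parties can reach your data, all come down to one operation: walk the sharing metadata of every file and decide which grants are acceptable. The script below is an added example, not Florbs’ or Google’s code. Its records are constructed and mirror the shape of the Drive v3 API `permissions` resource (`type`, `role`, `emailAddress`, `domain`, `allowFileDiscovery`, `expirationTime`); the `label` field is an assumed data-classification tag that your own process would attach. `INTERNAL_DOMAINS` and `SENSITIVE_LABELS` are assumptions to replace with your own values. It runs offline; against a real tenant you would feed it the output of `files.list(fields="files(id,name,permissions)")`.

```python
"""Audit Google Drive sharing metadata for over-broad and stale external access.

Added example (not Florbs' or Google's code). Input records are constructed
and follow the Drive v3 `permissions` resource shape; `label` is an assumed
classification tag. Nothing here calls Google.
"""
from collections import defaultdict
from dataclasses import dataclass

INTERNAL_DOMAINS = {"example.com"}                      # assumption: your Workspace domain(s)
SENSITIVE_LABELS = {"confidential", "restricted"}       # assumption: your classification labels
EDIT_ROLES = {"writer", "fileOrganizer", "organizer"}   # Drive roles that allow changing a file

# Constructed sample input, not real data.
SAMPLE_FILES = [
    {"id": "f1", "name": "Q3 board deck.pptx", "label": "confidential",
     "permissions": [
         {"id": "p1", "type": "user", "role": "owner", "emailAddress": "cfo@example.com"},
         {"id": "p2", "type": "anyone", "role": "reader", "allowFileDiscovery": False},
     ]},
    {"id": "f2", "name": "Supplier contract.pdf", "label": "restricted",
     "permissions": [
         {"id": "p3", "type": "user", "role": "owner", "emailAddress": "legal@example.com"},
         {"id": "p4", "type": "user", "role": "writer", "emailAddress": "partner@supplier.example"},
         {"id": "p5", "type": "user", "role": "reader", "emailAddress": "auditor@audit.example",
          "expirationTime": "2024-12-31T00:00:00Z"},
     ]},
    {"id": "f3", "name": "Lunch menu.docx", "label": "public",
     "permissions": [
         {"id": "p6", "type": "domain", "role": "reader", "domain": "example.com"},
         {"id": "p7", "type": "anyone", "role": "reader", "allowFileDiscovery": True},
     ]},
]


@dataclass(frozen=True)
class Finding:
    file_id: str
    file_name: str
    permission_id: str
    principal: str
    role: str
    reason: str
    action: str   # one of: revoke, downgrade, set_expiry, review


def principal_of(perm: dict) -> str:
    """Human-readable identity behind a permission entry."""
    if perm["type"] == "anyone":
        return "anyone (discoverable)" if perm.get("allowFileDiscovery") else "anyone with the link"
    if perm["type"] == "domain":
        return "domain:" + perm["domain"]
    return perm.get("emailAddress", "<unknown>")


def is_external(perm: dict) -> bool:
    """True when the grantee is outside INTERNAL_DOMAINS (link shares always are)."""
    if perm["type"] == "anyone":
        return True
    if perm["type"] == "domain":
        return perm["domain"].lower() not in INTERNAL_DOMAINS
    domain = perm.get("emailAddress", "").rsplit("@", 1)[-1].lower()
    return domain not in INTERNAL_DOMAINS


def assess(file: dict, perm: dict):
    """Return (reason, action) for one permission, or None when it is acceptable."""
    if perm["role"] == "owner":
        return None   # ownership changes belong to offboarding, not sharing review
    sensitive = file.get("label", "").lower() in SENSITIVE_LABELS
    if perm["type"] == "anyone":
        if sensitive:
            return "link sharing on a classified file", "revoke"
        if perm.get("allowFileDiscovery"):
            return "file is publicly discoverable (search-indexable)", "review"
        return None
    if perm["type"] == "domain" and not is_external(perm):
        return ("domain-wide share of a classified file", "review") if sensitive else None
    if is_external(perm):
        if perm["role"] in EDIT_ROLES:            # least privilege: partners rarely need write
            return "external party can modify the file", "downgrade"
        if sensitive and "expirationTime" not in perm:   # just-in-time: external access must end
            return "open-ended external access to a classified file", "set_expiry"
    return None


def audit(files) -> list:
    """Evaluate every permission of every file and collect the findings."""
    findings = []
    for f in files:
        for p in f.get("permissions", []):
            verdict = assess(f, p)
            if verdict:
                reason, action = verdict
                findings.append(Finding(f["id"], f["name"], p["id"],
                                        principal_of(p), p["role"], reason, action))
    return findings


def plan(findings) -> dict:
    """Group findings by action into (fileId, permissionId) pairs for the API calls."""
    out = defaultdict(list)
    for fd in findings:
        out[fd.action].append((fd.file_id, fd.permission_id))
    return dict(out)


if __name__ == "__main__":
    for fd in audit(SAMPLE_FILES):
        print(f"{fd.action:10} {fd.file_name!r:26} {fd.principal:24} {fd.role:7} {fd.reason}")
```

The `plan` output maps directly onto the Drive API: `revoke` entries become `permissions.delete(fileId, permissionId)`, `downgrade` becomes `permissions.update` with `role: reader`, and `set_expiry` becomes `permissions.update` with an `expirationTime`. Run the audit on a schedule and diff the findings between runs; a permission that keeps reappearing after revocation is exactly the “unusual file sharing” an incident-response procedure should pick up.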

Investing in the right tools helps your organization stay compliant while maintaining strong data protection practices. Tools support the policies and procedures described above; they do not replace them.
