22 October 2024
The new EU Network and Information Security Directive, or NIS-2, requires entities operating in critical sectors to implement appropriate security measures in order to minimize risks to their systems. Failure to comply with these requirements carries a variety of negative consequences, among them financial penalties, cybersecurity risks, and problems in business relations. TÜV SÜD helps organizations to achieve NIS-2 compliance and develop strategic, tailored, and continuous cybersecurity programs. Even companies which do not fall under the provisions of NIS-2 can improve their cyber-resilience.
“NIS-2 is the most pressing cybersecurity topic of the year. But it is not always easy to ascertain whether an organization meets the requirements,” warns Sudhir Ethiraj, Global Head of Cybersecurity Office (CSO) and CEO Business Unit Cybersecurity Services at TÜV SÜD. “As an independent and impartial partner, TÜV SÜD helps organizations to understand and implement the provisions of the Directive. Entities seeking to improve their overall cyber-resilience as well as achieve NIS-2 compliance can benefit from our support in four areas.”
Risk assessments and gap analyses to establish the status quo
Risk assessments and gap analyses reveal weaknesses in an organization's existing cybersecurity measures, paying special attention to incident response, general risk management, and supply chain security, all of which are accorded particular relevance under NIS-2. Organizations can apply these tools to assess their level of cyber-risk.
Development of guidelines and processes
Defining relevant organization-specific guidelines provides the basis for all further actions, including the development of emergency plans and of measures for securing supply chains that enable a fast, effective response in the event of an incident, while the necessary financial, HR, and technical resources are taken into account throughout.
Internal audits
Internal audits allow implemented measures to be monitored regularly, including their supply-chain-related impacts. Gaps and vulnerabilities discovered during audits and incident reviews must be remedied immediately, and the resulting feedback used to improve the organization-specific guidelines and processes, driving continuous improvement in a constantly evolving landscape of cyber threats.
Training
Human error has been identified as the main gateway for cybercriminals. Given this, it is vital to ensure that employees receive ongoing training, including on the organization’s own guidelines developed to achieve NIS-2 compliance. Offering regular training is also a way of bringing supply chain partners on board. In addition, NIS-2 requires management-level employees to familiarize themselves with risk management in the area of IT security.
More information:
- NIS-2 risk assessments and gap analyses
- Training offering TÜV SÜD Academy
- NIS-2 training for management level (website only available in German)
Press contact: Laura Albrecht