Systematic & risk-based = proactive cyber defense
The stated purpose of NIS and NIS2 makes clear that a proactive cyber defense is required. This is not unique to NIS: other frameworks and standards, such as the NIST Cybersecurity Framework and ISO 27001, likewise treat a systematic, risk-based cyber defense as fundamental.
A systematic and risk-based cyber defense is a proactive cyber defense, and that is where organizations need to be today: preventing incidents before they happen by reducing the attack surface and remediating vulnerabilities.
Risk management – an essential component of NIS2
Risk management is therefore an essential component of NIS and NIS2 compliance, providing a systematic and structured approach to identifying, analyzing, and managing risks to network and information systems. The European Union Agency for Cybersecurity (ENISA) specifically names vulnerability management as one of the ways to improve cyber security in the EU member states.
Article 21: cyber security risk management measures
Article 21 of the NIS2 Directive sets out the cyber security risk management measures that essential and important entities must implement. These measures are intended to manage risks to the security of network and information systems and to prevent or minimize the impact of incidents.
Key points of Article 21
Entities must take "appropriate and proportionate" technical, operational, and organizational measures to manage the risks to the security of their network and information systems. These measures must ensure a level of security appropriate to the risks posed, taking into account the state of the art, relevant European and international standards where applicable, and the cost of implementation.
Specific measures:
- Policies on risk analysis and information system security
Implement policies for regular risk analysis and maintaining information system security.
- Incident handling
Develop and maintain incident handling processes.
- Business continuity and crisis management
Ensure plans for backup management, disaster recovery, and crisis management.
- Supply chain security
Address security-related aspects in relationships with direct suppliers and service providers.
- Security in system acquisition, development, and maintenance
Implement secure development procedures, including vulnerability handling and disclosure.
- Effectiveness assessment
Regularly assess the effectiveness of cyber security risk management measures.
- Basic cyber hygiene and training
Promote basic cyber hygiene practices and provide cyber security training.
- Cryptography
Maintain policies and procedures on the use of cryptography and, where appropriate, encryption.
- Human resources security, access control, and asset management
Implement human resources security, access control policies, and asset management.
- Multi-factor authentication and secured communications
Use multi-factor or continuous authentication, secured voice, video, and text communications, and secured emergency communication systems within the entity, where appropriate.
Stefan Thelberg
Founder and CEO of Holm Security. Stefan is one of Sweden's most prominent cyber security entrepreneurs. With nearly 25 years of experience, he is a seasoned professional.