Back to all posts
How vulnerability management helps comply with NIS2

Systematic & risk-based = proactive cyber defense  

When analyzing the key purpose of NIS and NIS2, you will soon understand that a proactive cyber defense is important. This is not exclusive to NIS. Looking at other regulations and compliance, like the NIST framework and ISO 27001, systematic and risk-based cyber defense is vital. 

A systematic and risk-based cyber defense equals a proactive cyber defense, and this is where organizations must strive to be today; to prevent incidents before they even happen by minimizing attack surface and vulnerabilities. 

Risk management – an essential component of NIS2 

Accordingly, risk management is an essential component of NIS and NIS2 compliance, providing a systematic and structured approach to identifying, analyzing, and managing risks associated with IT infrastructure. The European Union Agency for Cybersecurity (ENISA) specifically mentions vulnerability management as one of the ways to improve cyber security in the EU member states.  

Article 21: cyber security risk management measures  

Cyber Security Risk Management Measures Article 21 of the NIS2 Directive focuses on cyber security risk management measures that essential and important entities must implement. These measures are designed to manage risks to the security of network and information systems and to minimize the impact of incidents.

Key points of Article 21 

Entities must take "appropriate and proportionate" technical, operational, and organizational measures to manage the risks to their network and information systems. These measures should ensure a level of security appropriate to the risks posed and should take into account the state-of-the-art, relevant standards and the cost of implementation. 

Specific measures: 

  • Policies on risk analysis and information system security
    Implement policies for regular risk analysis and maintaining information system security. 
  • Incident handling
    Develop and maintain incident handling processes. 
  • Business continuity and crisis management
    Ensure plans for backup management, disaster recovery, and crisis management. 
  • Supply chain security
    Address security-related aspects in relationships with direct suppliers and service providers. 
  • System acquisition, development, and maintenance
    Implement secure development procedures and vulnerability handling. 
  • Effectiveness assessment
    Regularly assess the effectiveness of cyber security risk management measures. 
  • Basic cyber hygiene and training
    Promote basic cyber hygiene practices and provide cyber security training. 
  • Cryptography
    Use cryptography and encryption where appropriate. 
  • Human resources security
    Implement access control policies and manage assets securely. 

  • Multi-factor authentication
    Use multi-factor authentication and secure communication methods within the entity. 

This is how we help your organization comply with NIS2

NIS 2

 

Download our NIS2 reference guide