When you analyze the purpose of NIS and NIS2, it quickly becomes clear that proactive cyber defense is the goal. This is not unique to NIS: other regulations and compliance frameworks, such as the NIST Cybersecurity Framework and ISO/IEC 27001, likewise call for systematic, risk-based cyber defense.
A systematic, risk-based cyber defense is a proactive cyber defense, and that is where organizations must aim to be today: preventing incidents before they happen by reducing the attack surface and the number of exploitable vulnerabilities.
Accordingly, risk management is an essential component of NIS and NIS2 compliance, providing a systematic and structured approach to identifying, analyzing, and treating the risks to network and information systems. The European Union Agency for Cybersecurity (ENISA) specifically names vulnerability management as one of the ways to improve cybersecurity across the EU member states.
Cyber Security Risk Management Measures
Article 21 of the NIS2 Directive sets out the cybersecurity risk-management measures that essential and important entities must implement. These measures are intended to manage the risks to the security of network and information systems and to prevent or minimize the impact of incidents.
Key points of Article 21
Entities must take appropriate and proportionate technical, operational, and organizational measures to manage the risks to the security of their network and information systems. These measures must ensure a level of security appropriate to the risks posed, taking into account the state of the art, relevant European and international standards where applicable, and the cost of implementation.
Specific measures: