New research: Getting NIS2 ready
The European wide directive Network and Information Security 2 (NIS2) comes into effect on 17 October, with the aim of strengthening Europe’s ability to collectively defend against cyber-attacks and protect the region’s critical infrastructure.
This new directive will impact upwards of 180,000 organizations, from healthcare and transport, to manufacturing and supply chain. Most organizations are aware of NIS2 and what it aims to achieve (as well as the costs), but research from IDC has shown that only 14% of organizations are fully ready for NIS2. The majority, at 77%, are partially there.
With so few organizations across the NIS2 finish line and the official deadline for compliance fast approaching, I wanted to share some of the findings from this research, and how you can move your organization’s transformation efforts forward.
NIS2 Capable
IDC has found that over 90% of organizations impacted by NIS2 are aware of it and have taken first steps in taking action to align with the directive.
About one in five (17%) are categorized as IDC as being NIS2 ‘capable.’
Organizations at this level of readiness have a long way to go however, with the need for many to implement all necessary compliance procedures and policies.
Let’s take incident handling as an example, which is a key requirement of NIS2. With large organizations often being the target of multiple, complex cyberattacks, the rapid co-ordination of multiple stakeholders and timely reporting of incidents is what allows for quicker response and recovery, as well as minimizing the impact on essential services and the wider economy. Having robust technical protection will clearly help but organizations also need to think through the complete response to a security incident.
Technologies like Microsoft Defender and Microsoft Sentinel will help security teams handle incidents with a real time, comprehensive view of security issues. But the work on becoming NIS2 ready relies on an organization’s ability to create a fully robust set of compliance procedures and policies that engage the board and wider organization. This is what ensures that everyone is on board with how to respond to a security incident and how to keep the business going with a minimal impact on operations.
NIS2 Equipped
The next level of readiness IDC identified was NIS2 ‘equipped.’ About one-third (33%) of organizations fall into this category, and are characterized as being able to address most NIS2 requirements.
The way to move beyond this level of readiness is to conduct a gap analysis of your security measures, and also what’s needed to meet NIS2 requirements or security standards such as ISO 27001.
Let’s consider supply chain security as an example, which is another key NIS2 requirement. When organizations enhance the security and resilience of their own organizations, cyber-criminals will look for other routes to compromise security via weaknesses in an organization’s supply chain.
Addressing supply chain vulnerabilities is key to ensuring your own assets remain secure. Microsoft tools like Compliance Monitoring, Security Posture Management and Conditional Access Policies can help you control and manage the external access of organizational assets and customer tenants, but your security will still be dependent on your ability to identify gaps and challenges in your security posture.
All organizations impacted by NIS2 should be in the process of identifying the challenges they have and develop action plans now.
Are you NIS2 ready?
According to the IDC, organizations at the ready level for NIS2 (14%) exhibit the highest degree of preparedness for incident handling, have business continuity measures in place and deploy robust technology to ensure supply chain security and advanced encryption or cryptography.
At Microsoft, we stand ready to help organizations of all kinds use NIS2 as an opportunity to advance their cybersecurity posture. Our unique perspective in the security market and comprehensive suite of secure cloud-based solutions can help you identify, prevent, and mitigate against the cyberthreats we are facing today and in the future.
Source: IDC Infobrief, Sponsored by Microsoft, NIS2 Readiness: A Guide for Organizations in Europe, #EUR252440224, July 2024