What’s Going Wrong with NIS 2 Compliance, and How to Put It Right

A “one and done” mindset is not the right fit for regulatory compliance—quite the reverse. Most global regulations require continuous improvement, monitoring, and regular audits and assessments. The EU’s NIS 2 directive is no different.

That’s why many CISOs and compliance leaders will find the latest report from the EU Security Agency (ENISA) interesting reading. ENISA NIS360 2024 outlines six sectors struggling with compliance and points out why, while highlighting how more mature organisations are leading the way. The good news is that organisations already certified to ISO 27001 will find that closing the gaps to NIS 2 compliance is relatively straightforward.

What’s New in NIS 2

NIS 2 is the EU’s attempt to update its flagship digital resilience law for the modern era. Its efforts focus on:

  • Expanding the number of sectors covered by the directive
  • Introducing more concrete baseline cybersecurity requirements
  • Reducing inconsistencies in levels of resilience between different sectors
  • Improving information sharing, incident response and supply chain risk management
  • Holding senior management accountable for any egregious failings

UK organisations will get their own updated version of the original Network and Information Systems (NIS) Directive when the Cyber Security and Resilience Bill finally makes its way into law. However, many provide services to European citizens and/or operate on the continent, meaning they fall within the remit of NIS 2. For these organisations, NIS360 may be a useful read.

Which Sectors Are Struggling?

Of the 22 sectors and sub-sectors studied in the report, six are said to be in the “risk zone” for compliance – that is, the maturity of their risk posture isn’t keeping pace with their criticality. They are:

ICT service management: Although it supports organisations in a similar way to other digital infrastructure, the sector’s maturity is lower. ENISA points out its “lack of standardised processes, consistency and resources” to stay on top of the increasingly complex digital operations it must support. Poor collaboration between cross-border players compounds the problem, as does the “unfamiliarity” of competent authorities (CAs) with the sector.

ENISA urges closer cooperation between CAs and harmonised cross-border supervision, among other things.

Space: The sector is increasingly critical in facilitating a range of services, including phone and internet access, satellite TV and radio broadcasts, land and water resource monitoring, precision farming, remote sensing, management of remote infrastructure, and logistics package tracking. However, as a newly regulated sector, the report notes that it is still in the early stages of aligning with NIS 2’s requirements. A heavy reliance on commercial off-the-shelf (COTS) products, limited investment in cybersecurity and a relatively immature information-sharing posture add to the challenges.

ENISA urges a bigger focus on raising security awareness, improving guidelines for testing of COTS components before deployment, and promoting collaboration within the sector and with other verticals like telecoms.

Public administrations: This is one of the least mature sectors despite its vital role in delivering public services. According to ENISA, there’s no real understanding of the cyber risks and threats it faces or even what is in scope for NIS 2. However, it remains a major target for hacktivists and state-backed threat actors.

ENISA recommends a shared service model with other public entities to optimise resources and enhance security capabilities. It also encourages public administrations to modernise legacy systems, invest in training and use the EU Cyber Solidarity Act to obtain financial support for improving detection, response and remediation.

Maritime: Essential to the economy (it manages 68% of freight) and heavily reliant on technology, the sector is challenged by outdated tech, especially OT.

ENISA claims it could benefit from tailored guidance for implementing robust cybersecurity risk management controls – prioritising secure-by-design principles and proactive vulnerability management in maritime OT. It calls for an EU-level cybersecurity exercise to enhance multi-modal crisis response.

Health: The sector is vital, accounting for 7% of businesses and 8% of employment in the EU. The sensitivity of patient data and the potentially fatal impact of cyber threats mean incident response is critical. However, the diverse range of organisations, devices and technologies within the sector, resource gaps, and outdated practices mean many providers struggle to get beyond basic security. Complex supply chains and legacy IT/OT compound the problem.

ENISA wants to see more guidelines on secure procurement and best practice security, staff training and awareness programmes, and more engagement with collaboration frameworks to build threat detection and response.

Gas: The sector is vulnerable to attack thanks to its reliance on IT systems for control and interconnectivity with other industries like electricity and manufacturing. ENISA says that incident preparedness and response are particularly poor, especially compared to electricity sector peers.

The sector should develop robust, regularly tested incident response plans and improve collaboration with electricity and manufacturing sectors on coordinated cyber defence, shared best practices, and joint exercises.

What Are the Leaders Doing Right?

According to ENISA, the sectors with the highest maturity levels are notable for several reasons:

  • More substantial cybersecurity guidance, potentially including sector-specific legislation or standards
  • Stronger oversight and support from EU authorities familiar with the sector and its challenges
  • Deeper understanding of risk and more effective risk management
  • Stronger collaboration and information sharing among entities and authorities at a national and EU level
  • More mature operational preparedness through well-tested plans

How to Succeed with NIS 2 Compliance

It should be remembered that no two organisations in a specific sector are the same. However, the report’s findings are instructive. And while some of the burden for improving compliance falls on the shoulders of CAs – to improve oversight, guidance and support – a big part of it is about taking a risk-based approach to cyber. This is where standards like ISO 27001 come into their own, adding detail that NIS 2 may lack, according to Jamie Boote, associate principal software security consultant at Black Duck:

“NIS 2 was written at a high level because it had to apply to a broad range of companies and industries, and as such, couldn’t include tailored, prescriptive guidance beyond informing companies of what they had to comply with,” he explains to ISMS.online.

“While NIS 2 tells companies that they must have ‘incident handling’ or ‘basic cyber-hygiene practices and cybersecurity training’, it doesn’t tell them how to build those programmes, write the policy, train personnel, and provide adequate tooling. Bringing in frameworks that go into detail about how to do incident handling, or supply chain security is vitally helpful when unpacking those policy statements into all the elements that make up the people, processes and technology of a cybersecurity programme.”

Chris Henderson, senior director of threat operations at Huntress, agrees there’s a significant overlap between NIS 2 and ISO 27001.

“ISO 27001 covers many of the same governance, risk management and reporting obligations required under NIS 2. If an organisation has already obtained their ISO 27001 standard, they are well positioned to cover the NIS 2 controls as well,” he tells ISMS.online. “One area they will need to enhance is crisis management, as there is no equivalent ISO 27001 control. The reporting obligations for NIS 2 also have specific requirements which will not be immediately met through the implementation of ISO 27001.”

He urges organisations to start by testing out mandatory policy elements from NIS 2 and mapping them to the controls of their chosen framework/standard (e.g. ISO 27001).

“It’s also important to understand gaps in a framework itself because not every framework may provide full coverage of a regulation, and if there are any unmapped regulatory statements left, an additional framework may need to be added,” he adds.

That said, compliance can be a major undertaking.

“Compliance frameworks like NIS 2 and ISO 27001 are large and require a significant amount of work to achieve,” Henderson says. “If you are building a security program from the ground up, it is easy to get analysis paralysis trying to understand where to start.”

This is where third-party solutions, which have already done the mapping work to produce a NIS 2-ready compliance guide, can help.

Morten Mjels, CEO of Green Raven Limited, estimates that ISO 27001 compliance will get organisations about 75% of the way to alignment with NIS 2 requirements.

“Compliance is an ongoing battle with a giant (the regulator) that never tires, never gives up and never gives in,” he tells ISMS.online. “This is why larger companies have entire departments dedicated to ensuring compliance across the board. If your company is not in that position, it is worth consulting with one.”
