Learn how the synergy between CIS18 and NIS2 can create a robust and holistic cybersecurity strategy for your organization.
CIS18 and NIS2 - how do they work together?


Cybersecurity is a strategic requirement for both large and small organizations, and with the NIS2 directive's transposition deadline of 17 October 2024, the legal requirements for cybersecurity have increased significantly. CIS18 (the CIS Critical Security Controls, version 8) can serve as a practical framework to structure cybersecurity efforts and help your organization meet several of the directive's technical requirements.

Be aware that even organizations not directly covered by NIS2 can be affected by its requirements, for example as a supplier to entities that must comply with the directive: NIS2 obliges those entities to manage the security of their supply chain, and they will pass requirements on to their vendors in contracts and questionnaires.

The interaction between CIS18 and NIS2

What does CIS18 mean?

CIS18 is the common name for the CIS Critical Security Controls, developed and maintained by the Center for Internet Security (CIS). Version 8 consists of 18 controls, broken down into 153 safeguards, that address the most common attack techniques. The safeguards are grouped into three Implementation Groups (IG1 to IG3), so an organization can start with IG1, which CIS describes as essential cyber hygiene, and grow into IG2 and IG3 as its risk profile and resources allow.

CIS18 is a voluntary standard that serves as a set of prioritized recommendations for organizations looking to strengthen cybersecurity. The 18 controls cover, among other things, asset and software inventory, data protection, secure configuration, account and access control management, vulnerability management, audit log management, network monitoring, security awareness training, service provider management, incident response and penetration testing, and they provide a clear guide on how to identify, prioritize, and implement effective security measures.

What does NIS2 mean? 

The NIS2 Directive (Directive (EU) 2022/2555) replaces the EU's original NIS Directive from 2016, and its purpose is to raise a common level of cybersecurity across the member states. The directive targets "essential" and "important" entities in sectors such as energy, health, transport, banking, digital infrastructure and public administration, and requires them to manage the risks to the network and information systems they use to deliver their services.

The directive focuses on governance and accountability. Article 21 requires technical, operational and organizational risk management measures, including risk analysis and information system security policies, incident handling, business continuity and backup, supply chain security, vulnerability handling, basic cyber hygiene and training, cryptography, access control and multi-factor authentication, and procedures for assessing the effectiveness of these measures. Article 23 adds incident reporting duties (an early warning within 24 hours of becoming aware of a significant incident, a notification within 72 hours and a final report within one month), and Article 20 places responsibility for approving and overseeing the measures on the entity's management body. NIS2 thus demands a systematic approach to protecting both critical functions and data from cyber threats.

This is how CIS18 supports NIS2 compliance

CIS18 serves as a practical framework to help your organization implement many of the technical measures needed to meet the requirements of the NIS2 directive. While NIS2 describes what organizations must achieve in order to comply, CIS18 offers a structured, prioritized approach to how to strengthen cybersecurity in practice.

The 18 controls in CIS18 map well onto the measures listed in Article 21 of NIS2, for example:

  • Incident handling maps to Control 17 (Incident Response Management).
  • Business continuity and backup maps to Control 11 (Data Recovery).
  • Supply chain security maps to Control 15 (Service Provider Management).
  • Vulnerability handling maps to Control 7 (Continuous Vulnerability Management) and Control 16 (Application Software Security).
  • Cyber hygiene and training maps to Control 14 (Security Awareness and Skills Training).
  • Cryptography maps to Control 3 (Data Protection).
  • Access control, asset management and multi-factor authentication map to Controls 1, 2, 5 and 6 (asset and software inventory, Account Management and Access Control Management).
  • Assessing the effectiveness of measures is supported by Control 8 (Audit Log Management), Control 13 (Network Monitoring and Defense) and Control 18 (Penetration Testing).

The controls can be integrated into your organization's processes to improve security and support key requirements of NIS2. In addition, CIS18 is particularly valuable for building the operational foundation for compliance, because its Implementation Groups offer a scalable approach to implementing technical security measures in an order that reflects risk.

However, NIS2's requirements extend beyond the technical level to include organizational, legal and strategic elements such as management accountability and incident reporting, which a control catalogue like CIS18 does not address. To build a bridge between the technical controls of CIS18 and the more comprehensive requirements of NIS2, a management system standard such as ISO/IEC 27001 can complement the work. ISO/IEC 27001 provides a framework for information security management that focuses on governance, risk assessment and treatment, and continual improvement, which supports a holistic approach to NIS2 compliance.

Integrating CIS18 and NIS2 in practice

In order to optimize cybersecurity and work towards NIS2 compliance, organizations can take the steps below. Bear in mind that NIS2 includes requirements for management accountability, incident reporting to the authorities and compliance documentation, which go beyond the technical focus of CIS18. As a result, CIS18 works best as one component of a broader strategy that also covers legal and organizational elements.

1) Conduct a maturity assessment

Before your organization starts using CIS18 to work towards NIS2, it is important to understand the current level of cybersecurity. A maturity assessment involves:

  • Surveying existing security measures and identifying gaps in relation to the NIS2 requirements, in particular the Article 21 measures.
  • Evaluating the organization's current implementation of the CIS18 safeguards, starting with IG1, across technical, operational and organizational measures.
  • Prioritizing the gaps to close based on the risks and requirements most relevant to the organization's sector, size and critical functions.

2) Implement CIS18 as a framework

CIS18 can act as a technical framework for strengthening cybersecurity, but should be integrated into a broader strategy. Implementing CIS18 involves:

  • Selecting the CIS18 safeguards that best support the organization's needs. The IG1 safeguards, and in particular the controls for asset inventory, access control, audit logging and incident response, are a sensible priority in the early phases.
  • Integrating the selected controls into the organization's workflows and technology infrastructure, so that they not only support regulatory compliance but also improve day-to-day security.
  • Treating CIS18 as an ongoing process in which the controls are continuously measured, refined and adapted in response to emerging threats.

3) Monitor and adapt

Cybersecurity and compliance with NIS2 is a dynamic process, and organizations should therefore establish:

  • Monitoring mechanisms that continuously evaluate the effectiveness of security measures, for example centralized log collection and network monitoring (CIS Controls 8 and 13), regular vulnerability scanning (Control 7) and periodic penetration tests and security audits (Control 18).
  • Ongoing risk assessments to identify new threats or vulnerabilities and update security measures accordingly.
  • Documentation of updates and adjustments, so that the organization can always demonstrate compliance to the supervisory authorities.

4) Integrate compliance into governance

A long-term and sustainable cybersecurity strategy must be integrated into the organization's governance structure through:

  • Management involvement in the cybersecurity strategy, with the board and senior management regularly informed of status and progress. Under NIS2 the management body must approve and oversee the risk management measures and undergo cybersecurity training, and it can be held liable for breaches.
  • Clear policies and procedures that link NIS2's compliance requirements to the organization's overall business objectives.
  • A cybersecurity culture within the organization, built through education and awareness, so that employees at all levels understand their role in maintaining security.

Holistic cybersecurity

Cybersecurity is an issue affecting all organizations, large or small. Combining CIS18's practical controls with NIS2's regulatory requirements can result in a strategy that both protects against threats and gives customers, partners and supervisory authorities evidence that the protection is in place.

Making cybersecurity part of your company's DNA increases both resilience to threats and trust from customers and partners. As a result, cybersecurity becomes more than just compliance: it becomes a strategic advantage that strengthens the organization's competitiveness.
