NIS2, a directive that aims to increase cybersecurity across EU member states, comes into effect on 17 October 2024. This means that many European companies will be subject to new European legislation on cyber and information security next year. Companies that supply to the EU might also be indirectly affected. ISO 27001, an international standard, helps companies to fulfil the requirements of the NIS2.
If your company already has an ISO 27001 certification, NIS2 compliance is within reach. If it does not yet have an ISMS, it may be worthwhile to get a head start. It is also important to realise that even if your organisation is not directly subject to NIS2, it may still be indirectly affected by the legislation, e.g. as a supplier to organisations covered by the directive. Compliance may therefore be necessary. This point is especially relevant to companies that supply to the EU from the outside, such as British or American companies.
Understanding the connection between NIS2 and ISO 27001 makes compliance with the requirements easier. In addition, it ensures that future demands can be met competently.
The Interplay Between NIS2 and ISO 27001
For many organisations and companies, NIS2 brings with it a new way of working with risk management, security incident reporting, information sharing and auditing, as well as new requirements for information security policies and risk analysis. ISO 27001 can help your organisation get the necessary overview, and with an ISO 27001 certification, you will already have achieved compliance with several of the new requirements in NIS2.
In short, NIS2 sets the framework for what your organisation needs to do, while ISO 27001 provides the tools and processes needed to meet the requirements. At the same time, ISO 27001 allows organisations that are not directly subject to NIS2 to prepare for future requirements and expectations from customers and partners. In addition, an ISO 27001 certification is valid internationally, and as such improves even the parts of the organisation that are not related to the EU.
ISO 27001 certification does not automatically ensure compliance with NIS2. But it does mean that your organisation is well on its way.
Compliance with the NIS2 directive
Becoming NIS2 compliant may feel like a daunting task. But an ISO 27001 certification smooths out the transition process. To start the transition process, there are a couple of steps your organisation can take.
First and foremost, your organisation needs a maturity assessment to determine its current state. Which aspects require a complete restructuring, and which may serve as a stable foundation in the future? The assessment can also clarify what resources and competences are needed to complete the implementation.
Next, you need to implement a cyber and information security management system, and this is where the strength of ISO 27001 becomes apparent. The standard offers an effective governance framework for establishing an ISMS for cyber and information security. Also, both the standard and NIS2 emphasise management-led governance.
It’s important to keep in mind that you won’t achieve compliance overnight. It's a long process, which is why it's recommended to start now so that you're ready when the directive comes into force. Finally, it is also essential to remember that one of the main points of NIS2 is that cybersecurity is ever-changing, and therefore the risk landscape will continue to change, meaning that organisations need to regularly review processes and policies to ensure they remain relevant.