The NIS2 Framework is here: What is it? Do you need it? And how will it improve your cyber posture?


Governance Frameworks - Why are they important? 

Governance is the glue that holds your whole organisation together. Technical controls and processes alone are not enough; without well-defined policies and procedures, they could easily fall apart. Governance frameworks improve organisations' cyber posture, bring new clients to your business and speed up due diligence processes. Although there are many governance frameworks available, it is crucial to focus on those that are sector-specific and mandatory for compliance. 

What is NIS2?

The Network and Information Security Directive (NIS) is European Union (EU) legislation that outlines the legal cyber security framework for essential infrastructure. First introduced in May 2018, the framework has been updated for 2024 to include stricter security requirements and a larger scope of organisations. The NIS regulation requires organisations in scope to ensure that the main requirements are followed and that an annual self-assessment is conducted and provided to the relevant authority.

Organisations in scope are grouped into two categories, important and essential:

Important organisations: 

  • Postal 

  • Waste management 

  • Chemical products 

  • Foods 

  • Production 

  • Digital providers 

  • Research 

Essential organisations: 

  • Energy 

  • Transport 

  • Finance 

  • Health 

  • Drinking and wastewater 

  • Digital infrastructure 

  • Public administration 

As of 17th October 2024, EU organisations that fall under these categories must comply with NIS2 requirements. UK organisations aren’t required to comply unless they have an entity based within the EU.

There are 4 main requirements for the NIS2 framework:

  1. Risk management 

  2. Corporate accountability 

  3. Reporting obligations 

  4. Business continuity 

The table below compares the compliance coverage of Cyber Essentials, IASME and ISO27001. Any business that is already IASME or ISO27001 compliant will have already covered a large portion of the NIS2 framework requirements:

NIS2 Framework Compliancy Chart

To implement NIS2, adopting IASME Cyber Assured would provide a solid foundation for these measures. However, it is important to note that the two are not directly equivalent and additional work will need to be done. PureCyber’s subscription services can help with these areas by guiding your business through IASME Cyber Assured and mapping that across to NIS2.

Implementing IASME Cyber Assured will cover risk management, incident management, business continuity, and security policies, meaning a large portion of NIS2 requirements are already accounted for. Working towards IASME Cyber Assured to achieve NIS2 is very feasible and a good path to take towards implementation.

What is the CAF Framework?

In the UK, organisations are to be guided by the National Cyber Security Centre’s (NCSC) Cyber Assessment Framework (CAF) but are not required to be assessed against it. The CAF was developed to help support the implementation of the NIS framework.

The CAF includes 4 main objectives:

  1. Managing security risk 

  2. Protecting against cyber attack 

  3. Detecting cyber security events 

  4. Minimising the impact of cyber security incidents

These 4 objectives are split into 14 principles, which need to be met in order to gain compliance (see table below):

CAF Framework Compliancy Chart

Implementation 

PureCyber, as a long-standing certification body for the Cyber Essentials Standard, Cyber Essentials Plus and IASME Cyber Assurance accreditation, with consultants qualified as ISO27001 Lead Auditors and ISO27001 Lead Implementers, has a history of working closely with customers to help them achieve various governance standards. For any help or guidance needed to achieve NIS2, feel free to get in touch with info@purecyber.com.

How can PureCyber Help?

Our dedicated team of cyber security and compliance experts are available to help secure your organisation and provide a bespoke, tailor-made cyber security service. Our service subscriptions offer a range of cyber security solutions for organisations of all sizes and scopes.

PureCyber is recognised as an Assured Service Provider by the NCSC to offer governance and compliance consultancy services and audits. Contact our team of compliance experts to enquire about your organisation’s standing today and gain an insight into the services we can offer, from advising on Cyber Essentials to ISO27001, FISMA, SOC1 and SOC2 standards.

Need a refresh? No matter what level of cyber security knowledge you have, it is always valuable to refresh your understanding of terms, topics and techniques. Our PureCyber glossary of terms is the perfect place to brush up on your understanding.
