What does NIS2 introduce
Directive (EU) 2022/2555, also known as "NIS Directive 2", published last December in the Official Journal of the European Union, entered into force on 17 January 2023.
The public and private bodies involved will have to adapt their organizational structure and processes to comply with the new security requirements imposed by the directive.
NIS Directive 2 evolves from Directive (EU) 2016/1148, known as the "NIS Directive", which was transposed into Italian law by Legislative Decree n. 65/2018. The latter represented a first step in European legislation on cyber security. The most innovative element of NIS Directive 2 lies in its field of application: in addition to the sectors already covered by NIS Directive 1, the new rules also extend to a greater number of companies that were previously not included.
Scope of application
The most innovative aspect of NIS Directive 2 is its scope. In addition to the sectors already covered by NIS Directive 1, such as energy, telecommunications, transport, banking and finance, healthcare, etc., the new rules also extend to several other categories of companies not previously included. These include, among others:
- Digital service providers, such as cloud computing platforms, data centers, content delivery network providers, electronic communications services and electronic communications networks;
- Operators in the healthcare sector, including pharmaceutical companies, medical device manufacturers and healthcare providers;
- Companies engaged in the production, processing and distribution of food, including large retailers.
The updated regulatory text also specifies the size of the companies involved. NIS Directive 2 therefore applies to medium and large enterprises in the sectors mentioned, but it may also include small and micro enterprises if they operate in sectors crucial to society. Furthermore, regardless of size, providers of electronic communications services and electronic communications networks, among others, fall within its scope.
The main obligations
- risk analysis and information system security policy;
- incident management systems;
- business continuity systems, such as backup management and disaster recovery, and crisis management;
- supply chain security management measures;
- security in the acquisition, development and maintenance of network and information systems, including the management and disclosure of vulnerabilities;
- basic cyber hygiene practices (i.e., basic rules for ensuring cyber security) and cyber security training;
- policies and procedures to evaluate the effectiveness of cybersecurity risk management measures;
- policies and procedures relating to the use of cryptography and, where appropriate, encryption;
- human resource security measures, access control policies and asset management;
- the use of multifactor authentication (MFA) or continuous authentication solutions, secure voice, video and text communications and secure emergency communication systems within the entity, where appropriate.
The various steps
Our NIS2 compliance checklist will help your organization successfully implement an information security management system involving all the actors concerned, creating a climate of shared responsibility for risk management, for the adoption of the necessary preventive measures and for remediation after cyber attacks:
- Develop a roadmap for the successful implementation of compliance requirements;
- Analyze and evaluate the security risks of information systems through cyber security assessment, penetration test and web application penetration test activities;
- Manage IT security incidents with continuous monitoring and an incident response plan;
- Adopt a business continuity and crisis management plan;
- Ensure the security of the supply chain, checking that your suppliers meet adequate security requirements;
- Regularly test the security of the IT infrastructure and the effectiveness of the risk management measures adopted;
- Launch a cyber training plan to mitigate the risks related to the human factor;
- Implement policies and procedures for the confidentiality of information using encryption tools;
- Initiate access control policies and corporate asset management;
- Introduce secure authentication methods using MFA.
Our methodology
Safecore has developed a holistic approach based on the periodic analysis of the risks arising from the three fundamental components of an organization: PEOPLE, PROCESSES and TECHNOLOGIES.
- implement security policies to protect all personnel, internal and external, involved in the provision of services;
- include security principles in all company processes, in line with "security by design";
- verify the security of all the technologies adopted within the organization, with particular reference to those dedicated to the provision of services.
Why should you choose Safecore
The Safecore team is made up of people who have always been passionate about challenges, especially those related to IT security. The many experiences gained in demanding contexts such as banking and insurance, together with the diversity and strong cohesion of the team, make Safecore an excellent preventive asset.
Over time, the team has acquired strong problem-solving skills and a "think outside the box" mindset, which has proved vital for achieving excellent results.
The Safecore team is highly qualified and holds various recognized certifications, including:
- OSCP (Offensive Security Certified Professional)
- OSWE (Offensive Security Web Expert)
- eWPT (eLearnSecurity Web application Penetration Tester)
- eMAPT (eLearnSecurity Mobile Application Penetration Tester)
- eJPT (eLearnSecurity Junior Penetration Tester)
- eCDFP (eLearnSecurity Certified Digital Forensics Professional)
- ISO 27001 Lead Auditor
- ISO 22301 Lead Auditor
The journey over time with Safecore
Safecore also offers a consultancy service in the subsequent phases, to keep personnel up to date and to maintain the necessary requirements over time.
In particular, Safecore's services include:
- continuous vulnerability assessment services;
- gap analysis and definition of the intervention plan;
- review of the incident response plan and disaster recovery plan;
- continuous consultancy for adaptation to the NIS2 directive;
- drafting of the documentary apparatus;
- risk assessment support for internal and external audits;
- training.
We also assist companies in revising their organization or corporate objectives following the release of new versions of the standard, or in adopting new standards dedicated to specific sectors. Last but not least, we provide support for achieving compliance with standards such as ISO 27001 and ISO 22301.