To help achieve a higher level of cybersecurity for network and information systems in organizations, the European Parliament established the Network and Information Systems Directive (NIS) in July 2016.
The directive laid a framework for cybersecurity capabilities across member states, building important safeguards into the operations of vital services. Unfortunately, many of the participating nations implemented those safeguards in different ways, or to varying degrees. With the rapidly changing cybersecurity landscape, it became apparent that more was needed.
Enter NIS2.
NIS2 was introduced in 2020 and comes into effect on January 16, 2024. It expands the original scope from seven essential services to include three more, as well as seven important entities alongside them. It tightens expectations, removing some of the original ambiguity around application, and gives the directive teeth in the form of significant fines and sanctions.
Impacted organizations have until October 17, 2024, to comply with the directive.
Industries and entities impacted by NIS2
To safeguard the most vital operations of the European Union against malicious technological threats, the NIS2 Directive now includes the following under essential services:
- Transport
- Banking
- Energy
- Financial markets
- Healthcare
- Digital infrastructure
- Drinking water
- Public administration
- Space
- Wastewater
Added to this are important entities, whose reporting and monitoring conditions are more self-governing, but no less stringent:
- Digital providers
- Research
- Food production, processing, and distribution
- Chemicals manufacture, production, and distribution
- Post and couriers
- Manufacturing
- Waste management
This list isn’t the full extent of NIS2’s impact. Part of the obligation on affected industries and services is the security of their supply chain. That means suppliers and contractors providing resources to those essential operations also have obligations to meet minimum cybersecurity measures, or they risk losing business.
Even those who aren’t directly engaged in essential and important industries will need to make improvements related to their risk management in order to maintain market share.
Taking the first steps
Risk management and compliance shouldn’t be anything new to businesses operating in today’s environment. While NIS2 sets a high bar for effective cybersecurity, the approach any organization takes should be a familiar one. It starts with identifying risks and establishing mitigations where possible. At its heart, this is a process exercise and the kind of challenge that the Nintex Process Platform is designed to meet.
By mapping and documenting your key cybersecurity processes, and the business practices most exposed to risks in that area, you can immediately identify where there may be compliance issues. This could relate to suppliers, internal systems, or existing procedures. With the processes clearly laid out, those risks can be documented and acted upon.
Of course, not every risk can be eliminated. Something as simple as a human operator in a process can introduce risk, from susceptibility to phishing attacks to deliberate acts of sabotage. Risk management is about controlling those risks. Alongside the processes that govern key activities should be risk management checkpoints to ensure compliance at every step.
With the Nintex Process Platform, RPA workflows can automate these processes, providing data validation or triggering signoff requests as procedures are executed. This creates both a compliant paper trail of actions and safety checks and balances for essential activities.
Ongoing vigilance
Recent years have shown us that cyber-activity is becoming ever more sophisticated. Even the largest organizations aren’t immune to breaches or breakdowns instigated by digital disruptors.
Implementing risk management processes is essential under NIS2, but businesses also need to incorporate rapid reporting when things go awry. Essential and important services are expected to give initial reports of any incident with ‘significant impact’ within 24 hours, and a full notification report within 72 hours of the event.
Reporting processes should be clear and easy to access for all major risk activities and areas. A feature of the Nintex Process Platform is the ability to link processes to one another, ensuring reporting procedures, documentation, and key reference materials are embedded and readily available within any related process.
Should a breakdown or exception occur, the information about what to do is right on hand, allowing key stakeholders to quickly identify actions to be taken. Teams are directed to the appropriate steps and proper protocols that mitigate the impact as much as possible, and the alarm is sounded with the appropriate people.
Risk management processes also incorporate regular signoffs to ensure that the measures in place remain up to date and effective. When those signoffs come due, stakeholders and the nominated risk managers are contacted directly with links to the relevant process documentation, allowing them to be proactive in keeping controls up to date.
Let Nintex Process Manager set your team up for NIS2 success
While effective businesses will already have a risk management plan in place, the requirements of NIS2 make it essential for all organizations to prioritize compliance. Identifying the key areas of exposure as outlined in the directive, and establishing effective processes to manage and mitigate those risks, can be a time-consuming and challenging task.
Nintex Process Manager has the capability to manage and centralize policies, processes and procedures. It identifies clear roles and responsibilities, from overall governance responsibility down to ownership of standard operating procedures.
- Process Manager not only presents an easy-to-understand process map focused on the expected outcome; it also brings all the required information together in a centralized one-stop shop, accessible by everyone. This includes documents, videos, screenshots, and links to other resources.
- Real-time notification of all involved stakeholders is key. Process Manager ensures that stakeholders are informed of changes as they occur. This is supported by a change log and reporting to match audit requirements.
- Process Manager delivers the single source of truth for all employees (also available via a mobile app) and is a reliable baseline to raise awareness and train teams on standardized, repeatable processes. This will ensure that all employees are well informed of all relevant security processes.
- The availability of the risk and improvement modules in Process Manager creates a strong handshake between operational process management and risk and compliance management. All identified risk and compliance requirements can be linked to an activity within the process. This will adjudicate the process user and link the risk and compliance manager to the specific process as a stakeholder. These risk and compliance requirements can be assigned to people in the organization for regular signoff, giving leadership teams the confidence that risk and compliance scenarios are identified and mitigated. (The Process Manager risk module is based on ISO 31000.)
- If incidents need to be addressed, the improvement module can help to manage these and guide them through the built-in, action-generated workflow. Process Manager has a built-in database to record the details, including APIs for seamless reporting.
- Basic cyber hygiene practices and cybersecurity training can be managed in the Process Manager training module. Sessions can be scheduled for those roles that need training, with the option to schedule training as a recurring event. Related training evidence like certificates can also be stored and managed within Process Manager.
Your organization can reduce the burden of NIS2 compliance by employing a purpose-built tool like the Nintex Process Platform to incorporate dynamic risk management and reporting with your business processes. By making risk management part of your commitment to process excellence, you’ll be ready for October 2024 and the ever-changing digital landscape.