NIS 2: 5 Challenges Your Organisation Must Overcome to Achieve Compliance

Every organisation striving for NIS 2 compliance will have its own journey based on its current cybersecurity maturity level, risk management, and what constitutes “appropriate and proportionate” for their specific business model.

With that said, some areas of the Directive are likely to pose challenges for the majority of affected organisations, regardless of their current level of cybersecurity maturity and use of best practice frameworks. 

Keep reading to learn more about the most common “heavy lifts” for NIS 2 compliance and examine how your organisation might overcome them.

For more on the impact of NIS 2 on your business, download our full guide.

1. Leadership

NIS 2 includes requirements that go far beyond “IT stuff” to span the entire organisation, including HR, procurement, legal, and more. It’s likely that personnel in these non-security, non-IT departments will not be accustomed to being heavily affected by a piece of cybersecurity legislation.

There are at least three ways an organisation’s leadership can help facilitate the process of reaching and maintaining compliance with NIS 2:

Understand That Nobody Will Focus on Compliance Without an Incentive

A typical employee already has more work than they can realistically do. If employees haven’t historically been involved with compliance initiatives, they will likely see NIS 2 as beyond the scope of their role.

Identifying and consistently applying incentives is crucial to obtaining engagement from those employees and departments that will be joining your compliance initiative for the first time. Further, the establishment of a “tone at the top” by senior management will help reinforce the importance and organisational need for risk management, which should lead to greater employee engagement.

Listen to Feedback

It’s easy to imagine that the compliance process will follow a simple and uninterrupted path… but that’s almost never the case. Every organisation has its own way of doing things, and the approaches and policies prescribed by best practice frameworks (e.g., ISO 27001) may not fit perfectly into your organisation's context.

In almost all cases, this issue can be overcome by adapting controls, policies, and processes to fit your organisation. However, for this to be possible, leaders must be willing to solicit feedback from across the organisation and consider it. A collaborative approach is crucial to any organisation’s ability to reach NIS 2 compliance ahead of the enforcement date—and trying to force departments into approaches that don’t make sense in your business context is a recipe for disaster.

Consider a Risk Amnesty

The risk management requirements of NIS 2 are likely to be among the heaviest lifts for many organisations. Given the Directive’s influence on business functions that haven’t historically been involved with cybersecurity compliance, new and previously unexplored risks are likely to be unearthed.

Coming forward with newly identified security risks is never an enjoyable experience. Many employees have been conditioned to keep quiet about risks for fear of reprisal. If this is allowed to continue, there is a good chance that your organisation will ultimately fall foul of NIS 2 and face the prospect of serious sanctions.

To avoid this, leaders might consider a risk amnesty, where employees can highlight risks in their area of responsibility without fear of reprisal.

2. Risk Management

NIS 2 requires affected organisations to implement risk analysis and assess the effectiveness of risk management measures in the context of the organisation’s security.

Implementing a comprehensive and provable risk management framework is a significant undertaking. It will require organisations to implement a range of risk management policies, identify risk owners, define nomenclature, and ensure consistency in risk definition, analysis, and reporting.

Getting this right requires a best practice approach—as recommended by ISO—but it also requires input from across the entire organisation. While CROs and risk teams are the experts in risk measurement and management, they aren’t always the experts in what constitutes a risk.

Realistically, risks can only be identified by members of the department or function they relate to. As a result, while an organisation’s risk management function will naturally be led by its risk experts, it will need to engage with the entire organisation to identify, understand, and assess the full range of security risks as required by NIS 2. For example, these could include risks in areas such as:

• Procurement of new IT systems or technologies.

• HR and hiring processes and their interaction with access provision.

• Business continuity planning and disaster recovery.

To achieve this, the risk team and/or CRO must educate personnel from all relevant parts of the organisation to ensure consistent application of terminology, scoring methods, and taxonomy.

3. Reporting

Don’t be fooled by the seemingly simple nature of NIS 2’s reporting requirements. Providing meaningful incident reports within 24 and 72 hours is far from easy. It requires excellent and repeatable internal processes and governance to achieve reliably and consistently—and failing to meet these requirements could result in serious sanctions against your organisation.

If your organisation cannot currently report incidents within the timeline specified by NIS 2, achieving this capability will be among the heaviest lifts required to reach NIS 2 compliance. At a minimum, your organisation will need to be able to:

• Detect incidents in a timely manner.

• Determine if they meet the NIS 2 threshold of a significant incident.

• Understand enough about an incident to provide a meaningful early warning report.

• Analyse the incident in detail to provide an initial assessment within 72 hours.

• Comprehensively understand and resolve the incident, implement any additional controls required, and produce a thorough final report within 30 days.

Regardless of how mature your organisation’s cybersecurity program currently is, it’s likely that achieving these capabilities will be a tough task. Carrying out simulations of incident reporting processes is a good way to identify any gaps present within your organisation.

4. Supply Chain Security

Supply chain security has been the darling of cybersecurity regulators in recent years—and for good reason. Many of the high profile breaches making headlines were caused or exacerbated by supply chain attacks.

The NIS Directive made no direct reference to supply chain security, and beyond the basics, it’s not an area of security that’s typically done well. There are several reasons for this:

• It’s hard to do well.

• It spans multiple departments and can’t be handled by IT and security teams in isolation.

• It requires adjustments to long-established processes like procurement and joint ventures.

If your organisation currently has no formal supply chain security function, achieving this part of NIS 2 compliance will likely be arduous and time consuming. There are several well-regarded standards for supply chain security that you might consider using, including ISO 27036 and Compliance Forge’s Cybersecurity Supply Chain Risk Management (C-SCRM) framework.

5. Technical Controls

NIS 2 specifically calls out multi-factor authentication (MFA) and cryptography as technical measures, with the caveat that all controls should be appropriate and proportionate to your situation. While most organisations with a somewhat mature cybersecurity function are likely to be experienced in implementing new technical controls, it can take time to do so properly.

Book a demo with our team and see how Drata’s continuous compliance platform can help you achieve NIS 2 compliance while reducing operational overheads.