
NIS2 preparation, GDPR and cybersecurity compliance

The NIS2 directive raises the cyber-resilience requirements for many organisations and their suppliers. We independently map out where you stand on risk management, incident response, continuity, supply chain security and the reporting obligation, and how to make that demonstrable. An ISO 27001-compliant management system already covers a large part of the NIS2 duty of care, so you can often build on what is in place. You receive a clear gap analysis and a practical roadmap towards compliance.

What does NIS2 require?

NIS2 requires risk-based information security measures, incident handling with a reporting obligation, business continuity, supply chain security and board accountability. A large part of this overlaps with ISO 27001.

Who does it apply to?

To medium-sized and large organisations in essential and important sectors (energy, transport, healthcare, digital infrastructure, government and more) and their important suppliers.

Our approach

  1. Determine whether and how NIS2 applies to you.
  2. Risk-based baseline assessment (duty of care).
  3. Set up the reporting process and governance.
  4. Assess supply chain security.
  5. Roadmap and improvement plan.

ISO 27001 as a head start

Those who already have an ISMS are well ahead. Read more about ISO 27001 and NIS2, and how privacy ties in with the GDPR via ISO 27701.

European Commission — NIS2 directive (official source).

Frequently asked questions

Short, direct answers — written for people and for AI search features alike.

What is NIS2?

NIS2 (Directive (EU) 2022/2555) is a European directive that tightens the cyber-resilience requirements for a broad group of organisations in essential and important sectors. Among other things, it requires risk-based security measures, incident reporting, continuity measures, supply chain security and board involvement. NIS2 replaces and broadens the earlier NIS directive.

Does ISO 27001 certification mean we comply with NIS2?

Not automatically. ISO 27001 covers a large part of the NIS2 duty of care, because both revolve around risk-based information security. NIS2 additionally requires specific attention to the incident reporting obligation, board accountability and supply chain security. An ISMS is therefore a strong foundation, but not a full guarantee.

Who does NIS2 apply to?

NIS2 applies to medium-sized and large organisations in the designated essential and important sectors, such as energy, transport, healthcare, digital infrastructure, drinking water and government, plus their important suppliers. The precise scope depends on sector and size; seek advice on whether your organisation falls under it.

What is the NIS2 duty of care?

The duty of care requires organisations to take appropriate technical and organisational measures to manage the risks to their network and information systems. This includes risk management, access control, incident handling, backups, business continuity and supply chain security. The measures must be proportionate to the risks.

What is the NIS2 reporting obligation?

Organisations must report significant incidents to the competent authority or national CSIRT within short deadlines: an early warning within 24 hours of becoming aware of the incident, an incident notification within 72 hours, and a final report within one month. A pre-established reporting process, with clear roles and escalation paths, is essential in order to meet those deadlines.

How do NIS2 and the GDPR relate?

NIS2 focuses on cyber resilience and the security of network and information systems; the GDPR focuses on the protection of personal data. They overlap in the areas of security measures and incident reporting. An integrated approach, for example ISO 27001 combined with ISO 27701, helps you comply with both efficiently.

What does NIS2 mean by supply chain security?

Supply chain security is about managing the risks that enter via suppliers and service providers. NIS2 explicitly requires organisations to assess security within their supply chain. You do this through, among other things, supplier assessments, contractual security requirements and second-party audits.

How do we start with NIS2?

Start by determining whether NIS2 applies to you, then carry out a risk-based baseline assessment of your current security, incident response and supplier management. Set up the reporting process, assign accountability to the board and make targeted improvements to the gaps identified. An ISO 27001 approach provides a proven framework for this.

Ready for NIS2?

Schedule a NIS2 scan and learn within a single conversation where your organisation stands.

Request a NIS2 scan

Trusted by organisations

Certe Groep Certe Assuradeuren Chatbot Soluck Wattse Nextech Muast