To help organizations and governments achieve this standard, the European Union Agency for Cybersecurity (ENISA) has published a guide for entities affected by the NIS 2 Directive. The guide contains extensive technical and methodological recommendations for cybersecurity risk management, to be adapted for each industry.
Not everyone has time to browse 170 pages spanning 13 sections, so we’ve done it for you. Here you’ll find examples, validation techniques, and practical advice straight from the official blueprint, “NIS 2 Technical Implementation Guidance”.
1. Information systems and network security
This section of the guide refers to:
- Policy on the security of network and information systems
- Roles, responsibilities, and authorities
Relevant entities shall maintain a network and information systems security policy that is updated over time (at least once a year), ensure that employees and providers acknowledge it, and confirm that they are aware of their responsibilities.
The policy must cover a risk assessment and treatment plan, industry best practices, and compliance monitoring.
Any stakeholder must be aware of their own roles and responsibilities, as well as be aware of the security roles and points of contact.
2. Risk management policy
This section of the guide refers to:
- Risk Management framework
- Compliance monitoring
- Independent review of information and network security
The relevant entities – and their suppliers – must establish a risk management framework maintained over time to identify, assess, manage, and mitigate cybersecurity risks, and a risk treatment plan regarding business and strategic objectives, stakeholder expectations, regulatory requirements, organizational culture, and so on. This document can be reviewed based on changes in the information system, audits, post-incident findings, cybersecurity context evolution, etc.
Organizations shall also ensure compliance with the help of reports and key metrics, and define actions to take such as software updates, access control, encryption, and more.
The risk management policy may include risk acceptance criteria, e.g. acceptable downtime, tolerance for data loss, accepted risks considered as low severity… and assess the level of risk regarding assets (threats, vulnerabilities, impact analysis, etc.).
3. Incident handling
This section of the guide refers to:
- Incident handling policy
- Monitoring and logging
- Event assessment and qualification
- Incident response
- Post-incident reviews
Relevant entities shall provide incident handling policies and best practices tested and reviewed over time, and they must also ensure compliance with industry standards and regulations. Policies must be aligned with business continuity and a disaster recovery plan, including incident categorization to prioritize them properly (type of attack, data involved, criticality of systems affected, likelihood of recovery, etc.).
The response procedures plan must be documented, including the communication plan, and must be continuously updated. Security teams must also conduct root cause analysis in the event of an incident to improve network and information system security.
ENISA recommends setting up procedures and using tools to monitor and detect threats and anomalies, ensure incident response support, monitor network health, protect against data loss… and more precisely:
“Consider deploying SIEM, EDR, XDR, or a similar system that will allow and facilitate the correlation and analysis of data.”
ENISA also recommends that tools meet criteria such as:
- Ease of use
- Integration with existing network
- Minimization of manual intervention
- Data collection from various sources
- Logs retention and correlation for a relevant period of time
- Relevant alerts with proper incident qualification
- Minimization of false positives…
All of them make HarfangLab a strong asset in complying with the NIS 2 directive!
4. Business continuity and crisis management
This section of the guide refers to:
- Business continuity and disaster recovery plan
- Backup and redundancy management
- Crisis management
Relevant entities shall define disasters that could affect them – from natural causes to human errors – and plan business continuity and disaster recovery, test their plans, update them, and keep logs of plan activation to improve over time.
Crisis management plans must include recovery plans, and organizations shall provide copies, redundancy and failover mechanisms, backups, and restore procedures applied to data, facilities, and networks in consideration of the 3-2-1 rule: keep 3 copies of the data on 2 different types of storage media with 1 copy stored offsite.
They shall also verify third-party availability, train staff for the event of an incident, and set objectives such as recovery time, service delivery levels, and maximum acceptable outages.
5. Supply chain
This section of the guide refers to:
- Supply chain security policy
- Registry of suppliers and service providers
Entities shall establish, implement, and apply a supply chain security policy based on industry standards that governs the selection of suppliers. Suppliers must be challenged over time to ensure their products remain aligned with recommendations and standards.
For example, consider these criteria:
- Legal jurisdiction of the supplier or service provider
- Compliance statements from the supplier in relation to the NIS 2 Directive
- Corporate ownership of the supplier or service provider
- Ability to ensure supply
- Cybersecurity practices of the supplier or service provider
You should also expect from your cybersecurity solution supplier:
- Clear and complete description of products and services
- Information about locations where the products are to be produced and services are to be provided
- Where data is to be processed, including the storage location and the requirement for the supplier and service provider to notify the entity in advance in the event the location will change
- Regular updates and code review
- Security testing
- Clear documentation and policies for using free and open-source components
- And much more
Feel free to challenge HarfangLab against these criteria. It’s a 100% European and sovereign platform, recognized for the quality of its support, and certified by ANSSI (French Cybersecurity Agency)!
6. Security in network and information systems acquisition, development, and maintenance
This section of the guide refers to:
- Security in acquisition of services or products
- Secure development lifecycle
- Configuration management
- Change management, repairs, and maintenance
- Security patch management
- Network security and segmentation
- Protection against malicious and unauthorized software
- Vulnerability handling and disclosure
Cybersecurity must be integrated as a permanent component of the product or service purchase process, and security requirements must be applied to any services and products throughout their complete life cycle. It implies that providers must also be equipped with intrusion detection systems such as EDR, XDR, or SIEM and assess their own security.
Entities shall take measures to establish, document, implement, and monitor the configuration of purchased solutions, including the security configurations of hardware, software, services, and networks, following standards and evolving them regularly. Any change must be logged, whether it is due to a shift in best practices, to contain a risk, or to address an emergency.
As planned in the global security management policy, vulnerability management is necessary, which includes patches being applied on time from reliable sources.
Mechanisms such as EDR or EPP must be deployed to detect and protect against malicious and unauthorized software, code, or devices carrying malicious files.
Vulnerabilities must be shared through appropriate channels and announced to CSIRTs and relevant authorities.
7. Cybersecurity risk management measures
This section of the guide refers to:
- Policies and procedures to assess the effectiveness of cybersecurity risk management measures
Entities shall assess whether the cybersecurity risk management measures are effectively implemented and maintained, referring to industry standards and KPIs such as cost of implementation and maintenance (e.g. capital expenditure (CAPEX) / operational expenditure (OPEX), rate of cybersecurity employee training, number of vulnerabilities detected, time to remediation, incident response times, number of incidents, etc.).
8. Basic cyber hygiene practices and security training
This section of the guide refers to:
- Promoting awareness and basic cyber hygiene practices
- Security training
Relevant entities shall ensure that their employees are aware of cybersecurity risks and informed of the importance of cybersecurity, that they apply cyber hygiene best practices, and that they undergo security training to acquire the skills and expertise appropriate to their roles.
9. Cryptography
The relevant entities shall implement procedures related to cryptography (digital signatures, hashes…) and update them regularly to protect assets and data confidentiality, authenticity, and integrity.
Procedures must include:
- Protection of cryptographic keys against modification and loss
- Protection of secret and private keys against unauthorized use and disclosure
- Authenticity of public keys
- Protection of equipment used to generate, store, and archive keys
- And more
10. Human resources security
This section of the guide refers to:
- Training
- Background verification
- Termination or change of employment procedures
- Disciplinary process
Clear security roles and responsibilities for employees must be defined, with onboarding and continuous education programs, as well as a disciplinary process for handling violations of network and information system security policies – even after termination or change of employment. Background verification can be added to the hiring process for roles involved in data or security management.
Suppliers’ and service providers’ roles and responsibilities regarding cybersecurity must also be defined, including the identification of responsible contacts for cybersecurity.
11. Access control
This section of the guide refers to:
- Access control policy
- Management of access rights
- Privileged accounts and system administration accounts
- Administration systems
- Identification
- Authentication / MFA
Entities shall implement physical access control policies for access to their network and information systems based on business, network, and information system requirements, including:
- Digital and physical access restrictions for staff, visitors, and external entities (suppliers and service providers)
- Users adequately authenticated, based on a mapping that follows principles of need-to-know, least privilege, and separation of duties
- Stronger authentication process for privileged accounts and restricted access to administration systems
- Regular update of policies and management access rights (past incident, when a person leaves a team or the organization, etc.)
- State-of-the-art authentication procedures and technologies (password-based authentication, passkeys, two-factor authentication / MFA, biometric authentication, token-based authentication, one-time passcode, smart cards, Fast Identity Online 2 security keys, certificate-based authentication, SSO, OpenID Connect, etc.)
12. Asset Management
This section of the guide refers to:
- Asset classification
- Handling of assets
- Removable media policy
- Asset inventory
- Deposit, return, or deletion of assets upon termination of employment
Entities must classify asset protection requirements according to sensitivity, criticality, risk, and business value, based on confidentiality, integrity, authenticity, and availability needs.
Anyone who uses these assets must be informed of the policy on their proper handling over their life cycle, including instructions on the safe use, storage, transport, and irretrievable deletion and destruction of the assets.
Entities shall set up a complete, accurate, up-to-date, and consistent inventory of their assets and log any change. After employees leave, the assets, network, and information systems must be made inaccessible to the former employee.
Entities shall also implement and apply a policy on the management of removable storage media and communicate it to employees and third parties. A device control tool will help in this regard, such as HarfangLab EPP’s Device Control feature – which provides USB port activity monitoring, security alerts, and filtering and blocking rules for an entire fleet, for specific endpoints, or for groups of endpoints.
13. Environmental and physical security
This section of the guide refers to:
- Supporting utilities
- Protection against physical and environment threats
- Perimeter and physical access control
Entities shall prevent loss, damage, or compromise of network and information systems, or interruption to their operations due to the failure and disruption of supporting utilities.
They must protect facilities from power failures and other disruptions, consider the use of redundancy in utility services, and prevent and monitor unauthorized physical access, damage, and interference to their network and information systems. They must also protect utility services for electricity and telecommunications, monitor the utility services, and ensure continuous effectiveness.
Compliance with NIS 2 requires numerous security measures and policies, from the definition of policies for information system users to technologies designed to protect the workspace.
Learn more about the HarfangLab platform and how it can help you meet NIS 2 requirements, and discover our complete range of solutions.