The European NIS2 Directive, adopted on December 14, 2022, represents a significant step forward in improving cybersecurity risk management  across critical sectors. But can something like vulnerability scanning, a common practice for detecting weaknesses in IT systems, be enough to ensure NIS2 compliance? In this article, we dive deeper into the NIS2 Directive and explore what is required for organizations to comply with the regulation. We highlight the role vulnerability scanning plays in information security and why compliance involves more than just technical measures.

NIS2: not just measures, but also implementation

It is important to understand that the NIS2 Directive goes beyond just technical measures. While many articles focus on improving the security of network and information systems, other articles are more about the implementation of the directive within EU member states. This means that compliance involves not only the security of systems but also the way the directive is embedded into national legislation. The end goal of this legislation is to achieve business continuity in the face of increased cyber threats to critical infrastructure within the European Union.

Examples of implementation-focused articles:

  • Article 1: Scope – Defines which sectors are covered by the directive and how each EU country should apply it.
  • Article 5: Supervisory authorities – Requires member states to appoint a competent authority to oversee compliance with the directive.

These articles are crucial for the implementation of the NIS2 Directive, but they are less about specific security measures like vulnerability scanning. Nonetheless, vulnerability scanning plays an important role in compliance, particularly in identifying and managing security risks.

Directors’ obligations: culture, risk assessment, and incident response

Beyond technical measures like vulnerability scanning, the NIS2 Directive places responsibilities on the directors of organizations, particularly concerning culture, risk assessment, and incident response. Below, we explain these topics and provide a step-by-step guide to help you get started.

1. Cybersecurity culture

The NIS2 Directive emphasizes that promoting a culture of cybersecurity within the organization is essential. Leadership must be actively involved in cybersecurity strategies and ensure that employees at all levels are aware of their responsibilities.

Step-by-step guide to promoting a cybersecurity culture:

  1. Training and awareness: Provide regular training and awareness sessions for all employees.
  2. Leadership: Directors should lead by example by being actively involved in security decisions.
  3. Communication: Create open communication channels so that employees can report security incidents and risks without fear.

2. Risk assessment

A critical component of NIS2 compliance is conducting regular risk assessments. This means organizations should not only scan for vulnerabilities but also identify and prioritize broader risks, including operational and strategic risks.

Step-by-step guide for risk assessment:

  1. Risk identification: Identify potential threats, both internal and external, such as cyberattacks, human error, or system failures.
  2. Evaluation: Assess the likelihood and impact of each risk based on the specific business context.
  3. Mitigation plan: Develop a plan to address the most critical risks, including technical and organizational measures.

3. Incident response

Under NIS2, organizations must have incident response procedures in place. This involves more than just reacting to incidents; it requires organizations to have a well-defined plan to respond quickly and mitigate damage.

Step-by-step guide for an effective incident response plan:

  1. Incident detection: Ensure systems are in place to detect incidents promptly, such as advanced monitoring tools.
  2. Incident reporting: Determine who is responsible for reporting incidents to the supervisory authority and internally.
  3. Recovery and reporting: Have processes for recovering affected systems and reporting incidents in compliance with legal requirements.

The role of vulnerability scanning in NIS2 compliance

Now that the broader context is clear, the question remains: can vulnerability scanning alone ensure NIS2 compliance? The short answer is no. Vulnerability scanning is a crucial part of risk assessment, helping identify technical weaknesses. However, it is just one aspect of what is required to comply with the NIS2 Directive.

Why vulnerability scanning is important:

  • It helps identify weaknesses in systems early, preventing potential incidents.
  • It supports continuous monitoring and improvement of security.

But NIS2 requires more:

  • It also requires a strong organizational culture around cybersecurity.
  • Directors must be actively involved in implementing security measures and risk assessments.
  • Organizations need to have well-prepared incident response plans.

Conclusion

Vulnerability scanning can help detect technical vulnerabilities to mitigate cyber threats and certainly contributes to NIS2 compliance, but it’s not enough. The directive calls for a broader approach, involving both technical and organizational measures. Technical endeavors like asset management, access control and vulnerability management are merely subsets of risk management, and risk management in itself is essential to strengthen business continuity. Directors therefore have significant responsibilities in promoting a culture of cybersecurity, conducting regular risk assessments, and ensuring solid incident response plans are in place. Compliance with the NIS2 Directive thus requires a comprehensive approach, with vulnerability scanning being just one piece of the puzzle.