In the fields of information- and cyber security and continuity management, the cryptic acronyms in the heading are now being used on every channel, just as GDPR and information protection were a few years ago. What you need to know about them and, in particular, what do you need to do?

Let’s take a deep breath and say: at least there’s no need to panic. In short, it’s about good practices and methodologies for more holistic and risk-based management of an organisation’s continuity management and information- and cyber security.

In an increasingly highly digitalised world, the aim is to protect each and every one of us on the one hand, and to enable resilient business in a secure society on the other. Ensuring the critical functions of any industry can no longer be done without investing in the functionality and security of the digital infrastructure.

Many of the elements required for the systematic management of information- or cyber security may already be in place in your organisation. These practices or processes are very likely to have already been implemented, for example through the development of the General Data Protection Regulation (GDPR), from which they can be further refined.

The key objective should be to move from thinking about technical security to the basics: managing business with planned and risk-based information security. Information security, like all other aspects of security, needs training, guidance and the creation, enforcement and implementation of good practices. 

NIS2 is an important step towards better information security and network security in the European Union. It reflects the demands of the digital age and the need to protect society and the economy from online and information security threats.

But what do these acronyms actually mean?

NIS2, the Network and Information Security Directive 2, is a European Union directive that aims to ensure a high level of information security in the digital environment. It focuses on online and information security and affects various organisations and key digital service providers. The directive sets requirements for security measures and requires serious security breaches to be reported to national authorities. It aims to improve EU-wide information security and the preparedness for potential cyber threats. The national application of the NIS2 directive will enter into force in October 2024.

CER, the Critical Entities Resilience Directive, is also a European Union directive that aims to improve the resilience of critical services in society. The key is to understand the scope of each organisation’s threat- and disruption landscape and to strengthen proactive work to reduce the duration and mitigate the impact of potential disruptions – in other words, to implement continuity management. Critical operators must carry out risk assessments and take technical and organisational steps to improve their resilience and to report disruptions. Like NIS2, the application of the CER directive will enter into force in October 2024.

ISO/IEC 27001 is the standard for information security management and governance. The first version was published in 2005 and the latest in 2022. This standard describes a risk-based and therefore proactive management approach to respond to threats to the confidentiality, integrity or availability of information assets and to meet security requirements. As an international standard, ISO/IEC 27001 is recognised worldwide and certificates can be issued against it as proof of compliance with its requirements.

How are the three interlinked?

As described above, NIS2 requires, among other things, risk-based information security management, a rapid response to serious security incidents and notification to the authorities. These are the same things that the ISO/IEC 27001 information security management system directly includes.

CER, which requires continuity management from critical operators, has direct support from, for example: NIS2 information- and cybersecurity incident management requirements and the ISO/IEC 27001 management model for managing and maintaining information security.

And all of these are linked by risk management embedded in processes, decision-making and management.

Who is covered by the CER directive on resilience?

The CER Directive covers 11 sectors, for which each EU Member State must identify the critical operators by 17 July 2026.

Who is covered by the NIS2 directive on information security? 

The requirements of the NIS2 directive apply to operators critical to the security and continuity of society, divided into 15 different sectors.

The directive differs between sectors, for example in terms of reporting and sanctions, but the obligations are the same for all. In addition, criteria have been defined for companies in terms of their number of employees, turnover and balance sheet total. 

NIS2 affects a wide range of organisations that are essential to the functioning and security of the European Union’s digital infrastructure. These organisations include: 

• Online service providers: includes service providers that offer digital services such as online shops, social media platforms, cloud services, etc. 
• Energy companies: covers electricity producers, distribution companies and other energy operators whose activities are critical to the functioning of society. 
• Financial institutions: banks, insurance companies and other organisations providing financial services where security is essential to the financial security of their customers. 
• Critical digital services: for example, organisations providing health, transport, water or other essential services where operational capability and information security are critical. 

How to move towards compliance with the NIS2 directive? 

The best way to start is to familiarise yourself with the ISO/IEC 27001 information security management system standard. It incorporates a significant part of the requirements of NIS2 and provides a systematic and holistic approach to the management and governance of information security. Their importance will be further enhanced by the binding NIS2 directive. 

Help is at hand! Kiwa offers a wide range of services for managing and developing information security:  

• general and tailor-made training for all staff and management of an organisation 
• consultancy and advisory support, from building governance models through the implementation of information security policies to the planning and execution of internal audits 
• a concrete tool for compliance management and the support of certification, Kiwa Comply™
• a mobile reporting application for collecting and analysing security observations Kiwa Impact ™

Contact us to arrange a free 30-minute needs assessment meeting, where we can plan an approach that is right for your organisation.