Cyber threats are becoming increasingly complex, and the growing dependence on information systems and critical infrastructure means that any incident can have serious consequences for organizations and even entire countries.
On October 17, 2024, the NIS2 directive came into effect in the European Union—a new regulation that significantly strengthens cybersecurity requirements for companies that ensure the operation of critical infrastructure. NIS2 is a continuation and expansion of the previous NIS directive, adopted in 2016. At that time, NIS was developed as the first-of-its-kind regulatory document requiring organizations in the European Union to take specific measures to enhance cyber resilience. Its main objective was to improve the ability to respond to cyber incidents in key sectors such as energy, transport, banking, and healthcare.
The new regulation increases the coverage of critical sectors, expanding their number from 7 to 15. The list now includes the financial sector, telecommunications, digital service provision, and other sectors that ensure the stability of public and governmental services. From now on, all these organizations must ensure effective protection of their networks, processes, and data.
The new directive introduces expanded cybersecurity requirements that include, but are not limited to, the following aspects:
Information Security Policies: The presence of approved regulatory and governing documents within an organization indicates a conscious approach to implementing cybersecurity measures, distributing responsibilities, and being able to monitor the effectiveness of their execution.
Risk Management Process: Organizations must assess risk levels, analyze the impact of potential attacks on key assets, and create security policies for timely response. This proactive approach emphasizes systematic risk analysis and monitoring of network vulnerabilities.
Incident Prevention, Detection, and Response: Organizations are required to develop and regularly test incident response plans, so that procedures for preventing attacks and detecting potential threats in good time are ready before an incident occurs.
Business Continuity and Crisis Management: NIS2 also requires organizations to create plans that ensure operational support during cyber incidents and allow for rapid recovery. This also includes data backup in the cloud.
Supply Chain Security: The directive obliges organizations to assess the cybersecurity of their suppliers and service providers to have a clear understanding of associated risks and enhance the overall security of their supply chains.
Vulnerability Disclosure: NIS2 mandates a transparent policy for managing vulnerabilities and developing mechanisms for reporting vulnerabilities and responding promptly to identified weaknesses in the network. This transparency is an important step in combating cybercrime.
Incident Reporting: Companies are now obligated to notify relevant authorities of incidents within clearly defined timeframes: initial notification within 24 hours of the incident, a full report within 72 hours, and a final report within one month.
ISO 27001, the international standard for information security management, can be a key tool for companies striving to comply with the new NIS2 requirements. It provides a structured approach to cybersecurity, helping organizations build protective systems that meet the strictest standards.
ISO 27001 includes principles of systematic risk assessment and incident management and requires documentation of all security policies and procedures. This not only enhances the organization's preparedness for cyber threats but also ensures an adequate level of monitoring and improvement of cybersecurity measures.
Key benefits of an Information Security Management System (ISMS) based on ISO 27001 for NIS2 compliance include:
Risk Identification and Management: ISO 27001 provides a framework for risk assessment and management, which is a key component for NIS2.
Regulatory Compliance: Companies that are certified or building their ISMS based on ISO 27001 already have built-in mechanisms for monitoring compliance and enhancing security measures, significantly simplifying adherence to NIS2 requirements.
Proactive Cybersecurity Approach: The standard helps companies develop a proactive cybersecurity approach, reducing the likelihood of incidents and enabling swift responses to potential threats.
Improved Reputation and Customer Trust: Organizations that adhere to high cybersecurity standards earn greater trust from customers and partners, which is a crucial element of sustainable business development.
While NIS2 targets EU countries, the experience and best practices of its implementation will also benefit organizations in similar sectors in Ukraine. In the face of continually rising cyber threats, ensuring robust protection of critical infrastructure and readiness for potential incidents is critically important. The Ukrainian government is already taking active steps in this direction by collaborating with the European Union within joint programs and initiatives. In June, a joint workshop was held with the EU Agency for Cybersecurity (ENISA), during which practical aspects of implementing the NIS2 directive were discussed.
Implementing NIS2 in Ukraine could be an important step towards increasing cyber resilience. As in the EU, compliance with the new directive will allow Ukrainian companies to establish a reliable protection system, assess risks, and develop necessary procedures to prevent incidents.
Given the rapid growth of cyber threats and new requirements, it is critical for organizations not to postpone cybersecurity issues. Implementing the ISO 27001 standard will not only help meet new regulatory norms but also create a foundation for systematic security management, minimizing risks and enhancing trust from customers and partners.
If your organization is not yet certified or has just begun to build its ISMS based on ISO 27001, now is the best time to seek advice and assistance from professionals. The ALESTA team is ready to provide professional support at every stage—from risk assessment to implementing all necessary processes, controls, and relevant procedures and documentation. Our experts will help select and implement necessary and effective cybersecurity solutions that ensure reliable protection of your IT infrastructure, which is a key factor for business resilience in today's digital world.
Contact marketing@alesta.net.ua or fill out the form below for more information on implementing the ISO 27001 standard.