The provisions of the NIS 2 Directive alone provide no precise information as to what the implementation of adequate ‘cyber risk-management measures’ should look like. However, this does not mean that it is impossible to establish such measures. To this end, it is useful to refer to the requirements of the ISO/IEC 27000 series of standards (which are explicitly referred to in the NIS 2 Directive) and, by way of analogy, the provisions of the DORA Regulation, addressed to the financial market, which constitute lex specialis – more specific provisions – than the NIS 2 Directive.
The analysis of these acts shows that for the purpose of demonstrating compliance with the NIS 2 Directive, it may be helpful for an organisation to implement the following policies or procedures:
1. risk analysis and management policy – to identify, analyse, assess and minimise cybersecurity risks;
2. vulnerability management procedure – to manage vulnerabilities from the detection phase through to proactive handling and neutralisation of the threat;
3. incident handling procedure – to manage the incident from the prevention phase, through detection and response, to identifying lessons and making improvements;
4. incident reporting procedure – to implement the specific regulatory requirements for reporting incidents to the relevant state authorities;
5. business continuity procedure – to restore the normal operation of the organisation and coordinate the way in which crises are managed;
6. third-party supplier risk management policy – to ensure the safety of the organisation when using the products or services of third-party suppliers;
7. access control policy – to regulate such aspects as physical access and security of human resources;
8. cyber hygiene policy – to implement general cybersecurity policies, such as software updates, password management, making backups, using encryption (including multi-factor authentication), regular cybersecurity training, etc.
They can be part of the main security policy or be introduced in addition to it. Importantly, the above policies and procedures should be regularly reviewed, tested and, if necessary, updated.
As an aside, it is worth pointing out that the smooth implementation of the NIS 2 Directive is one of the priorities of the new Polish government. The announcements by the Ministry of Digitalisation suggest that the draft implementing law should be submitted to the Parliament as early as Q2 of this year.