Getting NIS 2 ready: how ITSM tools can facilitate compliance


By Kasper van der Leeden

In today's digital age filled with cyber threats, the importance of cybersecurity can't be overstated. In 2023 alone, a staggering 72.7% of organizations worldwide fell prey to ransomware attacks, underscoring the critical need for effective security measures.

In Europe, new cybersecurity legislation continues to shape the way organizations protect their networks and information systems. The European Union's NIS 2 Directive is one of these laws, and it aims to raise the level of cybersecurity across the whole continent.

If you're wondering what NIS 2 is all about and what role IT Service Management (ITSM) plays in helping you comply with it, you're in the right place. Let's break it down.

What is NIS 2 and why does it matter?

NIS 2, short for the Network and Information Systems Directive 2 (Directive (EU) 2022/2555), is the EU's latest directive designed to enhance cybersecurity across EU member states. Member states had to transpose it into national law by 17 October 2024, and its measures apply from 18 October 2024, a significant milestone in the EU's ongoing efforts to strengthen digital security. Because NIS 2 is a directive rather than a regulation, the exact obligations you face are set by your country's implementing law, which may be stricter than the directive's minimum. And although NIS 2 is EU legislation, it also applies to international organizations that provide in-scope services in the EU, for example through EU branches.

Failing to comply with NIS 2 isn't just a regulatory issue: it's a serious risk. Organizations, and specifically their senior management, that don't meet the new requirements can face substantial fines (the directive sets maximums of at least EUR 10 million or 2% of worldwide annual turnover for essential entities, and EUR 7 million or 1.4% for important entities). More importantly, they leave themselves vulnerable to cyberattacks that could cripple operations.

While it's true that security officers and IT teams are typically responsible for implementing these measures, not every organization has the infrastructure or resources to handle such complex directives effectively. And if things don't go well, it's the IT department that will be on the front lines, dealing with the fallout. This makes it crucial for businesses to understand the urgency of NIS 2 and take proactive steps to ensure compliance.

But before we dive into the specifics of NIS 2, it's essential to understand its predecessor, the original NIS Directive (NIS 1), which laid the groundwork for this new regulation.

A brief history: from NIS 1 to NIS 2

The NIS 1 Directive (Directive (EU) 2016/1148, adopted in 2016) was the EU's first attempt at enhancing cybersecurity for operators of essential services and digital service providers, in sectors such as energy, transport and healthcare. It was a solid start but had some limitations, like a relatively narrow scope and widely varying implementation across member states. This created a need for a more robust, uniform approach, which is where NIS 2 comes in.

The NIS 2 Directive builds on NIS 1, expanding its scope, tightening security requirements and placing a stronger emphasis on risk management and incident response. It's more inclusive and rigorous, reflecting the evolving cybersecurity landscape and the growing threat of cyberattacks.

What are the key objectives of NIS 2?

The NIS 2 Directive is all about raising the bar for cybersecurity across the EU. These are the main goals of NIS 2:

  • Enhance cybersecurity across the EU: NIS 2 aims to ensure that all EU member states have a strong cybersecurity baseline, reducing the likelihood of successful cyberattacks.
  • Improve resilience of critical infrastructure: By setting higher security standards, NIS 2 seeks to protect essential services and critical infrastructure from disruptions that could significantly impact society.
  • Ensure consistency: The directive promotes a more harmonized approach to cybersecurity across the EU, minimizing disparities in how different countries handle cyber threats.

NIS 2 compared to other EU legislation

NIS 2 has a lot in common with other key EU laws like GDPR and DORA, reflecting a shared goal of boosting security and resilience in an increasingly digital world. Note the legal difference, though: GDPR and DORA are regulations that apply directly in every member state, while NIS 2 is a directive that each member state transposes into its own national law.

Just as GDPR is all about protecting personal data, NIS 2 focuses on safeguarding critical infrastructure and essential services, with both pushing for strong security practices and quick incident reporting. A single incident, such as a ransomware attack on a hospital, can trigger obligations under both: a personal data breach notification under GDPR and an incident report under NIS 2.

Similarly, DORA, which targets financial entities, is all about building operational resilience, especially against cyber threats. Where DORA applies, its sector-specific requirements take precedence over NIS 2 for the same entities. Whether it's personal data, financial systems or critical infrastructure, these laws are all about managing risks and staying ahead of potential disruptions, showing the EU's commitment to keeping the digital space safe and secure.

Breaking down NIS 2: Scope, requirements, and provisions

Now that we understand the goals of NIS 2, let's look at what it actually entails.

NIS 2 scope

NIS 2 has broadened its reach compared to NIS 1. It now covers more sectors and entities, including providers of essential services (like energy, transport and banking) and digital services (like cloud computing, data centres and online marketplaces), and it distinguishes between "essential" and "important" entities, which face different levels of supervision and penalties. Whether you are in scope depends mainly on your sector and your size (in general, medium-sized and large organizations in the listed sectors are covered). If your organization falls into any of these categories, NIS 2 likely applies to you.

For the full scope of NIS 2, see Annexes I and II of the directive and the national law that transposes it in your country.

NIS 2 requirements

Under NIS 2, organizations are required to implement specific security measures and risk management practices. Article 21 of the directive lists a minimum set of measures, including the ones below as well as business continuity and backup management, supply chain security, vulnerability handling and disclosure, the use of cryptography and, where appropriate, multi-factor authentication.

Risk Management: Regularly evaluating the risks to your network and information systems and applying measures proportionate to those risks. Managing your own environment isn't enough: the organization must also address the risks posed by its suppliers and service providers, so supplier security needs to be part of the same risk management process.

Security policies: Establishing and maintaining robust cybersecurity policies.

Incident response: Developing and implementing processes for detecting, managing, and reporting security incidents.

Incident reporting

NIS 2 places a heavy emphasis on incident reporting. Organizations must report significant incidents to their national CSIRT or competent authority without undue delay, in stages: an early warning within 24 hours of becoming aware of the incident, an incident notification within 72 hours, and a final report within one month (with intermediate updates on request). Note that the clock starts at the moment the organization becomes aware, so recording that timestamp accurately matters. This staged approach minimizes the impact of incidents and allows authorities to coordinate an appropriate response.

Governance and accountability

Senior management is now more accountable than ever. While NIS 1 required organizations to implement cybersecurity measures and report incidents, it did not specifically hold top-level management responsible for compliance failures. Under NIS 2, the management body must approve the organization's cybersecurity risk management measures, oversee their implementation and follow regular training, and its members can be held liable for infringements. In practice this means top executives, together with whoever they designate to run security, have clear responsibilities for ensuring compliance with the directive.

How ITSM can help with NIS 2 compliance

By now, you might be thinking, "This all sounds great, but how do we actually comply with NIS 2, and what is the IT department’s role in this?" This is where ITSM comes into play.

What is ITSM?

ITSM stands for IT Service Management, which is basically how you manage your IT services to meet business needs. It involves a set of practices and processes that help organizations deliver IT services efficiently and effectively. Think of ITSM as the blueprint for running your IT operations.

ITSM processes relevant to NIS 2

Let's look at some key ITSM processes that can directly support NIS 2 compliance.

Incident Management

One of the cornerstones of NIS 2 is effective Incident Management. ITSM helps by providing a structured approach to managing security incidents: logging them with the time the organization became aware, categorizing them so that significant incidents are recognized quickly, and tracking each one against NIS 2's reporting deadlines while it is being resolved.

A solid incident management process ensures that when something goes wrong, you're ready to respond swiftly and in a compliant manner. For example, having a well-defined incident response plan in place enables your organization to quickly identify the nature of the threat, coordinate the necessary resources, and take immediate action to contain and mitigate the impact of the incident.

IT Change Management

Changes in the world of IT are inevitable, but in the context of NIS 2, those changes need to be controlled. IT Change Management ensures that any changes to your IT systems—whether it’s a software update or a new security measure—are implemented without introducing new risks. By managing changes carefully, you can maintain security and stay compliant.

Risk Management

Risk Management is central to NIS 2 compliance, and ITSM provides the tools to do it right. ITSM processes help you assess, manage, and mitigate risks to your IT services. By continuously monitoring risks and implementing appropriate controls, you can ensure that your organization stays within NIS 2's Risk Management requirements.

Problem Management

Recurring issues are a headache, but they’re also an opportunity to improve. Problem Management in ITSM focuses on identifying the root causes of incidents and resolving them to prevent future occurrences. This proactive approach is in line with NIS 2's emphasis on improving overall security posture.

How ITSM tools can help you be NIS 2 ready

Having the right processes is crucial, but without the right tools, implementing those processes can be challenging. Fortunately, ITSM tools are designed to efficiently facilitate your processes, and additionally can be used to support compliance efforts.

Centralized Incident Management

ITSM tools can centralize incident management, providing a single platform where all security incidents are logged, tracked and managed. This not only makes life easier for your IT team but also ensures that you have a clear audit trail for compliance purposes.

Automated reporting

NIS 2 requires timely and detailed incident reporting. ITSM tools can automate much of this process by starting the reporting clock when a ticket is classified as a significant incident, escalating before each deadline passes and generating the early warning, notification and final report from the data already in the ticket. Submission still has to follow the channel and format prescribed by your national CSIRT or competent authority, so check what that is before relying on automation. Automating the preparation reduces the risk of human error and ensures that your reports reflect the current state of the incident.
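To make the reporting clock concrete, here is an added example (not code from the original post, from TOPdesk or from any particular ITSM product) of how an ITSM workflow can track the three NIS 2 reporting phases from the moment of awareness, flag what is overdue and tell the on-call team what to send next. The incident data model and its field names are hypothetical, "one month" for the final report is approximated as a fixed 30 days (your national law or authority may count it differently), and the timestamps are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# NIS 2 Article 23 reporting phases, each counted from the moment the entity
# becomes aware of the significant incident. "One month" for the final report
# is approximated as 30 days here (assumption); check your national law.
PHASES = (
    ("early_warning", timedelta(hours=24)),
    ("incident_notification", timedelta(hours=72)),
    ("final_report", timedelta(days=30)),
)


@dataclass
class SignificantIncident:
    """Minimal ticket model (hypothetical; not any ITSM tool's real schema)."""
    ticket_id: str
    aware_at: datetime                      # when the entity became aware
    early_warning_sent: Optional[datetime] = None
    incident_notification_sent: Optional[datetime] = None
    final_report_sent: Optional[datetime] = None

    def __post_init__(self) -> None:
        # Deadlines are wall-clock; a naive timestamp would silently shift by
        # the local UTC offset, so refuse it up front.
        for name in ("aware_at", "early_warning_sent",
                     "incident_notification_sent", "final_report_sent"):
            value = getattr(self, name)
            if value is not None and value.tzinfo is None:
                raise ValueError(f"{name} must be timezone-aware")


def deadlines(incident: SignificantIncident) -> dict[str, datetime]:
    """Absolute deadline for each reporting phase, from the awareness time."""
    return {phase: incident.aware_at + window for phase, window in PHASES}


def reporting_status(incident: SignificantIncident, now: datetime) -> dict[str, str]:
    """Classify each phase as 'sent', 'sent_late', 'due' or 'overdue' at `now`."""
    if now.tzinfo is None:
        raise ValueError("now must be timezone-aware")
    status: dict[str, str] = {}
    for phase, deadline in deadlines(incident).items():
        sent_at = getattr(incident, f"{phase}_sent")
        if sent_at is not None:
            status[phase] = "sent" if sent_at <= deadline else "sent_late"
        elif now > deadline:
            status[phase] = "overdue"
        else:
            status[phase] = "due"
    return status


def next_action(incident: SignificantIncident, now: datetime) -> Optional[tuple[str, timedelta]]:
    """Earliest unsent phase and the time left (negative once overdue)."""
    for phase, deadline in deadlines(incident).items():
        if getattr(incident, f"{phase}_sent") is None:
            return phase, deadline - now
    return None


def sample_incident() -> tuple[SignificantIncident, datetime]:
    """Constructed sample: aware 4 Nov 2024 09:00 UTC, early warning sent 11 h
    later, nothing else sent yet, evaluated four days after awareness."""
    utc = timezone.utc
    incident = SignificantIncident(
        ticket_id="INC-0001",
        aware_at=datetime(2024, 11, 4, 9, 0, tzinfo=utc),
        early_warning_sent=datetime(2024, 11, 4, 20, 0, tzinfo=utc),
    )
    return incident, datetime(2024, 11, 8, 9, 0, tzinfo=utc)


if __name__ == "__main__":
    inc, now = sample_incident()
    due = deadlines(inc)
    for phase, state in reporting_status(inc, now).items():
        print(f"{inc.ticket_id} {phase}: {state} (deadline {due[phase]:%Y-%m-%d %H:%M %Z})")
    print("next action:", next_action(inc, now))
```

In the sample the early warning was sent in time, the 72-hour notification is a day overdue and the final report is still open, which is exactly the situation an escalation rule in an ITSM tool should catch before the deadline passes rather than after. Storing `aware_at` as a timezone-aware value is deliberate: a ticket created from a SIEM alert in one time zone and reviewed in another must not move the deadline.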

Risk Assessment and Management

Many ITSM tools come with built-in risk assessment features that let you maintain a risk register linked to your assets, configuration items and changes, so that a new vulnerability, supplier or change can be assessed against the risks it affects. Keeping that register current, rather than revisiting it once a year, lets you act on risks as they appear and stay in line with NIS 2's risk management requirements.

Change control

ITSM tools can help you manage and document changes to your IT systems. This ensures that every change is tracked, reviewed, and approved before it’s implemented, reducing the risk of introducing new vulnerabilities.

Documentation and auditing

Compliance isn’t just about doing the right things; it’s also about proving you’ve done them. ITSM tools can maintain detailed records and audit trails, making it easier to demonstrate your compliance during inspections or audits.

Integration with security tools

ITSM tools often integrate seamlessly with other security solutions, like Security Information and Event Management (SIEM) systems and vulnerability management tools. This integration provides a more comprehensive approach to cybersecurity, helping you meet NIS 2’s stringent requirements.

Steps to become NIS 2 ready

So, how do you get started on the path to NIS 2 compliance? Here’s a step-by-step approach.

1. Conduct an assessment and gap analysis

Start by assessing your current cybersecurity posture and identifying any gaps between your existing practices and NIS 2’s requirements. This will give you a clear picture of where you need to improve.

2. Implement ITSM best practices

Adopt ITSM processes that align with NIS 2 requirements. This includes setting up effective Incident Management, IT Change Management, Risk Management, and Problem Management practices.

3. Choose the right ITSM tool

Select an ITSM tool that offers features specifically designed to support NIS 2 compliance. Look for tools that provide centralized Incident Management, automated reporting and robust change control capabilities.

4. Train Your Staff

Ensure that your team is well-versed in both NIS 2 requirements and ITSM processes. Regular training and awareness programs can help keep everyone on the same page and ensure that your compliance efforts are effective.

5. Continuous Monitoring and Improvement

Compliance isn’t a one-and-done deal. Regularly review and update your ITSM practices and tools to ensure that they continue to meet NIS 2’s evolving requirements. Continuous improvement is key to staying compliant and secure.

GLS: getting NIS 2 ready with TOPdesk

GLS, a client of TOPdesk in Hungary, started implementing NIS 2 quite early on. In fact, Hungary was one of the first EU countries to start implementing the directive.

Although GLS already has a dedicated information security partner, it was also important for them to be able to rely on TOPdesk as their ITSM partner. With features like Incident Management and IT Change Management, TOPdesk enables GLS to manage cybersecurity incidents, changes, and problems in a structured and audited manner. With built-in checks, automated summaries of incident details, automated templates to perform impact analyses, and more, TOPdesk is there to ensure that their customers can meet the objectives for NIS 2 compliance.

In addition, TOPdesk serves as a tool that can be used not only by IT departments, but also by other business departments, thus contributing to the overall information security strategy of a company.

Stay on top of cybersecurity

NIS 2 represents a significant step forward in the EU’s approach to cybersecurity. For organizations, this means new challenges—but also new opportunities to strengthen their cybersecurity. The right ITSM tool can be your best ally in navigating these challenges and achieving compliance. By adopting ITSM best practices, you can ensure that your organization is not only ready for NIS 2 but also better protected against the ever-evolving landscape of cyber threats.

Our advice? Don’t wait until the last minute. Start assessing your current practices, choose the right tools and train your team. With the right approach, NIS 2 compliance is not just achievable—it’s an opportunity to build a more resilient and secure organization. And the best solution? Be proactive! Don’t wait for security directives to pop up for you to get started. Cybersecurity should always be top of mind.

TOPdesk for NIS 2 compliance

With TOPdesk as your ITSM partner, you can rest easy: our ITSM software lets you track and resolve security incidents, manage risks and keep an eye on all your IT assets. We'll help you comply with NIS 2 and monitor your cybersecurity efforts continuously. Discover what our software can do for you.

Kasper van der Leeden

Head of IT Infrastructure and Information Security
