All you need to know about NIS2 and the steps to its compliance
NIS2, the first EU-wide cybersecurity law, has positioned cybersecurity as the only first-line enforcer. With the continued strict regulations, organizations are increasingly asked to add tooling, process, and prioritization to retrofit them.
To understand your position and priorities within NIS2, you target function-specific technology applications recommended by tech and admin audits. Telelink Business Services has the resources and competence to do both.
Required by the NIS 2 Directive, the audits are considered essential tools for continuously assessing and improving the security of critical infrastructures.
Volume 1 of our podcast provides an accurate overview of NIS2 from a business perspective, offering valuable insights into the financial and other risks that companies may face if they don’t apply the directive. Speakers:
Volume 2 of our podcast gives an in-depth description of all the necessary steps that companies must take to comply with NIS2, including auditing, controls, measures, and procedures. Speakers:
Identification of cybersecurity information for assets connected to the network.
Testing designed to assess the digital protection of the organization from a hacker’s point of view.
Exclusive phishing simulation to determine the level of employees’ awareness.
Performing a documentary audit of organizational and technical controls in compliance with the NIS2 Directive.
The most successful NIS2 compliance enables the underlying business to work unhindered, something Telelink Business Services strives to provide.
The revised EU directive on the security of network and information systems (NIS2) repeals and replaces the existing NIS Directive. Adopted in 2016, it is the first EU-wide cybersecurity law.
The principal objective of the NIS2 Directive is to increase the level of cyber resilience across the EU. It does so by requiring all entities in the EU that provide critical services to the economy and society to take appropriate cybersecurity measures.
Risks go beyond fines up to €10 million or 2% of global turnover with one of more of the following turn outs:
● Management can face personal financial penalties.
● Authorities can temporarily shut down your operations.
● Regulatory checks from both Bulgarian and EU authorities.
● Operational disruptions, loss of clients, damaged reputation.
Conduct a quick impact analysis covering:
● Cost of downtime due to cyber incidents or regulatory actions.
● Consequences of data leaks.
● Loss of customer and partner trust.
● Cost of fines versus cybersecurity investment.
Not entirely. NIS2 requires a comprehensive approach including incident management, clear policies, training, and proven compliance — not just technical tools.
It depends on your current state. An adequate approach is to do technical and documentation audits to identify current gaps. EU funding options can also assist.
Believing cybersecurity is only the IT department’s responsibility. Buying expensive technology without an integrated strategy. Neglecting employee training. Failing to regularly test backups and response plans.
Conduct an audit (technical and documentation-based), then prioritize critical measures and develop a clear, step-by-step strategy.
The risk is significant. Unsynchronized audits cause gaps, inconsistencies, and lack a unified action plan.
What do we do differently?
● Conduct simultaneous audits.
● Provide clear, prioritized action plans.
● Ensure consistency between administrative and technical measures.
Maintain clear documentation:
● Cybersecurity policies and incident management.
● Regular internal/external audits and penetration tests.
● Documented employee cybersecurity training.
● Tested backup systems and recovery plans.
● Continuous security monitoring and reporting.
● Contractual compliance assurance from suppliers.
Tools like ISO 27001, NIST, or CIS Controls can simplify compliance demonstration.
Yes, training is explicitly required. Companies must regularly train employees, conduct phishing simulations, implement clear procedures, perform regular security assessments, and encourage incident reporting.
To avoid contradictions between administrative and technical audits, it’s best to use a single provider for both audits. The benefits are as follows:
● Consistency: One provider ensures administrative and technical measures complement each other.
● Contextual Understanding: A single team offers integrated insights tailored to your organization’s specific needs.
● Reduced Conflict Risk Efficient internal communication within one provider prevents conflicting recommendations.
● Time and Resource Savings: Eliminates the need to coordinate and reconcile conflicting advice from separate auditors.
● Simplified Implementation: Results in a unified action plan, making compliance with NIS 2 easier.
Administrative and technical audits cover different security aspects but must align:
● Clearly define audit framework based on NIS 2 standards.
● Analyze and reconcile findings from both audits through collaborative discussions.
● Use a compliance matrix linking policies to specific technical measures.
● Address potential conflicts by involving management to make balanced decisions.
● Regular monitoring and updates using compliance tools to ensure alignment.
Reasons to use such a tool:
● Objective evaluation of your current security posture.
● Specific, actionable improvement recommendations.
● Trackable progress over time to visibly enhance security.
Rather than choosing one, we recommend an integrated approach since weaknesses in any area reduce overall security effectiveness. The phases can be described as:
● Policies: Essential for setting clear security guidelines.
● Technology: Provides practical protection against threats.
● Training: Crucial for ensuring effective implementation by employees.
Immediate availability depends on having a centralized compliance management system, including:
● Security policies and procedures documentation.
● Technical evidence (logs, configurations, vulnerability assessments).
● Recent risk assessments and audit reports.
● Cybersecurity and incident response training records.
● Documentation of previous incidents and response measures.
Without a centralized system, urgent data collection might result in non-compliance risks, delays, and potential penalties.
Request more information or initiate a meeting by submitting the form below.