Two weeks.
That’s how long your organization will have to prepare if you face a NIS2 compliance audit. In those two weeks (just 10 working days), you’ll need to collate a huge amount of evidence to show you’re meeting minimum security standards. We’re talking about risk assessment records, an overview of all your security measures, incident reports, and much more besides.
For many organizations, complying with regulations like NIS2 is something they do reactively. As Larisa Mihai, a Compliance Expert, told us during a recent webinar:
Usually, when you think about compliance, you don’t think sustainable. Instead, you go with the idea ‘I have an audit [coming up]. I need to be compliant’.
But as Larisa explained, taking a proactive, “continuous” approach to compliance is far more sustainable – and means that a two-week turnaround is manageable.
In this article, you’ll learn:
- What the NIS2 Directive is
- What sustainable NIS2 compliance means
- The benefits of continuous compliance with NIS2
- Heimdal’s solution for NIS2 compliance
What is NIS2 compliance?
The NIS2 Directive is a European Commission regulation that is intended to enhance cybersecurity protection and incident response across the European Union. It came into effect in October 2024, and EU countries are now transposing the Directive into national law.
A wide range of ‘essential’ and ‘important’ entities will be subject to the regulation. NIS2 covers both the public sector and private businesses in various industries deemed strategic to the EU’s stability (e.g. energy, finance, water and transport).
Compliance with NIS2 will be enforced by ‘competent authorities’ in each EU country. If a company’s data ever gets breached, then the competent authority will request information about the breach and may fine organizations that are found to have had lax protections. The competent authorities will also conduct random spot checks on firms.
Another kind of audit will happen in supply chains. If a business sells products or services to ‘essential’ or ‘important’ entities, it may also be required to undergo an audit of its security posture.
As mentioned above, when an organization gets audited, it will have two weeks to compile evidence to show how it is complying with the regulation. If you are not practicing continuous compliance, collating all this information can be very challenging.
You will need to gather significant amounts of information and data from various systems and employees, then compile this into a report. Especially when the audit is unexpected, this can be very disruptive.
How to demonstrate you are NIS2 compliant
If you face a NIS2 audit, you will need to present a range of evidence that shows how you comply:
Documents and reports
- Incident handling reports and policies
- Security policies (including your access control policy)
- Risk analysis reports
- Risk management policies
- Information about your supply chain’s security
- Disaster recovery and backup policy
Systems and technical
- Overview of your multi-factor authentication (MFA) systems
- Overview of your encryption technology
- Disaster recovery and backup systems
People and processes
- Overview of training and onboarding
- Auditors may wish to interview senior and ‘regular’ staff about their cybersecurity awareness
Why you need a ‘sustainable’ approach to NIS2 compliance
“We are hit with audit requirements that were not there before, and we get them two weeks ahead. That’s crazy! Who can implement something in two weeks? Nobody.”
– Larisa Mihai, Cyber Compliance Expert
In our recent webinar, Larisa argued that organizations that are subject to the NIS2 Directive should take a continuous approach to compliance. This, she reckons, is a far more sustainable approach than simply responding to audit requests as and when they come in.
If you don’t take a continuous approach to compliance, then any audits that you face will be incredibly stressful. With just two weeks – or 10 working days – to compile evidence, the pressure will be enormous.
So, what does it mean to have a ‘sustainable’ approach to NIS2 compliance?
For Larisa, it’s partly about mindset. Rather than viewing compliance as something you do to tick a box, it’s better to approach it as something that’s foundational to business security. In the end, complying with regulations like NIS2 (or GDPR, DORA, HIPAA, or anything else) is about cybersecurity best practice anyway.
But there’s also a technical element. Continuous compliance means regularly monitoring how you’re doing against those standards: checking that your systems and processes still comply, and fixing any issues you find.
If you are already monitoring your organization for various cybersecurity ‘signals’, then compiling the relevant data and reports for a NIS2 audit should actually be relatively straightforward.
Benefits of continuous NIS2 compliance
Taking a continuous approach to NIS2 compliance might sound like a lot of extra work. But it doesn’t necessarily have to be onerous – and many elements of compliance are basically about following cybersecurity best practice.
During the webinar, Larisa highlighted several benefits of taking a continuous approach to NIS2 compliance.
It makes you more secure
Perhaps the most important reason to take a continuous approach to NIS2 compliance is that it’s likely to improve your overall cybersecurity posture. By frequently monitoring compliance, you’re more likely to notice problems (e.g. new security risks), and can then act faster.
May help reduce or avoid fines after a breach
Continuous compliance means you will have a consistent record that shows all your efforts to comply with NIS2. This means that, even if you do get breached, you’ll be able to show auditors clear evidence that you were doing your best to follow the rules. That may help reduce the size of fines – or mean you avoid them altogether.
Makes responding to audits easier
As Larisa pointed out in our webinar, “if you have continuous monitoring… you can show it in an audit super-fast”. Particularly if you use automated monitoring systems (such as Heimdal’s NIS2 reporting tool), preparing for an audit becomes quick and simple. Many of the auditors’ requests can be answered by simply generating a report that contains clear, evidenced data of your compliance activities.
Saves technical employees’ time
Similarly, if you continually monitor for NIS2 compliance, you can produce reports quickly and easily – without having to call on your technical teams.
Larisa explained that “an engineer can’t be [involved] in 27 audits [at any one time] … They need pockets of silence, pockets of no meetings”. If you can simply generate reports automatically showing how you’re compliant, Larisa said: “I don’t have to bother anybody from my technical department and I can let them actually do their job”.
Stronger insurance claims
Continuous compliance means you’ll have plenty of evidence that you are following cybersecurity best practice. Should you ever need to file a claim on your insurance following a breach, you’ll be able to show insurers that you have indeed been actively protecting yourself. So, they’ll be more likely to honor claims.
Customer relationships
NIS2 emphasizes the importance of supply chains when it comes to cybersecurity. If you are a vendor to an ‘essential’ or ‘important’ organization under NIS2, then your customers may require you to provide evidence of your compliance efforts.
Being able to demonstrate this quickly and efficiently with a report will enhance trust and improve customer relationships.
Personal peace of mind
Unlike other cybersecurity-related laws, NIS2 compliance places liability on named individuals at companies (with the possible risk of fines or even jail terms). If you are a CEO, CIO, CISO or IT manager, this potentially places a lot of pressure on you.
Continuous compliance means you can regularly check your security posture and verify how compliant you actually are. That (hopefully!) means fewer sleepless nights.
Makes compliance cheaper
When organizations face audits, they often turn to external consultants who can help them through the process, gather information and conduct tests. Given the two-week turnaround times for NIS2 audits, you can expect to pay a premium for this kind of urgent work. On the other hand, if you’re continuously compliant, you avoid these high costs.
A sustainable approach to NIS2 compliance
While continuous compliance might, at first, sound onerous, it is in fact a far more sustainable and effective way of dealing with regulations like NIS2. If you are regularly monitoring your environment and collecting evidence that shows you comply, you’ll have much less to fear when auditors come calling.
And with Heimdal’s automated NIS2 reporting tool, continuous compliance is even easier. The solution constantly monitors your environment and collects evidence of your security posture. It then automatically generates a white-label report, showing what you’re doing to comply.
The report won’t make you compliant in and of itself – you will need to adjust your policies, procedures and settings to ensure you meet the minimum requirements. But by automating a large portion of the reporting, you’ll be ready for audits, while also ensuring a higher level of security too.
Get your hands on our comprehensive NIS2 Compliance Checklist, now available for download in three convenient formats: PDF, Word, and Google Docs – ensuring you have everything you need to streamline your compliance.
Want to see how it works? Contact us today for a demo.