1. Identify if your organization is subject to the NIS2 directive

Begin by assessing if your organization falls under the NIS2 scope or if you offer managed services or other services to entities regulated by NIS2. Additionally, identify which member state’s laws apply to your organization to understand the specific requirements you need to comply with.

In the case of Poland, the main piece of legislation is the National Cyber Security System Act. In February 2025, the fifth version of the draft amendment to this law was published, implementing the EU’s NIS2 directive into Polish law: https://legislacja.rcl.gov.pl/projekt/12384504/katalog/13055217#13055217

Each member state (Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Liechtenstein, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden) must individually transpose the NIS2 directive into its national law.

2. Appoint dedicated roles and assign responsibilities

Describe and assign the corresponding responsibilities for the following roles (or comparable equivalents): Chief Information Officer (CIO), Chief Information Security Officer (CISO) and IT Security Incident Handling Officer. Depending on the size of the entity, network and information system security shall be covered by dedicated roles (such as a CISO); in smaller entities these duties may be carried out in addition to existing IT roles.

3. Assess your current cybersecurity posture


Start by conducting a thorough assessment of your existing IT systems, security controls, and cybersecurity practices. Identify any gaps or weaknesses against the NIS2 requirements.

Before the exact NIS2 requirements are set in your country, you can use Commission Implementing Regulation (EU) 2024/2690 of 17 October 2024 laying down rules for the application of Directive (EU) 2022/2555 as regards technical and methodological requirements of cybersecurity risk-management measures (https://eur-lex.europa.eu/eli/reg_impl/2024/2690/oj) and the ENISA Implementing Guidance on NIS2 security measures (https://www.enisa.europa.eu/publications/implementation-guidance-on-nis-2-security-measures).

NIS2 is structured around three main categories, so consider them first when conducting a gap analysis:

  • Governance (Article 20). The NIS2 emphasizes the importance of management’s role in ensuring compliance and overall cybersecurity.
      • Member States shall ensure that the management bodies of essential and important entities approve the cybersecurity risk-management measures taken by those entities in order to comply with Article 21.
      • Member States shall ensure that the members of the management bodies of essential and important entities are required to follow training, and shall encourage essential and important entities to offer similar training to their employees on a regular basis, in order that they gain sufficient knowledge and skills to enable them to identify risks and assess cybersecurity risk-management practices and their impact on the services provided by the entity.

This may necessitate a review of the organizational culture and the adoption of behavioral changes.

  • Cybersecurity risk management measures (Article 21). NIS2 mandates that organizations assess and prepare for all potential threats by implementing suitable and proportionate technical, operational, and organizational measures.
      • Member States shall ensure that essential and important entities take appropriate and proportionate technical, operational and organisational measures to manage the risks posed to the security of network and information systems which those entities use for their operations or for the provision of their services, and to prevent or minimise the impact of incidents on recipients of their services and on other services.
      • The measures shall be based on an all-hazards approach that aims to protect network and information systems and the physical environment of those systems from incidents, and shall include at least the following:
          1. policies on risk analysis and information system security;
          2. incident handling;
          3. business continuity, such as backup management and disaster recovery, and crisis management;
          4. supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers;
          5. security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure;
          6. policies and procedures to assess the effectiveness of cybersecurity risk-management measures;
          7. basic cyber hygiene practices and cybersecurity training;
          8. policies and procedures regarding the use of cryptography and, where appropriate, encryption;
          9. human resources security, access control policies and asset management;
          10. the use of multi-factor authentication or continuous authentication solutions, secured voice, video and text communications and secured emergency communication systems within the entity, where appropriate.
  • Reporting (Article 23). Ensure transparent and timely post-incident reporting to align with the NIS2 requirements.
  • EU cybersecurity certification (Article 24). In order to demonstrate compliance with particular requirements of Article 21, Member States may require essential and important entities to use particular ICT products, ICT services and ICT processes, developed by the essential or important entity or procured from third parties, that are certified under European cybersecurity certification schemes. Furthermore, Member States shall encourage essential and important entities to use qualified trust services.

4. Notify and activate leadership

Ensure that your organization’s management team fully understands the implications and requirements of the NIS2 Directive. Provide a compelling business case that details the risks associated with non-compliance and underscores the advantages of proactive cybersecurity measures.

5. Allocate adequate budget and resources

Collaborate with leadership to obtain the necessary budget and resources for implementing the required security controls and processes. This could include investments in new technologies, hiring personnel, providing training, and ensuring ongoing maintenance.

6. Create a strategy and execution plan

Based on your gap assessment, create a comprehensive strategy and execution plan to meet the NIS2 requirements.

7. Implement organizational measures

Review and update or develop and implement security policies, incident response procedures, and business continuity and disaster recovery plans. Establish policies and procedures for conducting regular risk assessments, identifying vulnerabilities, managing access control, protecting data, securing the supply chain, and implementing appropriate security controls to manage identified risks.

Sample set of policies:

  • Policy on the security of network and information systems
  • Incident handling policy
  • Supply chain security policy
  • Security testing policy
  • Policy to assess the effectiveness of cybersecurity risk-management measures
  • Policy related to cryptography
  • Access control policy
  • Policies for the management of privileged accounts and system administration accounts
  • Handling of information and assets policy
  • Removable media policy

8. Implement technical measures

Deploy the necessary technical security controls, such as multi-factor authentication, encryption, network segmentation, access control, vulnerability management, and security monitoring and logging capabilities.

Here are some devices and technical solutions recommended for NIS2 compliance:

  • Firewalls
  • Intrusion Detection/Prevention Systems (IDS/IPS)
  • Multifactor Authentication (MFA)
  • Encryption Tools
  • Endpoint Protection Solutions
  • Security Information and Event Management (SIEM) Systems
  • Vulnerability Management Tools
  • Access Control Systems
  • Incident Response Platforms
  • Backup and Recovery Solutions
  • Supply Chain Security Solutions

9. Provide cybersecurity training

Ensure that all employees receive regular cybersecurity training that takes into account their roles and job responsibilities.

TARGET GROUPS

  • Management Personnel: Training for members of management aims to provide them with the necessary knowledge and skills to identify cyber risks, assess risk management practices and their impact on the services provided by the entity, and implement and oversee security policies.
  • Employees, technical and non-technical: Training for employees at all levels aims to equip them with the knowledge and skills necessary to perform their duties safely, identify and report threats, and respond to security incidents.

AWARENESS RAISING AND BASIC CYBER HYGIENE PRACTICES

(the relevant entities shall ensure that their employees are aware of risks, are informed of the importance of cybersecurity and apply cyber hygiene practices)

  • Awareness Training: the goal of awareness training is to raise employees’ awareness of cybersecurity, including recognizing threats, following safe practices for using IT systems, mobile devices, and email, protecting personal data, and reporting suspicious incidents.

Topics to include in the program (indicative, non-exhaustive list):

  • Train personnel to recognize social engineering attacks, such as phishing, pretexting, and tailgating.
  • Train personnel to be aware of the causes of unintentional data exposure. Example topics include erroneous delivery of sensitive data, losing a portable end-user device, or publishing data to unintended audiences.
  • Train personnel on the dangers of connecting to, and transmitting data over, insecure networks for the entity’s activities. If the entity has remote workers, training should include guidance to ensure that all users securely configure their home network infrastructure.
  • Train personnel on understanding malicious and unauthorized software, on the importance of malicious software detection, and on the risks and consequences of using unauthorized software.

SECURITY TRAINING

(the relevant entities shall identify employees whose roles require security-relevant skill sets and expertise, and ensure that they receive regular training on network and information system security)

  1. Assess which roles within the entity require security-relevant skills and expertise.
  2. Offer training that focuses on the specific security skills required by the identified roles.
  3. Provide cybersecurity training periodically: the program shall be updated and run periodically, taking into account applicable policies and rules, assigned roles and responsibilities, as well as known cyber threats and technological developments.

Topics to include in the program (indicative, non-exhaustive list):

  • Cyber Risk Management: this training should cover the identification, analysis, assessment, and management of cyber risks, as well as the selection and implementation of appropriate security measures.
  • Cyber Incident Handling: this training should focus on procedures for detecting, responding to, reporting, and recovering from incidents, as well as reporting incidents to the CSIRT or relevant authorities.
  • Business Continuity and Crisis Management: this training aims to prepare employees for crisis situations and ensure business continuity, such as in the event of a cyberattack disrupting IT systems.
  • Network Security: training should cover topics such as network segmentation, protection against malware, firewall configuration, secure use of wireless networks and VPNs, identity and access management, security testing, and applying security patches.
  • Cryptography: this training should focus on the basics of cryptography, secure storage and management of cryptographic keys, data and communication encryption, and the use of electronic signatures and trust services.
  • Asset Management: this training covers the classification, inventory, protection, and secure handling of assets, including information, IT systems, and data storage media.
  • Physical and Environmental Security: training should address issues such as access control to premises, physical security of IT infrastructure, protection against environmental threats (e.g., fire, flood), and procedures for dealing with power outages or other system failures.

Here are some recommended training courses, grouped by topic:

  • Basic Cyber Hygiene Practices/Security Awareness Training
      • Aware by EC-Council
      • Compendium CE > Security Awareness
  • Cybersecurity and information security management
      • ISC2 > ISC2 CISSP Certification Prep Course
      • Mile2 > C)ISSO – Certified Information Systems Security Officer
      • Mile2 > C)SLO – Certified Security Leadership Officer
      • Mile2 > C)CSSM – Certified Cybersecurity Systems Manager
      • CompTIA > CompTIA SecurityX Prep Course
  • Risk Management
      • ISC2 > ISC2 CISSP Certification Prep Course
      • Mile2 > C)ISRM – Information Systems Risk Manager
      • Mile2 > C)RMFA – Risk Manager Framework Analyst
  • Vulnerability detection and penetration testing
      • Mile2 > C)VA – Certified Vulnerability Assessor
      • EC-Council > CEH – Certified Ethical Hacker v13
      • CompTIA > CompTIA PenTest+ Prep Course
      • Mile2 > C)PTE – Certified Penetration Testing Engineer
      • OffSec > OffSec PEN-200 Penetration Testing with Kali Linux
  • Incident Handling
      • CompTIA > CompTIA CySA+ Prep Course
      • Mile2 > C)IHE – Certified Incident Handling Engineer
      • Mile2 > C)TIA – Certified Threat Intelligence Analyst
      • Mile2 > C)CSA – Certified Cyber Security Analyst
      • Mile2 > C)DFE – Certified Digital Forensics Examiner
      • Mile2 > C)NFE – Certified Network Forensics Examiner
  • Backup, Business Continuity Planning, Disaster Recovery
      • Mile2 > C)DRE – Certified Disaster Recovery Engineer
  • Network Security (vendor training)
      • Check Point
      • Extreme Networks
      • F5 Networks
      • Fortinet
      • HPE Aruba Networking
      • Infoblox
      • Netskope
      • Palo Alto Networks
      • Radware

10. Assess and manage supply chain risks

Evaluate the cybersecurity posture of your organisation’s suppliers and service providers and implement appropriate security measures to mitigate risks across the supply chain.

To meet the requirements of the NIS2 Directive regarding supply chain security, organizations should implement the following security measures:

  1. Check and Monitor Suppliers: Carefully select suppliers based on their cybersecurity practices and continuously monitor their compliance with security requirements.
  2. Conduct Regular Risk Assessments: Evaluate and manage risks associated with suppliers and third parties.
  3. Implement Strong Access Controls: Ensure that only authorized personnel have access to sensitive information and systems.
  4. Implement Secure Communication Channels: Use secure communication methods, such as encrypted emails and secure messaging platforms, to protect information exchange.
  5. Use Encryption: Protect data in transit and at rest using robust encryption methods.
  6. Establish Incident Response Procedures: Develop and maintain procedures for detecting, reporting, and responding to cybersecurity incidents.
  7. Ensure Continuous Monitoring: Monitor supply chain activities and systems for potential threats and vulnerabilities.
  8. Conduct Regular Audits: Perform regular security audits and assessments of suppliers to ensure compliance with cybersecurity standards.
  9. Regular Cybersecurity Training: Ensure that all supplier personnel regularly participate in security awareness training, and that technical staff regularly undergo training on the IT and cybersecurity systems they are responsible for and certify their knowledge with appropriate certifications.
  10. Maintain Business Continuity Plans: Develop and regularly update business continuity and disaster recovery plans to ensure resilience against disruptions.

11. Prepare for incident reporting and audits

Establish robust incident detection, analysis, and reporting procedures to meet the NIS2 Directive’s strict notification requirements. Also, be ready for potential audits and inspections by regulatory authorities.