Complying with NIS2 in Incident Handling and Reporting: A Cybersecurity Perspective

Introduction

The NIS2 Directive is a significant step forward in raising the cybersecurity posture of organisations within the European Union. With its emphasis on incident management and handling, NIS2 imposes stringent requirements on in-scope entities. This article gives an overview of what is needed to comply with NIS2's incident handling and reporting obligations, with a focus on alignment with industry standards such as ISO/IEC 27001:2022, NIST 800-53 Revision 5, and CIS Controls v8. Please refer to the appendix for a step-by-step guide to developing a plan for responding to a cybersecurity incident.

NIS2 Requirements for Incident Management and Handling

Incident Prevention, Detection, and Response

NIS2 requires organisations to have incident response plans and business continuity and backup arrangements, to conduct exercises, and to train all relevant parties. Once an organisation has identified its most significant risks and vulnerabilities, the revised directive expects it to implement clear procedures to prevent attacks and to agree on how potential incidents will be detected. The outcome should be an incident response plan with a transparent chain of command for who decides, who acts and who reports.

Incident Reporting

Under the updated directive, entities must notify their CSIRT or competent authority of any "significant" incident in three stages: an early warning within 24 hours of becoming aware of it; an incident notification within 72 hours of becoming aware, which updates the early warning and gives an initial assessment of severity and impact and, where available, indicators of compromise; and a final report not later than one month after submitting the incident notification. Where appropriate, the recipients of the service who may be affected must also be informed. A "significant" incident is one that has caused or is capable of causing severe operational disruption of the services or financial loss for the entity concerned, or that has affected or is capable of affecting other natural or legal persons by causing considerable material or non-material damage (Article 23(3)).
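The reporting clock above has two details that incident-tracking tooling tends to get wrong: the one-month final-report deadline runs from the actual submission of the 72-hour notification, not from awareness, and if the incident is still ongoing when that deadline falls due, a progress report is owed instead and the final report follows within one month of the incident being handled (Article 23(4)(e)). The following Python helper is an added example written for this article, not code from the original post or from any regulator; it assumes timezone-aware UTC timestamps and reads "one month" as one calendar month with the day clamped to the end of the target month, which is an interpretation, not something the Directive text specifies.

```python
"""NIS2 Article 23 reporting-clock helper (added example, not from the original article).

Assumptions not fixed by the Directive text quoted in the article:
  * "one month" is read as one calendar month, clamped to the last day of the
    target month (31 Jan -> 28 Feb). Adjust add_one_month() if your national
    transposition or competent authority reads it differently.
  * all timestamps are timezone-aware (UTC) datetimes.
"""
from __future__ import annotations

import calendar
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

EARLY_WARNING_WINDOW = timedelta(hours=24)          # Art. 23(4)(a), from awareness
INCIDENT_NOTIFICATION_WINDOW = timedelta(hours=72)  # Art. 23(4)(b), from awareness


def add_one_month(moment: datetime) -> datetime:
    """Same wall-clock time one calendar month later, clamping the day of month."""
    year = moment.year + (moment.month // 12)
    month = moment.month % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return moment.replace(year=year, month=month, day=min(moment.day, last_day))


@dataclass(frozen=True)
class ReportingTimeline:
    early_warning_due: datetime           # 24h after awareness
    incident_notification_due: datetime   # 72h after awareness
    final_report_due: datetime | None     # one month after the notification was submitted
    progress_report_due: datetime | None  # same date, if the incident is still ongoing then


def reporting_timeline(aware_at: datetime,
                       notification_submitted_at: datetime | None = None,
                       ongoing_at_final_deadline: bool = False) -> ReportingTimeline:
    """Compute the deadlines that follow from the moment the entity became aware.

    The final-report clock starts from the *actual* submission of the 72h
    notification (Art. 23(4)(d)), so a late notification pushes the final
    report out as well. If the incident is still ongoing when the final report
    falls due, a progress report is owed at that time and the final report is
    due within one month of the incident being handled (Art. 23(4)(e)); that
    later date depends on when handling ends and cannot be computed up front.
    """
    if aware_at.tzinfo is None:
        raise ValueError("aware_at must be timezone-aware")
    early = aware_at + EARLY_WARNING_WINDOW
    notif = aware_at + INCIDENT_NOTIFICATION_WINDOW
    if notification_submitted_at is None:
        # Notification not yet sent: the one-month clock has not started.
        return ReportingTimeline(early, notif, None, None)
    one_month_out = add_one_month(notification_submitted_at)
    if ongoing_at_final_deadline:
        return ReportingTimeline(early, notif, None, one_month_out)
    return ReportingTimeline(early, notif, one_month_out, None)


def overdue_items(timeline: ReportingTimeline, now: datetime,
                  submitted: dict[str, datetime]) -> list[str]:
    """Names of reports whose deadline has passed without a recorded submission."""
    due = {
        "early_warning": timeline.early_warning_due,
        "incident_notification": timeline.incident_notification_due,
        "final_report": timeline.final_report_due,
        "progress_report": timeline.progress_report_due,
    }
    return [name for name, deadline in due.items()
            if deadline is not None and name not in submitted and now > deadline]


if __name__ == "__main__":
    # Constructed sample: awareness late on 30 Jan; notification submitted one hour late.
    aware = datetime(2025, 1, 30, 22, 15, tzinfo=timezone.utc)
    submitted_notif = aware + timedelta(hours=73)
    tl = reporting_timeline(aware, submitted_notif)
    print("early warning due      ", tl.early_warning_due.isoformat())
    print("incident notice due    ", tl.incident_notification_due.isoformat())
    print("final report due       ", tl.final_report_due.isoformat())
    print("overdue at notice time ", overdue_items(tl, submitted_notif, {"early_warning": aware}))
```

In the constructed sample the incident notification is submitted one hour after its 72-hour deadline, so `overdue_items` flags it, and the final report is due one month after that late submission (2 March), not one month after the original 72-hour deadline. Recording the actual submission timestamps alongside the computed deadlines is what lets the tracker produce the evidence a competent authority will ask for.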

The UK, which is reforming its own NIS Regulations separately, is proposing that a broader range of incidents be reported to the regulator, including those that pose a high risk to, or significantly impact, a service even if they do not disrupt it. That is a wider reporting trigger than NIS2's "significant incident" threshold described above, which is tied to severe operational disruption, financial loss, or considerable damage to others.

How NIS2 Can Improve Business Operations

Better Management of Cyber Incidents: the Directive requires organisations to implement incident management procedures, including reporting requirements and response plans. With a clear, well-defined and rehearsed plan, businesses can detect and contain cyber incidents quickly, mitigate their effects, and feed lessons learned back into prevention. This reduces the costs associated with downtime, productivity loss and reputational harm.

Aligning with Industry Standards: Achieving Alignment with NIS2

Mapping ISO/IEC 27001:2022 to NIST 800-53 Revision 5

Achieving close alignment with NIS2's incident handling and reporting requirements involves understanding how the major industry standards relate to one another. The table below (published as an image in the original article) maps ISO/IEC 27001:2022 incident response controls to NIST 800-53 Revision 5 incident response controls, with the justification for each full or partial mapping given in brackets:

[Image: ISO/IEC 27001:2022 and NIST 800-53 Revision 5 mapping table; not reproduced in text]

This mapping illustrates the overlap between ISO/IEC 27001:2022 and NIST 800-53 Revision 5, highlighting areas of full alignment and recognising areas where the relationship is only partial. By understanding these connections, organisations can use both standards to build an incident management framework that meets NIS2's objectives.

Mapping ISO/IEC 27001:2022 to CIS Controls v8

In addition to aligning with NIST 800-53 Revision 5, understanding the relationship between ISO/IEC 27001:2022 and CIS Controls v8 is essential for a holistic approach to incident handling and reporting. The table below (published as an image in the original article) maps ISO/IEC 27001:2022 incident response controls to the equivalent CIS Controls v8 safeguards, with a justification for each full, partial, or absent match:

[Image: ISO/IEC 27001:2022 and CIS Controls v8 mapping table; not reproduced in text]

This mapping highlights the areas where ISO/IEC 27001:2022 and CIS Controls v8 align, as well as the areas where there is no direct match. By recognising both the connections and the gaps, organisations can build a more complete incident management strategy that meets NIS2's objectives rather than assuming one standard covers everything.

Summary

The NIS2 Directive sets a demanding cybersecurity compliance bar. By treating ISO/IEC 27001:2022 as the foundational framework and drawing on the complementary strengths of NIST 800-53 Revision 5 and CIS Controls v8, businesses can align closely with NIS2; no single standard maps to it completely, so the gaps identified in the mappings above still have to be closed explicitly. This combination offers a resilient approach that lets organisations keep pace with a constantly shifting threat landscape.

By understanding the relationships between these standards and NIS2's specific requirements, organisations can develop a robust incident management framework that aligns with NIS2's objectives. Used together, these standards provide a compliance road map that helps ensure businesses are equipped to respond swiftly and effectively to cyber incidents, to mitigate their impact, and to prevent recurrences.

For further insights and practical guidance on creating a NIS2-compliant cybersecurity incident response plan, please refer to the appendix of this article.

Appendix: NIS2 Incident Response Obligations and Creating a Compliant Plan

NIS2 Incident Response Concepts

The NIS2 directive is based on two distinct concepts that must be considered when devising an incident response plan:

  1. Incidents: Defined as “any event compromising the availability, authenticity, integrity or confidentiality of stored, transmitted or processed data or of the services offered by, or accessible via, network and information systems” (Article 6(6)).
  2. Cyber Threats: Defined as “any potential circumstance, event or action that could damage, disrupt or otherwise adversely impact network and information systems, the users of such systems and other persons” (Article 2(8) of the Cybersecurity Act, referred to in Article 6(10) of NIS2).

Criteria for Significant Incidents

According to Article 23(3) of NIS2, an incident shall be considered significant if:

  • It has caused or is capable of causing severe operational disruption of the services or financial loss for the entity concerned.
  • It has affected or is capable of affecting other natural or legal persons by causing considerable material or non-material damage.

Step-by-Step Approach to Creating a NIS2-Compliant Cybersecurity Incident Response Plan

  1. Understand NIS2 Requirements and Scope: Confirm whether the organisation is an essential or important entity, recognise the Directive's emphasis on incident management and response, and assess the specific risks and threats it faces.
  2. Analyse the Threat Landscape in the Context of NIS2: Identify the cyber threats and incident types that could affect the services in scope and therefore trigger NIS2 obligations.
  3. Develop the NIS2-Compliant Plan: Create a policy and plan aligned with NIS2's requirements, covering preparation, identification, containment, eradication, recovery, and lessons learned.
  4. Select Tools and Technologies for NIS2 Compliance: Identify the detection, logging, case management and communication tools that support the plan and the reporting timelines.
  5. Align with NIS2 Compliance and Regulations: Ensure alignment with the national transposition of NIS2, including which competent authority or CSIRT must be notified and how the 24-hour, 72-hour and one-month reporting deadlines will be met.
  6. Implement the NIS2-Compliant Plan: Train relevant parties on NIS2 requirements and implement the security measures the plan depends on.
  7. Test and Continuously Improve for NIS2 Alignment: Regularly exercise the plan, including the reporting steps, and adapt it as NIS2 guidance and national requirements evolve.
  8. Utilise NIS2-Focused Templates and Resources: Consider using NIS2-specific templates and resources to assist in plan creation and implementation.

Understanding the specific definitions and criteria set out in the NIS2 directive is essential for creating a compliant cybersecurity incident response plan. By following the step-by-step approach outlined in this appendix, organisations can gain an overview of their alignment with NIS2's stringent requirements while leveraging industry standards such as ISO/IEC 27001:2022, NIST 800-53 Revision 5, and CIS Controls v8. This alignment offers a robust framework for incident handling and reporting, enabling organisations to navigate the complex landscape of cybersecurity compliance with confidence.

Further Reading

  1. Directive (EU) 2022/2555 (the NIS2 Directive): A high common level of cybersecurity in the EU
  2. NIST SP 800-53, Revision 5: Control Mappings to ISO/IEC 27001
  3. CIS Controls v8 Mapping to ISO/IEC 27001:2022
  4. NIST SP 800-61: Computer Security Incident Handling Guide
  5. Government confirms proposals to reform the NIS Regulations in order to strengthen UK cyber resilience
  6. Proposal for legislation to improve the UK's cyber resilience
