Implementation guidance on NIS2 security measures – Draft - IMPLEMENTATION OF TRAINING

ENISA is developing technical guidance to support EU Member States and entities with the implementation of the technical and methodological requirements of the NIS2 cybersecurity risk-management measures outlined in the Commission Implementing Regulation (EU) 2024/2690 of 17.10.2024 (https://data.europa.eu/eli/reg_impl/2024/2690/oj, available in English, Polish, German, French and all other EU language versions).

ENISA develops this technical guidance to provide:

  • Additional advice and tips on what to consider when implementing a requirement, and further explanation of concepts and terms used in the legal text;
  • Examples of evidence which could be used to assess whether a requirement has been met;
  • Tables, mapping the security requirements in the Implementing Regulation to European and international standards, as well as national frameworks.

The Implementing Regulation lays down these requirements with regard to DNS service providers, TLD name registries, cloud computing service providers, data centre service providers, content delivery network providers, managed service providers, managed security service providers, providers of online marketplaces, of online search engines and of social networking services platforms, and trust service providers.

Nevertheless, the implementation guide provided by ENISA can certainly be useful and valuable for all organizations subject to the NIS2 directive that are recognized as essential or important entities.

The draft of the technical guidance is now available for industry consultation through the following link: https://www.enisa.europa.eu/publications/implementation-guidance-on-nis-2-security-measures

The most important insights from ENISA guidance in relation to mandatory training:

Incident handling policy > … performing of red team/blue team exercise; make sure that personnel are properly trained to handle and manage incidents.

Risk Mitigation > … conducting regular security training for employees.

Business continuity plan and disaster recovery > … train personnel regularly in crisis management … train regularly the responsible personnel in disaster recovery operations.

Crisis management plan > … train personnel regularly in crisis management.

Supply chain security policy > … requirements regarding awareness, skills and training, and where appropriate certifications, required from the suppliers’ or service providers’ employees.

The exact recommendations regarding maintaining cyber hygiene and security training can be found on pages 99-103 of the ENISA document:

AWARENESS RAISING AND BASIC CYBER HYGIENE PRACTICES

(the relevant entities shall ensure that their employees are aware of risks, are informed of the importance of cybersecurity and apply cyber hygiene practices)

Topics to include in the programme (indicative, non-exhaustive list):

  • Train personnel to recognize social engineering attacks, such as phishing, pre-texting, and tailgating.
  • Train personnel to be aware of causes for unintentional data exposure. Example topics include erroneous delivery of sensitive data, losing a portable end-user device, or publishing data to unintended audiences.
  • Train personnel on the dangers of connecting to, and transmitting data over, insecure networks for the entity’s activities. If the entity has remote workers, training should include guidance to ensure that all users securely configure their home network infrastructure.
  • Train personnel on understanding malicious and unauthorized software, on the importance of malicious software detection and on the risks and consequences of using unauthorized software.

SECURITY TRAINING

(the relevant entities shall identify employees, whose roles require security relevant skill sets and expertise, and ensure that they receive regular training on network and information system security)

  1. Assess which roles within the entity require security relevant skills and expertise.
  2. Offer training that focuses on the specific security skills required by the identified roles.
  3. Provide role-specific network and information security training.
  4. Consider various training methods, such as online courses, workshops, hands-on labs, and simulations.
  5. Consider various types of training, such as courses, certifications, or attending security conferences or webinars.
  6. Provide cybersecurity training periodically: the program shall be updated and run periodically taking into account applicable policies and rules, assigned roles, responsibilities, as well as known cyber threats and technological developments.

Topics to include in the programme (indicative, non-exhaustive list):

  • Train personnel on authentication best practices, such as MFA, password creation, and credential management.
  • Train personnel on how to identify and properly store, transfer, archive, and destroy sensitive data.
  • Train personnel to recognize a potential incident, such as unusual email attachments, unexpected system behavior, and suspicious network traffic.
  • Train staff on how to report events promptly and accurately, including the use of designated communication channels.
  • Train personnel to understand how to verify and report out-of-date software or any failures in automated processes and tools. Part of this training should include notifying IT personnel of any failures in automated processes and tools.
  • Provide regular updates on the latest cyber threats.
  • Test the security knowledge of employees to make sure that they have sufficient and up-to-date security knowledge.
