The NIS2 Directive: How to Ensure Awareness and Lawful Incident Reporting



In this month’s newsletter, we help you and your organization ensure cybersecurity awareness and training on a 360-degree scale as we go through:


Stats showing why cyber training in your organization is crucial – whether you’re affected by the NIS2 Directive or not

4 tips from our in-house expert on incident training and response

The 3 steps you must follow when reporting an incident

Today’s customer question on how you handle incidents with notification within 24 hours.


Happy reading!


Did you know that...

Human error causes 95% of cybersecurity breaches?


It's clear why awareness and training of management, board members, and key employees need to be one of the minimum requirements in the NIS2 Directive.

This is to ensure that they get the knowledge and skills they need to identify risks, and that they can assess cybersecurity risk management practices and their impact on the services that your company provides.

But what do awareness and training look like in practice?

We asked our Head of Information Security and Compliance Frederik Raabye – and he’s sharing his 4 best tips with you below.


4 tips from our in-house expert: Incident training and response


Reporting an incident: The 3 steps

You can do and train a lot to prevent incidents from happening. However, we still have to address the ‘what if’ elephant in the room.

If you’re exposed to a cyberattack, you must, according to the NIS2 Directive, follow these 3 steps in terms of reporting to the relevant authority:

  1. 24 hours to submit an early warning
  2. 72 hours to submit an incident notice with a preliminary assessment
  3. One month to submit a final report.

The reason for dividing incident reporting into three steps is to ensure 1) damage control, by making sure that companies can seek assistance from the authorities, and 2) in-depth reporting that gives companies as well as the authorities the chance to learn and improve resilience against future cyberattacks.


Today's customer question

Many companies are worried about the 24-hour deadline for submitting an incident report and whether they have enough time. We did in fact get this question from a customer:


“How do we ensure the handling of incidents with notification within 24 hours?”


We’ve asked our in-house legal NIS2 expert Jakob Krabbe Sørensen to break it down for you:


You ensure the handling of incidents within 24 hours by:

  • Knowing what kind of incidents you need to report
  • Knowing where you report an incident
  • Having bound your critical vendors to collaborate with you if the incident happens in their systems.

Incidents you need to report

The incidents you need to report are defined as ‘significant incidents’ in the NIS2 Directive. These are incidents that can cause:

  1. Severe disruptions of services
  2. Financial loss
  3. Considerable material damage
  4. Considerable non-material damage

Where you report an incident

The NIS2 Directive encourages EU member states to establish a Cyber Incident Response Team (CIRT) as the national/local authority that companies can report incidents to.


As examples, the Netherlands has CSIRT voor digitale dienstverleners (CSIRT-DSP) and Denmark has CFCS (Center for Cybersikkerhed).


We expect to see a process where you have to fill out a form on the CIRT’s website when reporting an incident.


Binding vendors to collaborate

Sometimes a significant incident can happen somewhere down in the supply chain.


In these cases, it can be extra difficult to report the incident appropriately and in time since a lot of the required knowledge will lie with the vendor.


Therefore, it’s crucial to enter into contractual arrangements with the vendor binding them to provide you with necessary assistance if needed.


Get ready for the NIS2 Directive in time with our NIS2 playbook

Do you want more hands-on guidance and advice from our in-house NIS2 experts? Get your own copy of our NIS2 compliance playbook for free right here.


Søren Vasehus Madsen

Reinsurance expert, Legal Tech, Board Member.

7 months

Great work
