NIS2 Directive – are you ready?

Follow cybersecurity experts CSC’s top three tips for preparing for the Network and Information Security 2 (NIS2) Directive.

The opinions expressed here are those of the authors. They do not necessarily reflect the views or positions of UK Finance or its members.

Banking and financial market infrastructure are among the sectors that NIS2 lists as essential to the functioning of society, so finance is one of the first industries to be affected by the Directive. The official summary of NIS2 calls for “a high common level of cybersecurity across the Union,” which means national cybersecurity strategies, designated cyber crisis management authorities, cyber risk management measures for in-scope organisations, clear incident reporting, and enforcement.

As cybersecurity experts, CSC of course champions NIS2 – good cyber hygiene can only benefit everyone. But what does it mean in reality? There are only four months to go until the 17 October 2024 deadline by which member states must transpose NIS2 into their national law. Although the Directive is addressed to EU member states, its obligations apply to any organisation providing in-scope services in the EU, wherever that organisation is established, so UK organisations must be proactive about applying NIS2 as well.

Here are my top three tips for UK finance organisations to get prepared for NIS2.

1. Review your risk management policies. The finance industry is no stranger to risk management, but to meet NIS2 requirements, I suggest ensuring that cybersecurity is explicitly referenced, and in particular:

  • Include domain registrars and domain name system (DNS) services, since a compromised or unavailable domain takes every service behind it offline
  • Ensure the organisations you work with are themselves NIS2 compliant (see point 2)
  • Make sure you have enterprise-class authoritative DNS with a secondary DNS provider, so that resolution of your domains survives an outage at the primary

2. Audit your suppliers for NIS2 compliance. At CSC we say you’re only as strong as your weakest link – a cyberattack on an organisation in your supply chain could affect you just as much as a direct attack, and NIS2 itself lists supply chain security among the risk management measures it requires. Make sure that the organisations you work with are compliant, and therefore lower risk. Evaluate your suppliers with a risk-assessment questionnaire, a written NIS2 compliance statement, or contractual service level agreements that cover security controls and incident notification.

3. Appoint an incident response team. NIS2 requires each member state to designate national computer security incident response teams (CSIRTs), and in-scope organisations must report significant incidents to their national CSIRT or competent authority: an early warning within 24 hours of becoming aware of the incident, a fuller notification within 72 hours, and a final report within a month. With only 24 hours for the early warning, having your own incident response team ready to go is essential to meet the deadline and avoid the hefty fines that NIS2 carries. Your team should be multi-disciplinary, covering cybersecurity, IT, legal, governance, and compliance. Cybersecurity is everyone’s responsibility, and a team with representatives from each of these areas will ensure this.

Find out more on how organisations can prepare for NIS2, plus other cybersecurity and online brand protection topics, at CSC’s upcoming event on 9 July – you can register to attend here.
