The NIS2 Directive: by Christopher Nett

The NIS2 Directive enhances cybersecurity across the EU by establishing stricter requirements for member states and organizations in critical sectors, effective from January 16, 2023. It mandates improved security practices, incident reporting, and compliance measures, with penalties for non-compliance, including fines up to €10 million for essential entities. Member states must transpose the directive into national law by October 17, 2024, making organizations legally accountable for its requirements.


The NIS2 Directive

by Christopher Nett
What is the NIS2 Directive?

The NIS2 Directive builds upon the foundation laid by the original NIS Directive, aiming to establish
a higher and more consistent level of cybersecurity across the European Union.

It introduces responsibilities for both Member States and individual companies operating in critical
sectors.

Christopher Nett Source: https://digital-strategy.ec.europa.eu/en/policies/nis2-directive


What is the NIS2 Directive?

• Introduction to the NIS2 Directive:
  • First introduced in 2020 and officially came into effect on January 16, 2023.
  • Serves as a continuation and expansion of the original EU NIS Directive to address gaps in cybersecurity measures.

• Purpose and Goals:
  • Designed to strengthen the security of network and information systems across the European Union.
  • Mandates critical infrastructure operators and essential service providers to adopt effective security practices.
  • Establishes requirements for incident reporting to ensure timely responses to cybersecurity threats.

• Enhancements Over the Original NIS Directive:
  • Broadens the scope of organizations and sectors covered.
  • Introduces more comprehensive EU-wide security requirements and measures for improved standardization.
  • Simplifies and streamlines reporting obligations to reduce administrative burden while maintaining robust oversight.
  • Enforces stricter penalties and sanctions to ensure compliance and accountability throughout the EU.

Source: https://digital-strategy.ec.europa.eu/en/policies/nis2-directive


What is the NIS2 Directive?

Member States have until October 17, 2024 to transpose the Directive into national law. This
means that each organization encompassed by the Directive will be legally obligated to live up to
its requirements by Q4 2024.

Source: https://digital-strategy.ec.europa.eu/en/policies/nis2-directive


NIS2 - Essential and Important Entities

All companies within the scope must adhere to the same cybersecurity
standards, regardless of classification as essential or important entities.

Source: https://digital-strategy.ec.europa.eu/en/policies/nis2-directive


NIS2 - Essential and Important Entities

• Entities can be “Essential” or “Important”.

• Entities are clustered into “Large”, “Medium” or “Small” based on employee count and revenue:
  • Large: >=250 employees or more than 50 million revenue
  • Medium: 50-249 employees or more than 10 million revenue
  • Small: <50 employees or less than 10 million revenue

Source: https://digital-strategy.ec.europa.eu/en/policies/nis2-directive


NIS2 - Supervision & Compliance Measures for Entities

• Essential entities:
  • On-site/off-site inspections.
  • Regular security audits and ad hoc assessments.
  • Security scans to ensure compliance.

• Important entities:
  • Actions triggered post-incident or upon evidence of non-compliance.

Source: https://digital-strategy.ec.europa.eu/en/policies/nis2-directive


NIS2 - Essential and Important Entities

Sector                   Large Entities   Medium Entities   Small Entities
Energy                   Essential        Important         Not in Scope
Banking                  Essential        Important         Not in Scope
Financial Markets        Essential        Important         Not in Scope
Health                   Essential        Important         Not in Scope
Drinking Water           Essential        Important         Not in Scope
Waste Water              Essential        Important         Not in Scope
Digital Infrastructure   Essential        Essential         Not in Scope
ICT Service Providers    Essential        Important         Not in Scope
Public Administration    Essential        Essential         Not in Scope
Space                    Essential        Important         Not in Scope

Source: https://digital-strategy.ec.europa.eu/en/policies/nis2-directive


NIS2 – Other Critical Sectors

Sector                   Large Entities   Medium Entities   Small Entities
Postal Services          Important        Important         Not in Scope
Waste Management         Important        Important         Not in Scope
Chemicals                Important        Important         Not in Scope
Food                     Important        Important         Not in Scope
Manufacturing            Important        Important         Not in Scope
Research                 Important        Important         Not in Scope

Source: https://digital-strategy.ec.europa.eu/en/policies/nis2-directive


NIS2 – Fines and Personal Liability

• Fines for Non-Compliance:
  • Must be effective, proportionate, and dissuasive.
  • Financial penalties accompanied by enforcement measures (e.g., warnings, instructions, orders).

• Maximum Fines:
  • Essential Entities: Up to €10 million or 2% of worldwide annual turnover, whichever is higher.
  • Important Entities: Up to €7 million or 1.4% of worldwide annual turnover, whichever is higher.

Source: https://digital-strategy.ec.europa.eu/en/policies/nis2-directive
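The size thresholds, the two sector tables and the maximum-fine rule above can be combined into one classification routine. The following Python is an added example, not code from the deck or from the Commission's materials; the top-down precedence in `size_class` (large checked before medium, so the higher class wins when the employee and revenue rules disagree) is an assumption of this example, as is the constructed entity at the bottom.

```python
from typing import Optional

# Sector table from the deck: (large-entity class, medium-entity class).
# Small entities are out of scope in every sector listed.
SECTOR_TABLE = {
    "energy": ("essential", "important"),
    "banking": ("essential", "important"),
    "financial markets": ("essential", "important"),
    "health": ("essential", "important"),
    "drinking water": ("essential", "important"),
    "waste water": ("essential", "important"),
    "digital infrastructure": ("essential", "essential"),
    "ict service providers": ("essential", "important"),
    "public administration": ("essential", "essential"),
    "space": ("essential", "important"),
    "postal services": ("important", "important"),
    "waste management": ("important", "important"),
    "chemicals": ("important", "important"),
    "food": ("important", "important"),
    "manufacturing": ("important", "important"),
    "research": ("important", "important"),
}


def size_class(employees: int, revenue_millions: float) -> str:
    """Size cluster from the deck: >=250 staff or >50M revenue is large,
    50-249 staff or >10M revenue is medium, anything else is small.
    Assumption of this example: the checks run top-down, so the higher
    class wins when the employee and revenue rules disagree."""
    if employees < 0 or revenue_millions < 0:
        raise ValueError("employees and revenue must be non-negative")
    if employees >= 250 or revenue_millions > 50:
        return "large"
    if employees >= 50 or revenue_millions > 10:
        return "medium"
    return "small"


def classify(sector: str, employees: int, revenue_millions: float) -> Optional[str]:
    """Return 'essential', 'important' or None (not in scope) for an entity."""
    large_class, medium_class = SECTOR_TABLE[sector.lower()]
    size = size_class(employees, revenue_millions)
    if size == "large":
        return large_class
    if size == "medium":
        return medium_class
    return None


def max_fine_eur(classification: str, worldwide_turnover_eur: int) -> int:
    """Maximum fine per the deck: essential entities up to EUR 10M or 2% of
    worldwide annual turnover, important entities up to EUR 7M or 1.4%,
    whichever is higher. Integer arithmetic avoids float rounding."""
    if classification == "essential":
        return max(10_000_000, worldwide_turnover_eur * 2 // 100)
    if classification == "important":
        return max(7_000_000, worldwide_turnover_eur * 14 // 1000)
    raise ValueError("entity is not in scope, no NIS2 fine applies")


if __name__ == "__main__":
    # Constructed entity: a DNS operator with 80 staff and EUR 30M revenue.
    cls = classify("digital infrastructure", employees=80, revenue_millions=30)
    print(cls, max_fine_eur(cls, worldwide_turnover_eur=30_000_000))
```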


NIS2 – Fines and Personal Liability

• GDPR Cross-Compliance:
  • Violations leading to personal data breaches under GDPR require notification of relevant supervisory authorities.
  • Authorities may impose additional fines under GDPR for the same conduct.

• Additional Enforcement Measures (Essential Entities):
  • Temporary suspension of certifications or authorizations for specific services or activities.
  • Temporary prohibition of the CEO or legal representative from exercising managerial functions.

• Management Liability:
  • Senior managers or representatives with decision-making power can be held personally liable for failing to ensure compliance with NIS2.

Source: https://digital-strategy.ec.europa.eu/en/policies/nis2-directive


NIS2 – Enforcement Powers of Authorities

• For Essential Entities:
  • Gather information, issue warnings, and adopt binding instructions.
  • Order cessation of non-compliance, impose fines, and suspend certifications/authorizations.

• For Important Entities:
  • Limited to warnings, instructions, cessation orders, and fines.

Source: https://digital-strategy.ec.europa.eu/en/policies/nis2-directive


NIS2 Core Pillars

• Member State Responsibilities
• Risk Management
• Cooperation and Information Exchange

Source: https://digital-strategy.ec.europa.eu/en/policies/nis2-directive


NIS2 Member State Responsibilities

• National Authorities
• National Strategies
• CVD (Coordinated Vulnerability Disclosure) Frameworks
• Crisis Management Frameworks

Source: https://digital-strategy.ec.europa.eu/en/policies/nis2-directive


NIS2 Risk Management

• Accountability for top management

• Essential and important companies are required to implement security measures for:
  • Cyber Security Risk Management (CSRM)
  • Incident Handling
  • Business Continuity and Crisis Management
  • Supply Chain Security
  • Security in system acquisition, development and maintenance
  • Policies and procedures to assess the effectiveness of CSRM
  • Cyber hygiene and awareness training
  • Cryptography
  • Human resource security

Source: https://digital-strategy.ec.europa.eu/en/policies/nis2-directive


NIS2 Cooperation and Information Exchange

• Cooperation Group
• CSIRT network
• CVD and European vulnerability registry
• Peer reviews
• ENISA

Source: https://digital-strategy.ec.europa.eu/en/policies/nis2-directive


What is a Threat?

Any circumstance or event with the potential to adversely impact organizational operations, organizational assets, or individuals through an information system via unauthorized access, destruction, disclosure, modification of information, and/or denial of service.

Source: Security and Privacy Controls for Information Systems and Organizations (nist.gov)
Intelligence, Threat Intelligence and CTI

• Intelligence
• Threat Intelligence
• Cyber Threat Intelligence

Source: What is Cyber Threat Intelligence? (cisecurity.org)


Cyber Threat Intelligence (CTI)

What is Cyber Threat Intelligence?

“Cyber Threat intelligence is knowledge about adversaries and their motivations, intentions, and methods that is collected, analyzed, and disseminated in ways that help security and business staff at all levels protect critical assets of the enterprise.”

Enabling Threat-Informed Defense

Source: What is Cyber Threat Intelligence? (cisecurity.org)


Threat, Vulnerability & Risk

Threat Actor → (initiates) → Threat → (exploits) → Vulnerability → (causing) → Adverse Impact → (producing) → Risk

Risk: Impact + Likelihood

Source: Security and Privacy Controls for Information Systems and Organizations (nist.gov)
Threat-Informed-Defense

• What is the mission of my organization?
• What threat actors are interested in my organization's industry?
• What are the motivations of those threat actors?
• What TTPs are those threat actors using?
• How can I detect and protect my organization against those TTPs?

Tactics, Techniques and Procedures

• Tactics: The high-level description of the behavior and strategy of a threat actor. Example: Reconnaissance.
• Techniques: These are the non-specific guidelines and intermediate methods that describe how a tactic action can be realized. Example: Scanning.
• Procedures: These refer to the sequence of actions performed using a technique to execute on an attack tactic. The procedure involves detailed descriptions of activities. Example: Vulnerability Scanning.

Source: What Are TTPs? Tactics, Techniques & Procedures Explained | Splunk
IOCs and IOAs

• IOC: An Indicator of Compromise (IOC) is evidence on a system that indicates that the security of the network has been breached.
• IOA: Indicators of Attack (IOA) focus on detecting the intent of what an attacker is trying to accomplish and its behavior, regardless of the malware or exploit used in an attack.

IOCs                            IOAs
File Hashes, Domains, URLs      Intent & Behavior

Source: IOA vs IOC: Understanding the Differences - CrowdStrike


Pyramid of Pain

Indicator type (top = hardest for the adversary to change)   Level of difficulty
TTPs                                                         Tough!
Tools                                                        Challenging
Network/Host Artifacts                                       Annoying
Domain Names                                                 Simple
IP Addresses                                                 Easy
Hash Values                                                  Trivial

Source: Enterprise Detection & Response: The Pyramid of Pain (detect-respond.blogspot.com)
What is Threat Hunting?

Threat Hunting is the practice of proactively searching for cyber threats that are lurking undetected in your environment.

There are two Threat Hunting Models:
1) Intelligence-based Hunting: Leverage IOCs, hash values, IP addresses, domain names or host artifacts
2) Hypothesis-based Hunting: Hunt based on IOAs and TTPs of adversaries

Source: What is threat hunting? | IBM
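The intelligence-based hunting model, together with the IOC and Pyramid of Pain slides above, can be turned into a small matcher that tags each hit with how cheap that indicator type is for the adversary to change. This is an added example, not code from the deck or from the cited sources; the watchlist entries, log lines and field names are constructed for illustration.

```python
import re
from typing import Dict, List, Set

# Pyramid of Pain level for each indicator type used by intelligence-based hunting.
PAIN_LEVEL = {"hash": "Trivial", "ip": "Easy", "domain": "Simple"}

# Extractors for the three IOC types: MD5/SHA-1/SHA-256 hex, dotted IPv4, hostnames.
EXTRACTORS = {
    "hash": re.compile(r"\b(?:[0-9a-f]{64}|[0-9a-f]{40}|[0-9a-f]{32})\b", re.IGNORECASE),
    "ip": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "domain": re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE),
}

# Constructed watchlist for this example (documentation IP range, example domain,
# made-up hash), not real threat indicators.
IOC_WATCHLIST: Dict[str, Set[str]] = {
    "hash": {"deadbeef" * 8},
    "ip": {"203.0.113.45"},
    "domain": {"update.example.net"},
}

# Constructed proxy and EDR log lines; lines 2 and 3 contain watchlist hits.
SAMPLE_LOGS = [
    "2024-05-01T10:00:01Z proxy src=10.0.0.5 dst=198.51.100.7 host=intranet.example.org status=200",
    "2024-05-01T10:00:07Z proxy src=10.0.0.5 dst=203.0.113.45 host=update.example.net status=200",
    "2024-05-01T10:00:09Z edr host=WS-0142 action=file_create sha256=" + "deadbeef" * 8,
    "2024-05-01T10:01:15Z edr host=WS-0142 action=file_create sha256=" + "cafef00d" * 8,
]


def hunt(lines: List[str], watchlist: Dict[str, Set[str]]) -> List[dict]:
    """Return one hit per (line, indicator) pair, tagged with its Pyramid of Pain level."""
    hits = []
    for lineno, line in enumerate(lines, start=1):
        for ioc_type, pattern in EXTRACTORS.items():
            wanted = {v.lower() for v in watchlist.get(ioc_type, set())}
            for match in pattern.findall(line):
                if match.lower() in wanted:
                    hits.append({"line": lineno, "type": ioc_type,
                                 "value": match.lower(), "pain": PAIN_LEVEL[ioc_type]})
    return hits


if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOGS, IOC_WATCHLIST):
        print(hit)
```

A hit on a hash or IP is a lead, not a conclusion: the pain level shows that such indicators are the easiest for the adversary to rotate, which is why the deck's hypothesis-based model builds on IOAs and TTPs instead.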


CTI Sources

• Enterprise
• OSINT
• Social Media

NIS2 Requirements for CSRM

• Critical risks are identified, documented, and effectively managed.
• Key threats are recognized, documented, and addressed appropriately.
• Risks are prioritized, evaluated, and managed systematically.
• Risks are analyzed, and actionable plans are developed.
• The risk management system is aligned with asset management practices.

Source: https://digital-strategy.ec.europa.eu/en/policies/nis2-directive


Implementation Plan: CSRM

• Conduct a comprehensive inventory of all critical assets, systems, and processes to establish a risk
management baseline.

• Identify potential critical risks to operations, systems, and assets through structured risk assessments and
expert consultations.

• Document identified risks in a centralized risk register, ensuring accessibility and regular updates.

• Establish a threat intelligence framework to recognize and document key threats, utilizing industry best
practices and real-time threat feeds.

• Prioritize risks based on impact and likelihood using a standardized risk evaluation matrix to ensure
systematic management.

Source: https://digital-strategy.ec.europa.eu/en/policies/nis2-directive


Implementation Plan: CSRM

• Develop and implement risk mitigation plans tailored to address high-priority threats, ensuring actionable and
measurable outcomes.

• Align risk analysis with asset management practices, ensuring risk mitigation efforts are directly tied to asset
criticality and value.

• Integrate risk management workflows into existing IT and operational governance frameworks for seamless
execution.

• Establish regular monitoring and review cycles for risk assessments to adapt to evolving threats and
operational changes.

• Conduct organization-wide training programs on risk management practices to foster a culture of proactive
threat recognition and mitigation.

Source: https://digital-strategy.ec.europa.eu/en/policies/nis2-directive


NIS2 Requirements for Incident Reporting

• Security incidents are identified and detected promptly.
• Incident response processes are established and operational.
• Incidents are monitored, tracked, and thoroughly documented.
• An effective incident reporting system is implemented and functional.

Source: https://digital-strategy.ec.europa.eu/en/policies/nis2-directive


NIS2 Requirements for Incident Reporting

Stage                        Content                                                     Deadline
Early Warning                Is it a malicious act with potential cross-border impact?   24h
Official Notification        Severity of the incident + IoCs + first impact assessment   72h
Intermediate Status Report   Per request from authorities                                As requested
Final Report                 Thorough analysis and reporting                             1 month

Source: https://digital-strategy.ec.europa.eu/en/policies/nis2-directive
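The reporting stages above are clock-driven from the moment an entity becomes aware of a significant incident, so a tracker that derives the deadlines and flags what is overdue is a natural artifact of an incident-handling playbook. The following Python is an added example, not code from the deck or from the directive itself; the stage names and the month-end clamping rule are choices of this example, and the timestamps are constructed.

```python
import calendar
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set


def parse_ts(iso: str) -> datetime:
    """Parse an ISO 8601 timestamp and insist on a timezone so deadlines are unambiguous."""
    t = datetime.fromisoformat(iso)
    if t.tzinfo is None:
        raise ValueError("timestamp must carry a timezone offset")
    return t


def add_one_month(t: datetime) -> datetime:
    """Same day next month, clamped to that month's length (31 Jan -> 28/29 Feb)."""
    year = t.year + (1 if t.month == 12 else 0)
    month = 1 if t.month == 12 else t.month + 1
    day = min(t.day, calendar.monthrange(year, month)[1])
    return t.replace(year=year, month=month, day=day)


def reporting_deadlines(aware_at: datetime) -> Dict[str, Optional[datetime]]:
    """Deadlines for the four NIS2 reporting stages from the deck, counted from
    awareness of the incident. The intermediate status report is produced on
    request and therefore has no fixed deadline (None)."""
    return {
        "early_warning": aware_at + timedelta(hours=24),
        "official_notification": aware_at + timedelta(hours=72),
        "intermediate_status_report": None,
        "final_report": add_one_month(aware_at),
    }


def overdue_stages(aware_at: datetime, now: datetime, submitted: Set[str]) -> List[str]:
    """Stages whose deadline has passed without a submission, in deadline order."""
    return [stage for stage, due in reporting_deadlines(aware_at).items()
            if due is not None and stage not in submitted and now > due]


if __name__ == "__main__":
    # Constructed timeline: awareness on 31 Jan 2024 10:00 UTC, nothing submitted yet.
    aware = parse_ts("2024-01-31T10:00:00+00:00")
    for stage, due in reporting_deadlines(aware).items():
        print(f"{stage:28s} {due.isoformat() if due else 'as requested'}")
    print(overdue_stages(aware, parse_ts("2024-02-02T12:00:00+00:00"), set()))
```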


NIST Incident Response Process

Preparation → Detection & Analysis → Containment, Eradication & Recovery → Post-Incident Activity

Source: https://nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800-61r2.pdf


NIST IR - Preparation

• Establish Policies and Procedures: Develop comprehensive incident response policies and
procedures tailored to your organization's needs and compliance requirements.

• Training and Awareness: Regularly train staff on their roles in incident response, including
recognizing potential security incidents.

• Tool and Resource Allocation: Equip the incident response team with necessary tools
(software and hardware) and access rights to perform their duties effectively.

• Communication Plan: Create a clear communication strategy that includes internal escalation
paths and external communication with stakeholders.

• Incident Response Plan Testing: Conduct regular simulations and tabletop exercises to test
the incident response plan and identify areas for improvement.

Source: https://nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800-61r2.pdf


NIST IR – Detection & Analysis

• Incident Detection Tools: Utilize tools like SIEM (Security Information and Event Management),
IDS (Intrusion Detection Systems), and antivirus software to monitor for signs of security
incidents.

• Incident Analysis Techniques: Apply a structured approach to investigate alerts, using log
analysis, forensics, and root cause analysis to determine the scope and impact.

• Incident Documentation: Document all detected incidents and their analysis steps in detail for
future reference and legal compliance.

• Event Prioritization: Classify and prioritize incidents based on their potential impact and
urgency, to allocate resources accordingly.

• Integration with Threat Intelligence: Leverage external threat intelligence to enhance detection capabilities and contextualize detected incidents.

Source: https://nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800-61r2.pdf


NIST IR – Containment, Eradication & Recovery

• Short-term Containment: Implement immediate containment strategies to limit the spread of an incident, such as isolating network segments or disabling affected accounts.

• Long-term Containment: Develop strategies for longer-term solutions to ensure that threats
are completely neutralized without impacting business operations.

• Eradication of Threats: Remove malware, unauthorized access, and other malicious elements
from the environment. Patch vulnerabilities and address the root cause of the incident.

• System Restoration: Restore systems from clean backups, ensuring no remnants of the threat
remain. Validate the integrity of systems before bringing them back online.

• Post-Recovery Monitoring: Monitor the affected systems for signs of re-compromise and
ensure all security measures are effective.

Source: https://nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800-61r2.pdf


NIST IR – Post-Incident Activity

• Lessons Learned: Conduct a post-incident review to identify what was successful and what
could be improved in your incident response plan.

• Update Incident Response Plan: Use lessons learned to refine the incident response plan,
improving procedures and strategies based on practical experience.

• Reporting: Complete any necessary incident reporting to stakeholders, regulators, and possibly
the public, based on legal and regulatory requirements.

• Incident Metrics: Develop and review metrics to measure incident response effectiveness and
to identify trends or areas needing improvement.

• Continual Improvement: Implement a continual improvement process for security measures and incident response capabilities, integrating new technologies and methods as needed.

Source: https://nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800-61r2.pdf


Implementation Plan: Incident Handling

• Establish a robust incident response policy outlining roles, responsibilities, and escalation procedures for all
stakeholders.

• Develop and implement an incident detection framework, utilizing automated monitoring tools, intrusion
detection systems (IDS), and log analysis to promptly identify potential security incidents.

• Conduct regular threat hunting exercises and red team/blue team simulations to improve incident detection
capabilities.

• Set up a centralized incident response playbook with predefined processes and workflows for handling
different types of incidents.

• Ensure a 24/7 incident monitoring system is operational, supported by a dedicated Security Operations
Center (SOC) or managed security services.

Source: https://digital-strategy.ec.europa.eu/en/policies/nis2-directive


Implementation Plan: Incident Handling

• Deploy an incident tracking system that records details such as timelines, root causes, impacts, and
remediation actions for each incident.

• Establish an effective incident reporting system that enables stakeholders to report incidents quickly,
including automated reporting for critical events.

• Conduct regular training and drills for incident response teams to ensure they can execute processes
effectively under pressure.

• Implement a post-incident review process to analyze response effectiveness, update playbooks, and integrate
lessons learned into the overall cybersecurity strategy.

• Align incident response processes with NIST’s guidance, ensuring thorough preparation, detection, analysis,
containment, eradication, and recovery activities.

Source: https://digital-strategy.ec.europa.eu/en/policies/nis2-directive


NIS2 Requirements for Business Continuity and Crisis
Management

• A comprehensive business continuity plan (BCP) is in place, documented, and regularly updated
to address potential disruptions.

• Crisis management procedures are clearly defined and tested to ensure an effective
organizational response to emergencies.

• Regular drills and simulations are conducted to validate the effectiveness of business continuity
and crisis management strategies.

• Critical systems and services are prioritized for recovery to minimize operational impact during
disruptions.

• Communication protocols are established to ensure timely and clear information flow to
stakeholders during a crisis.

Source: https://digital-strategy.ec.europa.eu/en/policies/nis2-directive


Implementation Plan: Business Continuity and Crisis
Management

• Conduct a business impact analysis (BIA) to identify critical systems, processes, and services
that require prioritization during disruptions.

• Develop and document a comprehensive Business Continuity Plan (BCP) tailored to address
potential operational disruptions, natural disasters, and cyber incidents.

• Create crisis management procedures that outline decision-making structures, escalation paths,
and key roles during emergency situations.

• Establish recovery objectives such as Recovery Time Objective (RTO) and Recovery Point
Objective (RPO) for critical systems and services to guide recovery efforts.

• Implement redundancy and failover mechanisms, including secondary systems, cloud backups,
and geographically diverse data centers, to ensure resilience.

Source: https://digital-strategy.ec.europa.eu/en/policies/nis2-directive


Implementation Plan: Business Continuity and Crisis
Management

• Conduct regular drills, tabletop exercises, and simulations to validate the BCP, crisis
management strategies, and organizational readiness.

• Define and document clear communication protocols, ensuring timely updates to employees,
customers, partners, and regulators during crises.

• Establish a crisis response team, equipped with the resources and authority needed to make
swift decisions and coordinate recovery efforts.

• Regularly review and update the BCP and disaster recovery strategies based on lessons learned
from drills, audits, and real incidents.

• Align business continuity and disaster recovery plans with overarching risk management
frameworks and regulatory requirements for a cohesive organizational approach.

Source: https://digital-strategy.ec.europa.eu/en/policies/nis2-directive


NIS2 Requirements for Supply Chain Security

• Critical services provided by suppliers are clearly identified, documented, and described.

• Service suppliers are recognized and thoroughly documented.

• IT service suppliers are effectively monitored and managed.

• Maintenance suppliers are managed and remain under control.

• Contracts with IT service providers are carefully managed and monitored.

• Cleaning contractors are effectively controlled and supervised.

• Supplier contracts include necessary provisions to ensure information security, protection, and
proper service termination protocols.

Source: https://digital-strategy.ec.europa.eu/en/policies/nis2-directive


Implementation Plan: Supply Chain Security

• Identify and document all critical services provided by suppliers, including IT, maintenance, and operational
services, in a centralized supplier register.

• Develop and maintain a detailed inventory of service suppliers, categorizing them by service type, criticality,
and potential impact on organizational operations.

• Conduct thorough risk assessments for each supplier to evaluate their security posture and potential
vulnerabilities in the supply chain.

• Establish a supplier monitoring framework, including regular performance reviews, compliance audits, and
security assessments for IT service providers.

• Implement strict access controls and monitoring protocols for maintenance suppliers, ensuring their activities
are documented and supervised.

Source: https://digital-strategy.ec.europa.eu/en/policies/nis2-directive


Implementation Plan: Supply Chain Security

• Develop and enforce robust contracts with IT service providers, including specific provisions for information
security, incident reporting, and service termination protocols.

• Ensure cleaning contractors and other non-IT suppliers are vetted, supervised, and adhere to physical
security requirements for sensitive areas.

• Establish clear communication and escalation protocols with suppliers to ensure rapid response and
transparency in the event of a supply chain incident.

• Implement a supplier onboarding and offboarding process to verify compliance with security standards before
engagement and ensure secure service termination.

• Regularly review and update supplier agreements to reflect evolving security requirements, regulatory
changes, and organizational needs.

Source: https://digital-strategy.ec.europa.eu/en/policies/nis2-directive


NIS2 Requirements for Security in system acquisition,
development and maintenance

• Security is integrated into the system development lifecycle, including design, implementation,
and testing phases.

• Regular penetration testing is conducted on critical systems to identify and address potential
security weaknesses.

• A vulnerability management program is established to continuously identify, evaluate, and remediate vulnerabilities in systems and applications.

• Vulnerability assessments are performed periodically to ensure that systems remain secure and resilient against emerging threats.

Source: https://digital-strategy.ec.europa.eu/en/policies/nis2-directive


What is a Vulnerability?

Weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source.

Source: vulnerability - Glossary | CSRC (nist.gov)


Common Vulnerabilities and Exposures (CVE)

• Led by MITRE
• Every newly discovered vulnerability is assigned a CVE ID in the form
of CVE-yyyy-xxxx
• Includes a vulnerability description, data sources as well as the official
vendor announcement

Common Vulnerabilities and Exposures (CVE)

• CVE-2009-2935
• Google V8, as used in Google Chrome before 2.0.172.43, allows
remote attackers to bypass intended restrictions on reading memory,
and possibly obtain sensitive information or execute arbitrary code in
the Chrome sandbox, via crafted JavaScript.
• CVSS Version 2.0 Score: 10.0

Source: https://nvd.nist.gov/vuln/detail/CVE-2009-2935


Common Vulnerability Scoring System (CVSS)

• Evaluates the severity of the vulnerability from 1-10
• Considers the CIA triad but also other factors

CVSSv2                        CVSSv3
CVSS Score   Severity         CVSS Score   Severity
7.0 – 10.0   High             9.0 – 10.0   Critical
4.0 – 6.9    Medium           7.0 – 8.9    High
0.0 – 3.9    Low              4.0 – 6.9    Medium
                              0.1 – 3.9    Low
                              0            None

Source: https://nvd.nist.gov/vuln-metrics/cvss
What is Vulnerability Management?

• Identification: Detecting vulnerabilities in IT assets like applications, systems, and networks through automated scanning and manual testing methods.
• Evaluation: Analyzing identified vulnerabilities to assess their nature, exploitability, and potential impact on the organization.
• Prioritization: Ranking vulnerabilities based on their criticality and the urgency of action needed, considering factors such as threat environment and asset value.
• Remediation: Addressing vulnerabilities by applying patches, configuring security settings, or employing other mitigation strategies to reduce risk.
• Reporting: Documenting the vulnerability management process, outcomes, and unresolved issues for internal stakeholders and compliance with external regulations.

Vulnerability Identification

(Vulnerability management cycle: Identification → Evaluation → Prioritization → Remediation → Reporting)

• Scanning Tools: Utilize automated software tools to scan for vulnerabilities across all digital assets
  • Agent-based
  • Agent-less
• Manual Testing: Conduct expert-driven assessments and penetration testing to find security gaps missed by automated tools
• Inventory Management: Maintain an updated inventory of all organizational assets to ensure comprehensive vulnerability detection

Vulnerability Evaluation

• Severity Assessment: Assess vulnerabilities based on the potential harm they could cause if exploited.
  • CVSS
  • Asset Criticality
• Context Analysis: Consider the specific context of the asset, such as its role in the organization and exposure level.
• Vulnerability Research: Stay informed about the latest vulnerability disclosures and industry advisories

Vulnerability Prioritization

• Risk-Based Ranking: Prioritize fixing vulnerabilities based on the risk they pose to the most critical assets.
• Compliance Requirements: Factor in legal and compliance implications to prioritize vulnerabilities.
• Resource Availability: Align vulnerability remediation with available security resources and operational impact.

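The Evaluation inputs (CVSS score, asset criticality, exposure) and the Prioritization rules (risk-based ranking, compliance weight) above can be combined into one ranking function. This is an added example, not code from the deck; the 1-5 criticality scale, the exposure and compliance weights, and the sample findings with placeholder ids are assumptions constructed for illustration. It shows that a Medium-rated finding on an internet-facing, business-critical asset outranks a Critical one on an isolated lab machine.

```python
from dataclasses import dataclass
from typing import List


def cvss_v3_severity(score: float) -> str:
    """Qualitative rating from the CVSS v3 table earlier in the deck."""
    if not 0.0 <= score <= 10.0:
        raise ValueError("CVSS base score must be between 0.0 and 10.0")
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


@dataclass(frozen=True)
class Finding:
    vuln_id: str             # placeholder ids below; real findings carry CVE ids
    asset: str
    cvss: float              # severity assessment input
    asset_criticality: int   # 1 (low) .. 5 (business-critical); assumed scale
    internet_exposed: bool   # context analysis: exposure level
    compliance_relevant: bool = False  # e.g. in scope of a regulatory audit


def risk_score(f: Finding) -> float:
    """Risk-based ranking: severity x asset criticality, weighted by exposure and
    compliance relevance. The weights 1.5 and 1.2 are assumptions of this example."""
    if not 1 <= f.asset_criticality <= 5:
        raise ValueError("asset_criticality must be 1..5")
    exposure = 1.5 if f.internet_exposed else 1.0
    compliance = 1.2 if f.compliance_relevant else 1.0
    return round(f.cvss * f.asset_criticality * exposure * compliance, 2)


def prioritize(findings: List[Finding]) -> List[Finding]:
    """Highest risk first; ties broken by raw CVSS so the more severe flaw is fixed first."""
    return sorted(findings, key=lambda f: (risk_score(f), f.cvss), reverse=True)


# Constructed sample findings (placeholder ids, not real vulnerabilities).
SAMPLE_FINDINGS = [
    Finding("VULN-0001", "lab-build-box", cvss=9.8, asset_criticality=1, internet_exposed=False),
    Finding("VULN-0002", "customer-portal", cvss=6.5, asset_criticality=5, internet_exposed=True),
    Finding("VULN-0003", "payments-api", cvss=7.5, asset_criticality=3, internet_exposed=True,
            compliance_relevant=True),
]


if __name__ == "__main__":
    for f in prioritize(SAMPLE_FINDINGS):
        print(f"{f.vuln_id} {f.asset:16s} {cvss_v3_severity(f.cvss):8s} risk={risk_score(f)}")
```
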
Vulnerability Remediation

• Patch Management: Deploy security patches promptly to mitigate identified vulnerabilities.
• Configuration Changes: Adjust settings and configurations to harden systems against attack.
• Mitigation Techniques: Implement interim protective measures when immediate remediation is not possible.

Vulnerability Reporting

• Documentation: Record details of the vulnerability management efforts, including identified, mitigated, and outstanding vulnerabilities.
• Review Meetings: Regularly review the vulnerability management process with stakeholders to align on progress and strategy.
• Compliance Auditing: Prepare reports for auditing purposes to ensure compliance with industry regulations and standards.

What is Penetration Testing?

• Simulated cyber attack to evaluate the security of systems.
• Identifies vulnerabilities before real attackers exploit them.
• Involves various techniques to bypass defenses.
• Conducted by ethical hackers under controlled conditions.
• Essential for maintaining a robust security posture.

Penetration Testing in Cyber Security

• Detects and addresses security weaknesses.
• Helps in risk management and compliance.
• Provides insights for enhancing security measures.
• Validates the effectiveness of existing security controls.
• Builds organizational resilience against cyber threats.

Red Teaming vs. Penetration Testing

• Scope: Red Teaming is broader, focusing on end-to-end security; Penetration Testing targets
specific vulnerabilities.

• Methodology: Red Teaming uses diverse tactics, techniques, and procedures (TTPs);
Penetration Testing follows a structured checklist.

• Objective: Red Teaming assesses overall security resilience; Penetration Testing aims to
identify and fix specific flaws.

• Duration: Red Teaming is often ongoing or long-term; Penetration Testing is usually time-bound.

• Outcome: Red Teaming provides strategic insights and recommendations; Penetration Testing
delivers a list of vulnerabilities and fixes.

Implementation Plan: Security in system acquisition, development and maintenance

• Integrate security requirements into the system development lifecycle (SDLC), ensuring security is addressed
at the design, implementation, testing, and deployment phases.

• Develop and enforce secure coding practices for software developers, including the use of static and dynamic
code analysis tools during development.

• Implement threat modeling during the design phase to identify potential vulnerabilities and ensure security-by-design principles are applied.

• Conduct regular penetration testing on critical systems and applications to identify security weaknesses and
validate the effectiveness of implemented controls.

• Establish a vulnerability management program to continuously monitor, identify, and prioritize vulnerabilities in
systems, applications, and third-party components.

Christopher Nett Source: https://digital-strategy.ec.europa.eu/en/policies/nis2-directive


• Schedule periodic vulnerability assessments using automated scanning tools and manual reviews to maintain
system resilience against emerging threats.

• Apply patches and updates to software and systems promptly, based on the severity of identified
vulnerabilities and the organization's risk appetite.

• Maintain an inventory of all system and application dependencies, ensuring that third-party libraries and
frameworks are monitored for vulnerabilities.

• Incorporate secure configuration management practices to standardize and harden systems against common
attack vectors.

• Conduct regular security awareness training for development and IT teams to keep them updated on secure
development practices, emerging threats, and vulnerabilities.



NIS2 Requirements for Cyber hygiene and awareness training

• Key data (primary assets) are clearly identified and thoroughly documented.

• Support assets are recognized, identified, and described in detail.

• Critical systems are identified, documented, and well understood.

• Dependencies of primary assets on IT infrastructure (including software, hardware, and services) are clearly
described.

• Onboarding training programs are established and implemented.

• Regular training and coaching sessions are conducted to reinforce knowledge and skills.

• Training processes are systematically planned and documented.

• Training includes comprehensive education on information literacy, as well as information and cyber security
risks.

• Employees are regularly and consistently updated on internal regulations and organizational news.



Implementation Plan: Cyber hygiene and awareness training

• Identify and thoroughly document key data assets (primary assets), including sensitive information, intellectual
property, and critical operational data.

• Recognize and catalog all support assets, such as IT systems, personnel, and services, detailing their roles in
supporting primary assets.

• Document and map critical systems, ensuring a clear understanding of their importance and
interdependencies within the organization.

• Describe dependencies between primary assets and IT infrastructure, including hardware, software, cloud
services, and third-party providers, to highlight potential vulnerabilities.

• Develop and implement a structured onboarding training program that introduces employees to the
organization's cyber hygiene practices and security policies.

• Conduct regular training and coaching sessions to reinforce employees' knowledge and skills on
cybersecurity risks and best practices.

• Systematically plan and document training processes, including schedules, content, and metrics for assessing
training effectiveness.

• Provide comprehensive education on information literacy and cybersecurity risks, focusing on recognizing
phishing, malware, social engineering, and other common attack vectors.

• Establish regular communication channels to update employees on internal regulations, new cyber threats,
and organizational security initiatives.

• Introduce gamified or interactive training methods to enhance employee engagement and improve retention
of critical security knowledge.



NIS2 Requirements for Cryptography

• Cryptographic algorithms used for securing data are up-to-date and comply with recognized
industry standards.

• Encryption is implemented for data at rest, in transit, and during processing to ensure
confidentiality and integrity.

• Cryptographic keys are securely stored, managed, and rotated periodically to prevent
unauthorized access or misuse.

• A policy for handling cryptographic incidents, such as compromised keys, is in place and
regularly tested.



Implementation Plan: Cryptography

• Identify and document all data types requiring cryptographic protection, including data at rest, in transit, and
during processing.

• Implement cryptographic algorithms that comply with recognized industry standards (e.g., AES-256, RSA-2048, SHA-2), ensuring encryption methods are up-to-date and resistant to known vulnerabilities.

• Encrypt sensitive data at rest using strong encryption methods to protect it from unauthorized access or data
breaches.

• Apply encryption protocols for data in transit, such as TLS 1.3 or IPsec, to safeguard data integrity and
confidentiality during transmission.

• Introduce homomorphic encryption or similar methods for protecting data during processing, especially in
sensitive or high-security environments.

• Establish a cryptographic key management system to securely generate, store, distribute, and rotate
encryption keys according to industry best practices.

• Implement hardware security modules (HSMs) or other secure storage mechanisms to protect cryptographic
keys from unauthorized access or compromise.

• Define and enforce a cryptographic incident-handling policy to address incidents such as compromised keys,
certificate failures, or algorithm weaknesses.

• Conduct regular audits and tests of cryptographic implementations to verify compliance with security policies
and to detect potential vulnerabilities.

• Train staff on cryptographic principles, policies, and incident response processes to ensure secure
management and usage of cryptographic tools and techniques.
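Key rotation, storage by version and the compromised-key response called for in the cryptography requirements and implementation plan above, as an added Go example that is not part of the deck. It assumes an in-memory `Keyring` standing in for the HSM or KMS the plan names, AES-256-GCM with a one-byte key version prefixed to every ciphertext, and that destroying a version is the incident response for a compromised key.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

const nonceLen = 12 // standard AES-GCM nonce size

// Keyring: versioned AES-256-GCM keys (a real deployment keeps them in an HSM/KMS).
type Keyring struct {
	keys    [256]cipher.AEAD // indexed by version; nil = unknown or revoked
	current byte
}

// Rotate generates a fresh 256-bit key and makes it the current version.
func (kr *Keyring) Rotate() byte {
	k := make([]byte, 32)
	rand.Read(k) // crypto/rand; a 32-byte key selects AES-256
	block, _ := aes.NewCipher(k)
	kr.current++
	kr.keys[kr.current], _ = cipher.NewGCM(block)
	return kr.current
}

// Revoke is the compromised-key response: blobs under v stay unreadable until re-encrypted.
func (kr *Keyring) Revoke(v byte) { kr.keys[v] = nil }

// Encrypt emits version || nonce || ciphertext, binding the version byte as associated data.
func (kr *Keyring) Encrypt(pt []byte) ([]byte, error) {
	g := kr.keys[kr.current]
	if g == nil {
		return nil, fmt.Errorf("current key revoked: rotate first")
	}
	hdr := make([]byte, 1+nonceLen)
	hdr[0] = kr.current
	rand.Read(hdr[1:])
	return append(hdr, g.Seal(nil, hdr[1:], pt, hdr[:1])...), nil
}

// Decrypt resolves the version named in the blob; revoked or unknown versions fail.
func (kr *Keyring) Decrypt(blob []byte) ([]byte, error) {
	if len(blob) < 1+nonceLen || kr.keys[blob[0]] == nil {
		return nil, fmt.Errorf("malformed blob or unknown/revoked key version")
	}
	g := kr.keys[blob[0]]
	return g.Open(nil, blob[1:1+nonceLen], blob[1+nonceLen:], blob[:1])
}
```

After a routine rotation old data stays readable until it is re-encrypted, whereas after a revocation it does not, which is the difference between planned rotation and incident handling.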



NIS2 Requirements for Human resource security

• Employees with access to sensitive information undergo thorough screening.

• The onboarding process is carefully managed and controlled.

• Authorization for job role changes is effectively monitored and managed.

• The employee exit process is systematically controlled to ensure security and compliance.



Implementation Plan: Human resource security

• Conduct thorough pre-employment background checks for employees with access to sensitive information,
verifying qualifications, references, and criminal records as permitted by law.

• Develop and implement a formal onboarding process that includes security awareness training, emphasizing
organizational policies, acceptable use, and responsibilities for safeguarding sensitive information.

• Define and document clear access control policies to ensure employees are granted permissions strictly
aligned with their job roles and responsibilities.

• Implement a robust system for monitoring and managing job role changes, ensuring timely adjustments to
access rights and privileges.

• Establish a procedure to authorize and document job role changes, including approval workflows and updates
to relevant systems and access controls.

• Develop a systematic employee exit process, ensuring that all access to systems, facilities, and sensitive
information is revoked promptly upon termination of employment.

• Conduct exit interviews that include reminders of confidentiality agreements and responsibilities for
protecting organizational information post-employment.

• Periodically review and update employee access rights to ensure alignment with current job responsibilities
and to prevent privilege creep.

• Deliver regular security training and awareness programs for all employees, with a focus on recognizing and
mitigating insider threats.

• Maintain a centralized log of access changes, onboarding, and offboarding activities for auditing and
compliance purposes.
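Reconciling granted access against the HR roster covers the exit process, job role changes and the privilege-creep review in the two human resource security lists above. This is an added example, not from the deck; the `Employee` schema, the `RoleEntitlements` table and the sample roster are constructed.

```go
package main

import "sort"

// Employee is one HR roster entry (constructed schema, not from the deck).
type Employee struct {
	ID, Role string
	Active   bool // false once the exit process has completed
}

// RoleEntitlements lists the access each job role justifies (constructed sample).
var RoleEntitlements = map[string]map[string]bool{
	"developer": {"git": true, "ci": true},
	"finance":   {"erp": true, "payroll": true},
}

// Finding is one discrepancy between HR state and granted access.
type Finding struct {
	UserID, Entitlement, Reason string
}

// ReviewAccess reconciles granted entitlements against the HR roster and flags orphan
// accounts, access a leaver still holds, and access outside the holder's role.
func ReviewAccess(roster []Employee, granted map[string][]string) []Finding {
	byID := map[string]Employee{}
	for _, e := range roster {
		byID[e.ID] = e
	}
	users := make([]string, 0, len(granted)) // sort for deterministic output
	for u := range granted {
		users = append(users, u)
	}
	sort.Strings(users)
	var findings []Finding
	for _, user := range users {
		emp, known := byID[user]
		for _, ent := range granted[user] {
			switch {
			case !known:
				findings = append(findings, Finding{user, ent, "orphan account: no HR record"})
			case !emp.Active:
				findings = append(findings, Finding{user, ent, "leaver still holds access"})
			case !RoleEntitlements[emp.Role][ent]:
				findings = append(findings, Finding{user, ent, "privilege creep: not justified by role " + emp.Role})
			}
		}
	}
	return findings
}
```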
