James Tarala

Beyond Compliance: Leveraging NIS2 for Enhanced Cyber Resilience and Leadership Accountability

To meet NIS2 risk assessment standards, organizations have multiple steps laid out ahead of them.

April 15, 2024

Missed the beginning of this series? Start with Part 1.

Organizations should view the Network and Information Security Directive (NIS2) as an extension of the principles and requirements already imposed by other regulations and standards. According to SANS Senior Instructor James Tarala, who has studied global regulations and standards for many years, NIS2 does not contain shocking new requirements. "If I were a CISO, I would eat my cybersecurity vegetables and be fine." 

The new regulation is not necessarily sexy and exciting or all that earth-shattering, said the cybersecurity risk assessment expert, but organizations must sort their cyber hygiene out to comply with NIS2. That being said, NIS2 will mean change and requires an effort from organizations to comply. “Indeed, the requirements in NIS2 are not new; they have been around for a long time. However, what NIS2 does is require organizations to do the things we have all known to be true for a long time. There are not many regulatory standards that require this today. That will change the scope for sure,” Tarala said.

Another notable NIS2 provision specifically requires organizations to conduct regular risk assessments. "I think that concept is new. Even though cyber risk assessment has been around for many years, it's a good thing to see regulation pushing, requiring, and encouraging that behavior," Tarala said. "I am encouraged by this because I think whenever we can put this kind of information in front of executive leadership and organization and business stakeholders, it allows companies to have a conversation they might not have otherwise had."

Baseline of Cybersecurity Standards

Tarala spends much of his time conducting cyber risk assessments. Outside of that, he also pursues cybersecurity research and education, and his research focuses extensively on risk assessment. "I have worked with a team of people, including SANS, to release a risk engine model as well as aggregate safeguard libraries and similar research." As part of his research, Tarala has been doing a detailed analysis of over a hundred different standards and regulations worldwide. "What I've noticed when I process new regulations and overlay and map those into the research is that I rarely ever find a regulatory body asking for something new that I've never seen before."

Risk Assessment

So, risk assessment isn't a new kid on the block either, and it has been theorized for many years in regulations and standards. However, NIS2 is definitely on the bandwagon in requiring organizations to perform those risk assessments regularly. "We do risk assessments for two reasons: one is to select what cybersecurity safeguards are appropriate for our organization to implement. And two is to look at the organization in light of those safeguards and validate that we've implemented them well. The focus in NIS2 and other compliance standards is on validation, as most organizations frankly don't have the resources or the expertise to understand how to choose which safeguards make the most sense,” said Tarala.  

To meet NIS2 risk assessment standards, organizations have multiple steps laid out ahead of them. First, they need to be clear on their target state. Tarala posed the question, "Do they clearly understand what cybersecurity safeguards they should implement into their business practices?" This may prove challenging, as the European Union (EU) hasn't specified what safeguards will be required for NIS2, much like they didn't specify the privacy safeguards in the GDPR. "The EU wants to leave it up to member states to have the opportunity to define cyber hygiene practices,” said Tarala. 

Elevate your assessment skills with hands-on, real-world strategies taught in James Tarala's course, LDR419: Performing A Cybersecurity Risk Assessment. Sign up for a demo, register today, or learn more and transform theoretical knowledge into actionable insights that safeguard your organization!

Quality Management Process

Once organizations understand what they believe they should do as it relates to risk assessment, they must regularly validate that they are actually doing it. "The result of that validation process, of that risk assessment, then needs to be placed in front of leadership teams, the executive board, and business stakeholders. That information then enables them to form better decisions and ensure they're addressing the gaps that are identified," according to Tarala. "The idea of the cybersecurity risk assessment is a quality management process that needs to be implemented." The EU does not specify who should perform these assessments. It is assumed organizations will do an internal self-assessment, but the reality may be that some businesses will rely on third parties to do this for them.

Liable Leadership

NIS2 requires executive leadership to focus more on cybersecurity, as under the new directive they are now liable for any significant incidents. "This means leadership needs to understand where they stand regarding cyber hygiene concepts. The expectation is that organizational leadership will sponsor, support, and fund these risk assessments and take the results seriously. In this way, NIS2 is trying to build a culture of organizational leadership owning cybersecurity issues and ensuring that they're addressed promptly," according to Tarala. "It does not mean that we're all going to be perfect because no organization adequately addresses these cybersecurity risks at any given time. But I think the liability aspect comes back to the fact that if an organization egregiously ignores best practices, there is no accountability for that leadership."

Set Yourself Up for Compliance

Tarala advises risk assessors to continue looking for what they know to be important from other regulatory standards and map the specific NIS2 requirements of member states back to that core set of requirements. "Inherently, it doesn't change how you work; you need to be more aware of what other people are asking you and map that to the requirements to see if something new is outlined. And if that is the case, you must reconsider your safeguards and compliance. Regarding NIS2, if you eat your cybersecurity vegetables, you should be fine for now," he said. "You should do everything you probably have been doing for quite a few years already. Don't give yourself an excuse to skip those things because doing the right thing will help you be compliant. It may not always be in complete alignment, but doing the right thing in cybersecurity will make the compliance process easier." 

NIS2 Checklist

Asked for a checklist that CISOs and risk assessors can follow to ensure compliance, Tarala pointed to the list of ten bullet points published by the EU (see the 10 Bullet Points from NIS2 section below). "There are some requirements at a high level that need to be included in national legislation. They comprise incident handling, business continuity, and cybersecurity hygiene best practices. Strikingly enough, they throw in a few technical things, like multi-factor authentication (MFA). So, if I were building a checklist, I would use those ten bullet points as my starting point and ensure I'm focused on those and customize according to national legislation." The SANS instructor stresses this doesn't mean an organization has to throw away existing programs or start from scratch. "Don't treat NIS2 as a new compliance requirement and change everything you do. Most requirements tend to be just different versions of the same thing." That being said, Tarala stressed he doesn't want to be flippant about NIS2 or other new regulations. "They are important. It may not be all new in theory, but it still requires organizations to put in effort to optimize their security efforts and their compliance."

Best Practices Provide Resilience

As a risk assessor himself, Tarala always asks organizations to look at regulatory requirements they know they are responsible for, the contractual requirements they've agreed to follow, and the cybersecurity best practices that are best for them. "Make sure all those areas are reflected in your safeguard libraries, where you document your intentions as an organization. You can then map the NIS2 requirements to the ones you already have in place and start improving. But don't make a whole new program or throw away what you've already done. Just use NIS2 as an extension of those principles that are already in place. Any organization that follows these best practices will be more resilient, giving them long-term business advantage." 

10 Bullet Points from NIS2

  1. Policies on risk analysis and information system security
  2. Incident handling
  3. Business continuity, such as backup management and disaster recovery, and crisis management
  4. Supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers
  5. Security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure
  6. Policies and procedures to assess the effectiveness of cybersecurity risk-management measures
  7. Basic cyber hygiene practices and cybersecurity training
  8. Policies and procedures regarding the use of cryptography, and where appropriate, encryption
  9. Human resources security, access control policies, and asset management
  10. MFA or continuous authentication solutions, secured voice, video and text communications and secured emergency communication systems within the entity, where appropriate

Which Organizations Are Essential or Important?

Essential entities: Large organizations operating in a sector from Annex 1 of the NIS2 Directive.

Important entities: Medium-sized organizations operating in an Annex 1 sector, and medium and large organizations operating in an Annex 2 sector.

An organization is considered large based on the following criteria:

  • A minimum of 250 employees, or
  • An annual turnover of €50 million or more and a balance sheet total of €43 million or more.

An organization is considered medium-sized based on the following criteria:

  • 50 or more employees, or
  • An annual turnover and balance sheet total of €10 million or more.

In this series on NIS2, we highlight the new directive from different angles so CISOs and their organizations can gain insight into how to deal with NIS2.

As you look towards achieving NIS2 compliance, remember that knowledge is power. SANS's extensive resource center offers everything from learning paths to certifications, all designed with your compliance needs in mind. Start exploring NIS2 with SANS today!

As SANS maps out industry preparedness for the new EU Commission's NIS2 Directive, your insights are invaluable. Please take a moment to complete the NIS2 survey to contribute to our research. Your feedback will help us provide the guidance and resources needed for this and future directives.

Continue reading in Part 3 of our NIS2 Compliance series here.
