Brian Correia

Empowering Cybersecurity Excellence: Certifications as the Keystone of NIS2 Compliance

NIS2 creates more uniformity and consistency in cybersecurity and resilience across vital EU industries.

March 27, 2024

In this blog post, Anthony O’Keefe, SANS Institute’s Director of EMEA, lends his expertise as coauthor.

The Network and Information Security Directive (NIS2) focuses on developing an organization’s internal skills and capabilities. With the directive placing greater accountability on senior leadership, cybersecurity is no longer something that can be swept under the carpet. SANS helps organizations navigate the complexities of NIS2 compliance by providing clear learning paths for different work roles and certification of the skills those roles require.

Brian Correia, Director of Business Development for GIAC at SANS, worked closely with the European Union Agency for Cybersecurity (ENISA) to map SANS’s training and certifications against the European Cybersecurity Skills Framework (ECSF). The ECSF is a practical tool for identifying and articulating the tasks, competencies, skills, and knowledge associated with the roles of European cybersecurity professionals. “The ECSF defines 12 roles which are individually analyzed into the details of their corresponding responsibilities, skills, synergies, and interdependencies. It gives a standard of relevant roles within cybersecurity and what knowledge, competencies, and skills they require so everybody talks the same language,” said Correia.

Correia is confident this framework, combined with the correct certifications, is the biggest determining factor in an organization’s successful NIS2 compliance. “Organizations that fall under NIS2 must compile and submit a yearly security posture report to ENISA or their local authority,” Correia said. “Certifications validate the skills required in the report. It’s no different than with doctors, lawyers, or even when you get a driver’s license. It’s a means of showing what you are capable of.”

Skills Validation

Anthony O’Keefe, SANS Institute’s Country Director for Belgium and The Netherlands, works on security awareness, assessments, ranges, and everything else in between. NIS2 creates more uniformity and consistency in cybersecurity and resilience across vital EU industries, he explained. “NIS2 has four overarching areas: risk management, corporate accountability, reporting, and business continuity. Under those four areas, there are ten measures organizations must adhere to.”

One of the key components of NIS2 is greater senior-level accountability, said O’Keefe. “The new directive raises the bar for organizations, especially those with limited resources and skills. NIS2 requires that an organization’s board of directors and leadership possess extended cybersecurity knowledge and that its entire workforce possess the skills and capabilities needed to improve cybersecurity regarding the four overarching areas. Brian's work mapping all our courses and certifications to the ECSF gives leadership teams a very clear map of how to develop their organization's capabilities to comply. Also, this is where our GIAC certifications come in, as they validate the skills and capabilities within an organization, showing they meet key metrics on risk management, incident planning and so on.” In a way, preparing for NIS2 resembles building a successful sports team, said Correia: “You need to think about what players you need to have and how you ensure they’re trained to properly work together.”

Outside Counsel

Correia refers to the NIS2 directive as ‘the new GDPR.’ “GDPR became the standard for the whole world, but it came out of the EU. When it first came out, it was very vague, but as time passed, it tightened up until, ultimately, everybody knew what was expected. I think we will see the same process with NIS2 over time.” He agreed it will be difficult for organizations to improve board members' cybersecurity skills and knowledge, and compared the situation to the US Securities and Exchange Commission (SEC) cybersecurity disclosure rules adopted in July 2023. “Ultimately, the board is responsible for everything in an organization. When we look at the financial world, typically, boards seek outside counsel, where an outside accounting firm is hired to double-check the financial numbers. So, in cybersecurity, you may be advised by a CISO, but you also want to have some form of outside counsel.”

CISO as Board Member

Comparing the roles of chief financial officer (CFO) and chief information security officer (CISO), Correia finds it puzzling that the CFO routinely sits on the board while the CISO often does not. “A CFO is considered one of the top directors making major decisions. However, we don’t see a CISO being on the top-five of directors, do we? It’ll be interesting to see if that changes. I don’t think that’ll be overnight – it will more likely take closer to 10 or 20 years, as in many organizations, CISOs don’t even have full access to the board. But we see cybersecurity getting bigger and bigger; remember, this is still a relatively new industry.” Board liability under NIS2 may speed this process up. The directive itself provides for administrative fines and, for essential entities, a temporary ban on individuals at CEO or legal-representative level exercising management functions; whether misrepresenting an organization's security posture also carries criminal penalties depends on each member state's national transposition. “It’s no different than being thrown in jail if you lie on financial reports. This could be a consequence when a board lies about the company's cybersecurity posture after a cyber incident,” said Correia.

Hands-On Skills

Education is the key to a business understanding its NIS2 obligations and making cybersecurity an integral part of its organizational structure. This is where SANS provides invaluable assistance: by providing the right learning paths, courses, and certifications, as well as a comprehensive resource center, and by working closely with ENISA. “We’re very fortunate,” said O’Keefe. “At SANS, we have vast resources. Not just in terms of training and development capabilities and GIAC certifications – which is a very different approach to other providers in that it’s very practitioner-oriented. We don’t just review the theory, we give teams hands-on skills to implement within their organizations. They take away all the best practices and learning in our training courses and can take that and apply it in their own environments. That is the impact and value SANS provides. And GIAC tests students' capabilities, which validates the organizations by providing those certifications to the regulators to demonstrate their in-house capabilities.”

Enhancing Cybersecurity Capabilities

“This industry is moving at warp speed,” O’Keefe pointed out. “Look at it like this: Amazon has over 20 security teams. As you can imagine, when they first built them, they built them so fast that even within Amazon, they did not standardize the work roles. We have been working closely with ENISA over the last couple of years on their workforce development events, particularly in some of these areas around the ECSF and NIS2. It’s really helping the community understand how they can utilize our training.”

He stresses that most work roles defined in the various frameworks didn’t exist five years ago, and these roles keep expanding every year. One of the biggest systemic risks organizations have now is not having the capabilities or talent base to deal with their workload. That is why the mapping exercises are so crucial. “This is what we have done with ECSF; we have utilized all our experience and knowledge that we have built up with the National Institute of Standards and Technology (NIST) and applied that to the European context. This has given the broader community very clear guidance on the learning paths they need to put in place to better support the development of their staff so they can better recruit, develop, and comply with standards and regulations,” O’Keefe said.

Information Sharing Across EU

Another focus of NIS2 is information sharing. “The EU is setting up a collaboration center. The idea is that if cyber incidents affect citizens, they affect the country in keeping itself protected. So, the 27 EU member states want to partner up. However, there are different political agendas and different levels of maturity, so this is where NIS2 comes in and tries to formalize more information sharing and learning. NIS2 relies on some of the more cyber-mature EU members, like Germany, the Netherlands, France, to share best practices with some of the less mature and resourced states,” said O’Keefe.

Certifications are Key to Compliance

Both Correia and O’Keefe advise organizations to use current frameworks to validate their security posture in preparing for NIS2. “Also, you need to figure out your incident response plans up front,” added Correia. “I see too many organizations burying their heads in the sand on this one, but with the strict reporting requirements of NIS2, you really have to dive in beforehand.” Then he returned once more to his favorite subject: certifications. “It’s the ability to validate the skills of your teams. We see it popping up more and more in audits, for example, and organizations also use it to win business. It gives you the means to verify that somebody’s got the necessary qualifications, which is a key point in the industry.”

Best Practices

O’Keefe added that it is very difficult for organizations to understand their in-house capabilities and how they can demonstrate them to the regulators to indicate compliance with necessary legislation, whether NIS2 or anything else. “This is becoming increasingly important but very difficult for organizations. So, the ECSF, our learning paths, and certifications give them very clear opportunities where they can very quickly start to build out capability and demonstrate that they are complying and have the necessary capabilities in-house.” Besides training, SANS also provides much broader resources, stressed O’Keefe, particularly on things like running cyber executive exercises to test their abilities, identifying strengths and weaknesses, and improving and enhancing their incident response plan or building a security awareness program. “Everything comes back to frameworks, building out learning paths, and effectively testing abilities and response plans. This is not a one-off check-the-box exercise. Organizations must continue to test their capabilities and that responsibility lies with the board.”

Which Organizations Are Essential or Important?


NIS2 uses two categories, essential and important. As a general rule, the category follows from the sector (Annex I or Annex II of the Directive) and the size of the organization:

Essential entities: Large organizations operating in a sector listed in Annex I of the NIS2 Directive.

Important entities: Medium-sized organizations operating in an Annex I sector, and medium-sized and large organizations operating in an Annex II sector.

An organization is considered large if it meets either of the following criteria:

  • a minimum of 250 employees, or
  • an annual turnover of €50 million or more and a balance sheet total of €43 million or more.

An organization is considered medium-sized if it meets either of the following criteria:

  • 50 or more employees, or
  • an annual turnover of €10 million or more and a balance sheet total of €10 million or more.

Note that the headcount test alone is sufficient, whereas both financial figures must be met together. The size rule is the general case only: Article 3 of the Directive also designates certain entities as essential or important regardless of size (for example, qualified trust service providers, top-level domain name registries, DNS service providers and certain public administration bodies), so an organization below the size caps should still check the Annex listings and its national transposing law.
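The size-cap rule above is easy to miscode, because headcount is an "or" while the two financial figures are an "and". The following is an added example, not code from the SANS post, that encodes the rule as stated on this page so it can be run over a list of entities. It assumes the page's "or more" wording (boundary values count), that Annex I/II membership is supplied by the caller, and it deliberately does not model the Directive's size-independent designations in Article 3, which must be checked separately. The sample entities and their figures are constructed for illustration.

```python
"""Added example: NIS2 essential/important classification by size and annex.

Assumptions (not from the original post's code, which has none):
- thresholds follow the post's wording, so 'or more' means >=;
- annex membership ('I' or 'II') is decided by the caller;
- Article 3 size-independent designations are NOT modelled here.
"""
from dataclasses import dataclass

EUR_M = 1_000_000  # one million euro


@dataclass(frozen=True)
class Entity:
    name: str
    employees: int
    turnover_eur: int
    balance_sheet_eur: int
    annex: str  # "I" or "II", supplied by the caller (assumption)


def size_class(e: Entity) -> str:
    """Return 'large', 'medium' or 'small' using the thresholds on the page.

    Headcount alone is sufficient for a size class; the two financial
    figures must BOTH meet the threshold (an 'and', not an 'or').
    """
    if e.employees >= 250 or (
        e.turnover_eur >= 50 * EUR_M and e.balance_sheet_eur >= 43 * EUR_M
    ):
        return "large"
    if e.employees >= 50 or (
        e.turnover_eur >= 10 * EUR_M and e.balance_sheet_eur >= 10 * EUR_M
    ):
        return "medium"
    return "small"


def nis2_category(e: Entity) -> str:
    """Map (size class, annex) to the NIS2 category from the page's table."""
    if e.annex not in ("I", "II"):
        raise ValueError(f"annex must be 'I' or 'II', got {e.annex!r}")
    size = size_class(e)
    if size == "small":
        # Caveat: Article 3 exceptions (size-independent designations) are
        # not modelled; a 'small' result is not a final out-of-scope verdict.
        return "out of scope (size cap)"
    if e.annex == "I" and size == "large":
        return "essential"
    return "important"


def classify_all(entities) -> dict:
    """Classify every entity; returns {name: category}."""
    return {e.name: nis2_category(e) for e in entities}


# Constructed sample entities with fictional figures (not real organizations).
SAMPLE = [
    # large by headcount alone, Annex I -> essential
    Entity("regional grid operator", 300, 40 * EUR_M, 30 * EUR_M, "I"),
    # medium by headcount, Annex I -> important
    Entity("water utility", 120, 20 * EUR_M, 15 * EUR_M, "I"),
    # turnover clears the large cap but balance sheet does not, so only
    # medium (both figures clear the medium cap); Annex I -> important
    Entity("cloud hosting SME", 40, 60 * EUR_M, 20 * EUR_M, "I"),
    # large by headcount, Annex II -> important (never essential)
    Entity("food wholesaler", 260, 5 * EUR_M, 4 * EUR_M, "II"),
    # below every cap -> out of scope under the size rule
    Entity("small bakery chain", 30, 8 * EUR_M, 3 * EUR_M, "II"),
]

if __name__ == "__main__":
    for name, category in classify_all(SAMPLE).items():
        print(f"{name:24s} {category}")
```

The third sample entity is the one to watch: a turnover of €60 million looks "large", but because its balance sheet total is below €43 million it is only medium-sized under the rule on this page, and as an Annex I entity it lands in the important rather than the essential category.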

In this series on NIS2, we highlight the new directive from different angles so CISOs, cybersecurity practitioners, and their organizations can gain insight into how to deal with NIS2.

Compliance is a journey, and every journey needs a roadmap. SANS’s dedicated learning paths and certifications provide a clear route to NIS2 compliance, tailored to your organization’s unique needs. Begin your journey at www.sans.org/mlp/nis2.

As SANS maps out industry preparedness for the new EU Commission's NIS2 Directive, your insights are invaluable. Please take a moment to complete the NIS2 survey to contribute to our research. Your feedback will help us provide the guidance and resources needed for this and future directives.

Continue reading in Part 2 of our NIS2 Compliance series here.


Tags:
  • Cybersecurity Leadership
