However, the arrival of the NIS2 directive does not mean that companies should panic. There is plenty of time to get everything in place, if you get started now.
At NTT DATA Business Solutions, we have chosen to use the same approach as when we had to implement GDPR. By establishing a cross-organizational unit, we ensure that we cover every challenge, make the necessary additions and adaptations to our existing programs, and at the same time secure a foothold in all relevant parts of the organization. It is an approach that the audit company PwC has recognized as a best practice. Read more about PwC’s approval of the GDPR implementation program in 2018 here.
Provisional operating model for NIS2
In that regard, NTT DATA Business Solutions has mapped which technical, organizational and communication processes must be either strengthened or established to meet the requirements, and has on that basis established a provisional operating model for NIS2.
“Although we obviously don’t know the specific requirements of the future sector requirements, we can nevertheless use those we know from, for example, the pharmaceutical industry, the financial sector and the supply industry as a starting point at an overall level,” says Martin Hallengreen, Compliance Manager, NTT DATA Business Solutions.
“The key to a successful implementation also lies partly in being able to present customers with a NIS2 program concept, which they can step directly into, similar to compliance with the GDPR, without having to deal with a lot of details about NTT DATA Business Solutions’ internal processor and controls, and without having to be concerned about whether these controls are continued in relevant supply chains,” says Martin Hallengreen, Compliance Manager, NTT DATA Business Solutions.
Time is of the essence
One of the important requirements in NIS2 will be the very short notice period for the incident reporting obligation.
A closely integrated program across the supply chain therefore becomes crucial for the implementation, both for continuous monitoring and for having a competent emergency response team that is trained to react correctly. For the same reason, NIS2 can never be a program that a company implements without involving its suppliers.