NTT DATA Business Solutions
NTT DATA Business Solutions | December 7, 2023 | 4 minutes

NIS2: Provisional Program Ready for Clients

 

Are you ready for NIS2?

The new cybersecurity directive NIS2 will come into effect in less than a year, bringing new challenges and opportunities for companies in various sectors.

In this article, we explain how NIS2 will affect your business, and how we at NTT DATA Business Solutions are preparing to help you comply with the new requirements – based on best practices and insights from our successful implementation of GDPR, which serves as a model for our approach to NIS2.

NIS2 goes into effect in less than a year

Preparing for a new standard of cybersecurity with NIS2

It’s now less than a year until the new cybersecurity directive NIS2 goes into effect. The directive is in the process of being implemented as legislation, but there is no reason to wait for the release before starting to prepare for compliance.

Increased responsibility and requirements with NIS2

Many companies must prepare for a new reality with increased requirements for cybersecurity and for handling information security risks both internally and in the supply chain. Failure to comply with the requirements can result in quite significant sanctions.

A decisive point in NIS2 is that the responsibility for cybersecurity in the affected companies now clearly moves to the board and management. In addition, non-compliance can be costly. So there is every reason to take the task seriously.

In Denmark, 1079 companies across critical sectors are covered by the new complex requirements for IT-security procedure and data control, according to Dansk Industri.

Existing programs adapted to NIS2

However, the arrival of the NIS2 directive does not mean that companies should panic. There is plenty of time to get things in place – if you get started now.

At NTT DATA Business Solutions, we have chosen to use the same approach as when we had to implement GDPR. By establishing a cross-organizational unit, we ensure that we cover every challenge, make the necessary additions and adaptations to our existing programs, and at the same time gain a foothold in all relevant parts of the organization. The audit company PwC has recognized this approach as a best practice. Read more about PwC’s approval of the GDPR implementation program in 2018 here.

Provisional operating model for NIS2

In that regard, NTT DATA Business Solutions has mapped the requirements to identify which technical, organizational and communication processes must be either strengthened or established, and on that basis has established a provisional operating model for NIS2.

“Although we obviously don’t know the specific requirements of the future sector requirements, we can nevertheless use those we know from, for example, the pharmaceutical industry, the financial sector and the supply industry as a starting point at an overall level,” says Martin Hallengreen, Compliance Manager, NTT DATA Business Solutions.

“The key to a successful implementation also lies partly in being able to present customers with a NIS2 program concept, which they can step directly into, similar to compliance with the GDPR, without having to deal with a lot of details about NTT DATA Business Solutions’ internal processor and controls, and without having to be concerned about whether these controls are continued in relevant supply chains,” says Martin Hallengreen, Compliance Manager, NTT DATA Business Solutions.

Time is of the essence

One of the important requirements in NIS2 will be the very short notice period for the obligation to report incidents.

A tightly integrated program across the supply chain therefore becomes crucial for the implementation, both in terms of having continuous monitoring and having a competent emergency response team that is trained to react correctly. For the same reason, NIS2 can never become a program that a company implements without the involvement of its suppliers.

Gitte de Linde, Senior Director, Head of Managed Services Nordics, NTT DATA Business Solutions: 

“It is important for our customers and business partners, well before the NIS2 legislation comes into force, to be able to confidently trust us as a supplier. We have therefore decided, in line with our approach to GDPR, to have an independent 3rd party audit statement produced that establishes our compliance with the requirements. This audit report will be a supplement to our existing ISAE 3402 Type II and ISAE 3000 (GDPR) Type II.”

Read more about NIS2:

EU NIS2 Directive Calling for Attention to SAP Application Security

PwC approves NTT DATA Business Solutions GDPR-program

Dansk Industri: 1079 companies across critical sectors are covered by the new complex requirements for IT-security procedure and data control