Can you hear me, is this working? Okay, great. First of all, it's always difficult to, at the first sentence, to contradict your CEO because it's not a regulation, it's a directive, which is a problem. So we just, we need to find that out. We have 20 minutes. I have lots of slides, too many slides to read out and to go through. So I kindly ask you to read through them afterwards. I will always highlight what's on that slide and continue because it's a lot of that.
If you want to leave for lunch now, my idea for the talk is, please make sure that you understand your NIS2 compliance and you might be subject to NIS2, that this is a journey for your organization. Everyone who tells you I can help you in that, I have a blueprint that works for you, don't trust them, including us. Beware of easy paths. A short look at the agenda for today: NIS2 in a nutshell, I have to explain what it is, at least a bit. I'm not a lawyer, unlike Fabian, I'm not an auditor, but I'm a practitioner, so I want to help you in achieving, doing the right things.
Oh, and not that quick. Then from focus to implementation, what should you put focus on when you look at NIS2 apart from what you're already doing, and how to implement that, and in the end, how to implement NIS2 for your organization, that is what I'm aiming at. There is no silver bullet, I don't have the crystal ball, but I want to help you in finding the right decisions. I like that sentence, you have read that I think many times, but it's so true also for NIS2, for every complex problem there is an answer that is clear, simple, and wrong. And that's true for NIS2 as well.
NIS2 in a nutshell, first of all, what is it? NIS2 implies that there is a NIS 1, which is NIS, that is the Network and Information Systems Directive, not a regulation, and that there is a main difference for that. First of all, who issues it? The EU. Where does it apply?
Hey, EU. So these are the organizations that are in scope, and especially organizations that come to our mind when we think of critical infrastructures, and that is closely related to that as well. So it's economy, society, energy, transport, banking, health, I read it out as well, digital infrastructure, public administrations, and others, and I've put some icons here just to show the breadth of what actually is included there, and that maybe gives a hint on, hey, we can't do everything for everybody the same way. When does it come into force? That's my favorite question. Three answers.
A, NIS2 is in force. It came into force on the 16th of January, 2023. Why don't we do anything?
We should, but it doesn't apply for us now because member states have to incorporate that into national law. That's the difference between a regulation, DORA, and NIS2, that needs to be translated into law, and that will imply changes for every member state country in the EU. And actually, when does it need to be complied to? No matter what the member states do, it needs to be implemented in the next 21 months, starting from this effective date that is in answer one. So 21 months, not too much, gives a bit of this GDPR vibe, if you remember back then. So there is a lot to do.
Quick look at the text. It's always good to look at the text, especially true for NIS2. Article one is this thing that says it's not actually enforced right now. It needs to be translated. That's what is underlined here, or at least highlighted here, if you look. Member states adopt national cybersecurity regulations and strategies into their laws. So it needs to be translated. That's first. So second is, who is in focus? Who needs to comply? Which are the companies? There are three terms in here, and I don't explain them in detail.
I only say there are different levels of criticality that apply to organizations, and you should identify, A, are you subject to NIS2 at all? I guess so, but I don't know. And what is the level of criticality that applies to you? We have the difference between essential, important, and critical. Most of us would think these are synonyms. They aren't in that context. So you need to understand which level of criticality applies to you as an organization.
So first, are you? Second, what are you in the context of NIS2? That's the step that needs to be taken. Now you understand why I'm running through these slides. Focus is on medium-sized and large companies. When we think of NIS and of critical infrastructure, there were a set of companies that we could all think of who is relevant for KRITIS and who should be in scope.
Lufthansa, easy. Big banks, easy. Pharmaceutical companies, some aspects of that. This changes dramatically. There is a massive tightening of requirements, especially for medium-sized companies. And if you look at the definition of medium-sized behind me, this is not medium-sized. This can be rather small, 50 employees or 10 to 50 million euro turnover. It's not that much. So that's a really expanding scope that needs to be looked at.
Again, are you in scope? That applies as well to identify whether you are in scope. The right industry and the right size and the right processes that you deal with, that might be already the case that you are around those who need to do something right now. Start doing things. NIS2 is very specific and not in telling you what you need to do. So specific and generic requirements, again, a look at the final look at the text. If you look at the list to the right and just skim it a bit, there's a lot to do.
This is Article 21, and it starts from policies, having the right policies in place at the foundation layer to achieve what you want to achieve. Very important is the aspect of incident handling. We come back to that. Business continuity planning, again, and I look at that. If you look at the last two CSLS events that we did in Berlin, we had a workshop on incident management, and we had a workshop on business continuity management, and here we go again. Here it is, and it is demanded for. So this is something that is really important, and it goes down to final aspect. This I like.
They ask for multi-factor authentication, getting rid of passwords. I think this is the most tangible requirement, which is in NIS2 itself, because in any other case, it reflects to other regulations, other frameworks, other standards. Which sectors are affected? There is a long list included in some of the appendices, or the annexes, sorry for that. So you should really check the list of industries that are in scope, and also the more detailed descriptions whether you are in scope. The first step for your NIS2 compliance is understanding what you need to do.
So I don't read the list out, but I think everything that's more or less critical infrastructure is involved, and more, and also the smaller ones. If you are a supplier to an organization that is considered to be critical, chances are good that you are involved, but I'm not a lawyer, ask Fabian. The enforcement, upholding standards, and now we get to slides. We all hate, just a short side note, we all hate smart art in Word or in PowerPoint. We have lots of text and transfer that into something that's not that ugly as plain text, nobody reads it.
So we have four slides or five slides of that type, which I just quickly walk through, and I kindly ask you to read them afterwards, because there's a lot of information in there. This is the slide about the enforcement, about what the EU needs to do, what member states need to do, and there is a lot of that. It starts with oversight by the EU and the nation state countries. They implement sanctioning power, and quite drastic sanctioning power, comparable to GDPR. If you know the figures that are in GDPR, this is the ballpark where we are dealing with.
There will be, and there are, supervisory bodies, and there will be cross-border collaborations, or EU member states will work together, and organizations are expected to work together, also cross-borders. And everything down to public-private partnership.
As I said, I can't read it out all, but these are the enforcement principles that are built into NIS2. So lots of enforcement, so don't expect to go under the radar. I don't expect that to happen. From focus to implementation was my next headline of this three-point agenda, and the question is, what should we focus on? This means, for me, that we understand what NIS2 adds to what you have not yet done.
Again, there is an old proverb, I've tried to find that out, and I've found it, misfortunes never come singly. And the same is true for regulations, standards, certifications, and directives. So the good thing is, you have this big block of already implemented frameworks within your organization. You can reuse that, and NIS2 asks you to do so, to identify what you're already doing. And if you're missing something, so this is a portfolio analysis, then you need to find out what you're not doing. So NIS2 doesn't tell you to do anything else than multi-factor authentication, that's NIS2.
Anything else that's, OK, look at ISO 27001, that's fine, look at NIST, look at everything that you have, BAIT, if you're a financial organization you should do well, and if you think of the presentation from the colleague from Bundesbank, he said, if you implement DORA, you're NIS2 compliant. I like that statement, have not heard that yet, but that sounds good to me, because it's the same kind of regulations. What is missing, typically, when we think of this Lego or building block thing that we have seen before, I've put out four aspects.
First of all is risk, risk management, risk assessment, risk mitigation, and emergency plans. Second is incident management, that is somewhere in these regulations, but it's not as good as it is required by NIS2. If you look at that over there, 24 hours initial reports to everybody who is affected. Define affected, 24 hours, this is a challenge, this demands for good processes. And 72 hours with an analysis of what has happened in an incident. Next supply chain, you are not alone, you are depending on your peers and they are delivering services to you.
So you need to understand that they are NIS2 compliant as well, you need to prove as a small supplier that you are compliant to your upper elements in the supply chain. And finally, cyber hygiene, including security access control and other measures. So these are the aspects that I would like to focus on. This is not a comprehensive list, but this is why usually organizations are not that good, even if they are ISO 27001 compliant or have a TISAX certification, etc. So all of this might be something where you want to have a little focus on. How to implement that?
So cyber hygiene is always a way to move forward. So that is a road. And I go back to the guiding principle of risk management, because this is at the bottom of everything that NIS2 asks for. NIS2 promotes a risk-based approach, which is nicely put, and at the end you can see beyond encouragement there is a mandated comprehensive risk assessment and mitigation strategy for all covered entities. So in the beginning it says, you are encouraged to do so, and the end says, yeah, you have to. So risk management and understanding your individual risks is at the core.
And again, I've put these six icons here, it's the same list as before. Risk for energy is different than risk for public administration, it's different to the risk of banking. So the risk assessment is at the core. And what does NIS2 ask on top of that?
Again, smart art, you know, I'm just quickly going through that. We want to move from risk to cyber resilience, so it's not only achieving cyber security.
Oh, there's a danger, switch it off. No, you need to continue to run. That's a critical approach that you know of. So there need to be mandatory security measures, continuous improvement, and you need to be ready for incidents. You need to be ready for incident handling and for reporting applications that includes sharing incident information with your peers and with other involved parties. That includes anonymization, for example, of incident information, because you want to share it, you have to share it.
This is something that many organizations are not yet well prepared, and that's the reason why I have a special slide for that, because it goes more into detail regarding these requirements. I kindly ask you to download the PDF that is this slide deck, because there's a lot of information there, and you can drill down from that. It's not comprehensive. So you need to define your incidents. You identify your reporting protocols, whom to talk to, who are the usual suspects to talk to. That's what, again, Fabian mentioned.
Talk to the right people, have the proper communication in place, but also information sharing, even across confidentiality concerns. Final step, that's the left corner of this four-point bullet diagram that I had, extending the security perimeter. Your supply chain is in scope, and again, if you look at other cybersecurity events that we executed in the last years, cybersecurity supply chain risk management, long acronym, was something that was on our radar well before, and here we go, here it comes again, and now it's mandated for.
So do a vendor assessment, not only once, but all the time, continuous monitoring, incident response coordination, when you have a cloud provider and you are using that, maybe you want to talk to them. Not just web provider, that's simple, although it might be a shop, but also cloud platform, lift and shift applications. Information sharing, and ideally being proactive and having some strategic partnerships within your supply chain and beyond. Having to check the watch, OK, but yeah, I've inherited a few minutes, so sorry for that, but I'm speeding up.
NIS2 for your organization, what does that mean? Now that we've heard what it is, at least in a nutshell, a big nutshell, but a nutshell, and on the other hand, what should we focus on when we want to move to NIS2 on top of what we already have? You're not starting from scratch. Here we go with beware of simple solutions. If you look, I've just this morning started my LinkedIn and I got a big announcement, as big as my smartphone display could present it. We help you in being NIS2 compliant by improving your access governance.
OK, nice stance. Sure helps. It's a building block of one of these Lego blocks that was on that slide before, but it will not help you in achieving NIS2 compliance, but we'll make sure that you don't fail it, but this is not sufficient at all, but it will help, so be careful.
Of course, we will always see these things now with built-in NIS2 compliance, yet these are tools that help you, but that's it. So these new regulations, directives, come with the promise of a gold rush for all people involved, vendors, analysts, consultants, everybody, because they say, OK, there is business there, and it is, and we need to act, and we need to act, yeah, soundly, properly, appropriately. And like a good ransomware attack, high potential penalties, tight deadlines, and a lack of clarity improve the pressure. Now you have to act. That's the way how ransomware attacks work.
No pun intended here. You really need to make sure that you do the right thing at the right time. So what should you need to do? Be careful with what you implement. Start from the risk assessment, we will get back to that, and don't trust one size fits all solutions. So one size does not fit all, I'm quite sure. So you need to understand what is relevant for your own organizations. You will have a unique cyber ecosystem.
You will require tailored security controls derived from these standards, derived from that framework, but appropriate for your use case, so that the auditor can come and say, OK, what are you mitigating and why? Can you prove that this is really useful, that this really mitigates your risk? That is what we're aiming at. So you need to be flexible in your own strategy, and we, as analysts, consultant companies, individual freelancers, need to understand that they need to fulfill the needs of the individual customer, the individual organization, beyond box-ticking.
Specific aspect, SMEs, we have seen this medium-sized definition, 52-something. They will have a different way of dealing with that, because they cannot afford everything. They have all these constraints that are here. So resource constraints, knowledge and skill gaps, how do they deal with that? They need a tailored strategy. There is no easy answer that I can say, OK, SMEs need to do that way, and bigger companies can do it that way.
No, it needs to be based on a risk assessment and the right proper measures in place, and that is where we want to move forward with. Final slide, and that is the good thing. Good for us as cybersecurity experts. That is the first sentence, and this is for me the core of this presentation. NIS2 finally puts an end to the notion that compliance is a matter of taking a few steps and periodically ticking off the controls that have been implemented. That time is over, finally, at least with NIS2. That's over. We need to take a new approach. We need to start with risk in the beginning.
We need to understand what is really behind that, and then embark on that journey implementing that. And NIS2 compliance is not a simple thing. It requires a well-thought-out strategy, and we should start yesterday. Thank you.