First of all, thank you, Stefan. You have set a good ground for my presentation here, and I will also be using NIS2 as an example to walk through my presentation. So I'm here today to talk about a compliance navigator. This is something KuppingerCole is working on, since we have a lot of expertise in governance. We have an idea of the best trends going on in various areas of cybersecurity. And as we are in advisory as well, we realize that there are a lot of use cases around compliance, specifically around how to deal with compliance in a multi-regulatory environment.
So, talking about the problem statement. Well, when you talk about compliance, these requirements come from various diverse sources, let's say different countries, different industries, and there are new regulations coming up every year. We already saw the example in the previous presentation. And when you look into these regulations and the details of the frameworks, you realize that a lot of them are complex. The level of information in each of these frameworks is quite different.
And if you are from an end-user organization or an enterprise, you might have the problem of trying to analyze whether the measures or controls you already have in place are enough to satisfy the new regulations that are in the market. We saw the example with NIS2 already. And on top of that, there are other factors as well that concern longevity. How are these compliances going to hinder any development within the company? Because they are here to stay for a long period of time. So when we talk about diverse sources, we talk about different regional regulations.
Some of them are stemming from different industries, such as health. We have HIPAA, or we have DORA for finance. There are new regulations or frameworks thrown into the mix every year. And then there's a lot of dependencies as well on their implementations based on which country they're coming from. If you take an example of NIS2 and the European Union, even though NIS2 is an overarching framework for the entirety of the European Union, the implementation for every member state could differ, especially because they need to align with their country's existing cybersecurity laws.
So that's where you have to realize whether the differences for NIS2 in one country are the same as in others. When we look into two different regulations, for example, let's take NIST and NIS2, you see that some of these are quite complex and quite exhaustive, while others are quite vague. They might give you the list of requirements, but they do not tell you how to materialize them into measures. There's a lot of inconsistency in technical specifications, and sometimes the guidance is quite high-level, although their coverage might be quite broad.
As you saw with NIS2, in Germany alone it is already applicable to 30,000 enterprises. Now, we're talking about end-user organizations. But there's not so much clarity on how to implement these measures.
There is, of course, reference to other international standards or industry best practices such as NIST and ISO 27001, but still there's this vagueness about how to, in the end, materialize this. And if we add more complications to the mix, when we talk about implementations, there might already be measures in place that partly cover these new requirements. Some of them are quite specific, like ISO 27001, which talks about what measures you need to implement in several different areas of cybersecurity.
There might be overlaps between ISO 27001 and NIS2, for example, but there might also be differences. And who is to say whether NIS2 is asking more or less? What you have in place, is that already enough? So identifying the gaps and then working on them might again be, let's call it, extra work with every new regulation. On top of that, most of these frameworks might have a dual nature. If we talk about ISO 27001, yes, it has requirements, but then it gives you very specific controls on how to put them in place. But this is not the case, again, with NIS2.
And every time a new regulation is thrown into the mix, there is a new mix of requirements in this multi-regulatory world of compliance, and we also feel that there is quite a lot of hindrance when we talk about the longevity of these compliances, because they are here to stay. What happens is, when there is new technology, or there's a new tool in the market, or there are new principles, such as now you have zero trust, who is to say if the new tool or technology will also adhere to these existing compliances? Because then they need to be assessed again.
So that's why a lot of times they say that compliance does hinder further growth or modernization. I think these are some of the use cases or problem statements that some of our clients had mentioned.
And we, as KuppingerCole, thought of a solution in that sense, of how we can simplify this a bit. So the experts in our company came up with the idea of putting all the requirements in one place, having a central database, and seeing if they can sort of make one big list of requirements, try to map it, and find the overlaps between these different regulations to make it easier to realize whether there is extra work needed or not with the mix of new regulations. Talking about the process development of Compliance Navigator, this is what we have right now.
We have collected data from many, let's say, industry best practices, such as NIST, and from the most prominent regulations, such as DORA, GDPR, and NIS2 this year. And we have put them into one big list of requirements. We have abstracted them, we have broken them down. And on the other hand, we broke down the different areas of cybersecurity, such as IAM, or vulnerability and threat management, and made a comprehensive list of the measures that are in each of these different modules of cybersecurity. We broke them down into a tree at a macro level and then went deeper at a micro level.
And then we created a unified view where we cross-referenced every requirement with the different measures that we listed in this taxonomy. This is a very big, boring matrix to look at. That's why it's not on the screen today. But it's a very helpful matrix. This is our groundwork, which we call the Compliance Navigator. Because this, again, is now helping us make different catalogs. Now, thanks to the cross-referencing and the taxonomy we have, we are creating detailed catalogs and controls for each set of requirements.
I will show you with an example how we can now utilize Compliance Navigator. This is something that we have already done as, let's call it, a test run. We took two requirements out of the NIS2 legislation. I took the example of two requirements. If you saw the slides before, this was mentioned: MFA and continuous authentication solutions, and access control. What we did is, because it was also mentioned in the NIS2 document that a good reference would be ISO 27001 and NIST, we took the various controls mentioned within these two frameworks and mapped them to these two requirements of NIS2.
So here the controls are from NIST and ISO 27001, and the requirements are from NIS2. Keep in mind, this is an example for SMEs, so not enterprises, so it's not that detailed. And then we mapped. We also connected different other areas which might be related to these controls. For example, risk analysis or basic procedures of cyber hygiene, which are then other requirements within NIS2. So that's where the taxonomy, this middle layer of taxonomy, really helped us to map.
And now what we can do is go and check which different controls are needed and what the different measures are for each control, and then we broke them down into functional, organizational, and technical. Where functional is basically activities and mechanisms designed to ensure operational processes; by technical I mean technology, tools, and systems; and organizational is more around governance and basically the things that help with everyday activities.
And we broke them down, and now many end-user organizations can either check if they already have these implemented, whether this is enough, or whether they need to create new controls within their organization to fulfill what NIS2 requires. I do not have to explain why that is required; there are a lot of penalties and other things, of course, but this is the groundwork that we have created already. We also list the different other related controls in the areas of NIS2 that might be related and are interconnected, of course.
And this is an example or groundwork which helps us understand where we can apply our compliance navigator when it comes to different specific enterprise use cases, because it might be different for different industries: for healthcare it might be HIPAA, for an OT environment it might be different, and for finance it's another complicated world. But now we can basically use Compliance Navigator to help our clients realize the impact of certain regulations, evaluate their control portfolio, and see if they're ready for a certain compliance.
How can we do that? There are different things, as you can see from the previous example that I mentioned. We can assess the overlap if two or more requirements are already fulfilled, for example MFA, and whether this is already covered by a specific control. We can identify these and avoid redundant work, and this really streamlines compliance processes. And on the other hand, we can also identify certain gaps. The controls that we already have at the enterprise level, are they enough? Or is there something that needs to be added?
Are there bespoke controls that can be developed to meet the requirements? And most importantly, this taxonomy and control system can be integrated within the ISMS of the company to make sure that there is continuous compliance management happening within it. There is a common terminology across different tools, and this sort of helps streamline compliance. This is just the groundwork, of course.
Being in advisory, I can say this is something that leads to a lot of clarity when you make decisions, having roadmaps as to which controls or which gaps need to be fulfilled first, so prioritization. What is the low-hanging fruit? That is something that we can help with in advisory, but this is definitely the groundwork that we are working on. If you have any specific questions about industry-specific regulations, of course you can come to us and we can work on that specifically. And that brings me to the conclusion of the presentation. Thanks a lot, Alejandro. Back to you.
Was I on time?
On time, yes. We have maybe one minute if there are any questions from the audience.
Yeah, that looks splendid. Have you got a tool that can automate it?
We are still working on it, not yet. ChatGPT is my best friend right now, but it's not that easy. We have started the mapping, started manually mapping NIS2 with ISO 27001 and NIST, and that has worked. We've already worked with certain clients on that part. If there is any new regulation that needs to be thrown into the mix, and especially if we want to be completely updated and fine-grained and have visibility, then of course automation is something that would really help us there.
Thank you, Shiga. Thank you.