Meet NIS2 Requirements:

Instantly See Your Top 10 Cybersecurity Risks

RiskLM’s intuitive AI platform makes complex cyber risk assessments accessible to everyone, not just experts. Automate analysis, generate compliant reports (NIS2, ISO, NIST, GDPR and more), save time, reduce consultant costs, and ensure continuous security effortlessly.

Download our free white paper showing exactly how Risklet pinpoints critical vulnerabilities for NIS2 compliance and recommends cost-effective controls.

Compliance Guidance

10 Duty of Care Measures for NIS2 Compliance

Cybersecurity regulations often prescribe key duty of care measures that organizations must implement. Below are ten fundamental areas to address for robust cyber resilience.

Article 21 paragraph 2 sub a: policy on risk analysis and security of information systems

Performing a risk analysis is the first step in improving the cyber resilience of your company or organization. It is an essential first step in gaining the necessary insights. A risk analysis reveals which risks are the most serious and where security measures are most needed.

Risk Analysis Policy

A risk analysis policy plan describes how your organization performs risk analyses. This plan helps you systematically and purposefully improve your digital security. Every organization is unique, with different processes and risks. However, there are some elements that often recur in a risk analysis policy. Use these as a guideline when drafting your policy document:

  • Purpose and scope: Define the purpose and scope of your risk analysis. The scope determines which internal stakeholders are involved.
  • Frequency: Determine how often you will perform risk assessments. This may be a requirement for certification or contractual obligations. If not, perform a risk assessment annually.
  • Roles and responsibilities: Define who is responsible for conducting the risk analysis.
  • Decision outcomes: Identify and analyze risks. There are four options for an analyzed risk: accept, resolve (mitigate), transfer, or stop (avoid the activity). Set risk acceptance criteria in advance to avoid discussions during the analysis.
  • Effectiveness and revision: Test and revise the policy plan periodically. Take into account changes such as new systems, processes, threat assessments and current threats.

Making a risk analysis

Digital threats can pose major risks to your organization's services. It is therefore important to be well prepared. Further information on creating a risk analysis can be found in general risk management guidance.

Article 21 paragraph 2 sub i: security aspects regarding personnel, access policy and asset management

Organizations that take their cybersecurity seriously pay attention to security aspects of personnel, access policies and asset management (hardware and software). Who has access to which information and with which rights? By taking these security aspects seriously and implementing appropriate measures, you improve cybersecurity and increase the resilience of your network and information systems.

Staff

An organization’s workforce is the first line of defense against cyberattacks. Employees play a critical role in maintaining the security of systems and data. It is essential that an organization ensures that employees understand and can apply their cybersecurity responsibilities in their work through appropriate education or training. These responsibilities can vary by role.

Procedures for new employees, job or role changes and termination of employment

Access to systems and networks often depends on the role or function within the organization. NIS2-relevant organizations must have procedures for granting, changing, and revoking access when employees join, change roles, or leave (the joiner, mover, leaver process). These procedures must be documented and maintained.

Important Procedures:

  • Assigning roles and rights: Keep an overview of, and control over, which employees are assigned new roles and rights.
  • Revoking roles and rights: Make it clear and manageable which employees lose their roles and rights.
  • Changing roles and rights: Keep track of which employees have changes to their roles and rights.

Key principles for managing access to data and services are described under Access Policy below.

Screening

An effective way to limit risks is to screen the reliability of employees before they are hired. Screening involves an employer requesting information about an applicant or employee to assess their reliability. A well-known example of this is requesting a Certificate of Good Conduct (or equivalent background check). For certain positions of trust, screening might be mandatory. Data protection authorities provide more information about the procedures and regulations surrounding screening.

Access Policy

A good access policy is essential to ensure the availability, integrity and confidentiality of your network and information systems. This policy determines who has access to which systems and with which roles and rights. Due to the dynamics of new employees, departing employees and job changes, careful administration of access rights is necessary.

Authorized access

In an access policy you ensure that:

  • Only authorized employees can grant access.
  • Access is only granted to users for whom it is relevant.
  • Access is granted for the required period.
  • Specific rights are issued according to the principle of least privilege and a rights matrix.
  • When access is granted to external parties (such as suppliers or IT service providers), clear agreements are made about access and security requirements.
  • There is a procedure for adjusting access rights in the event of job changes or departures.
  • Granted access rights are kept in a register.
  • Logging is applied to access rights management to know who granted and received which rights and when.

Organizing identity and access management properly is crucial. It covers physical access security as well as digital identities.

Continuous attention to cyber awareness

Most cyber incidents are caused by human error. Cybercriminals cleverly exploit common human vulnerabilities. Awareness of cyber risks is therefore very important for preventing incidents. Ensure continuous attention to cyber awareness.

Privileged Accounts

User accounts with elevated privileges, such as admin accounts and system accounts, have access to sensitive information and can change system settings. Restrict access to these accounts to those who really need it. Make sure that:

  • Specific accounts are used only for system administration tasks.
  • User accounts with elevated privileges are individualized and limited.
  • Logging is applied to the management of elevated rights.
  • Access rights are periodically reviewed and adjusted.
  • Administrative actions by users with elevated rights are logged.
  • Security measures such as multi-factor authentication (MFA) are required.
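
The joiner/mover/leaver procedures, the rights matrix and least-privilege rules of the access policy, and the logging and periodic review of privileged accounts listed above can be expressed as a small access-rights register. The following Python is an added example, not RiskLM's code and not part of the guidance itself; the roles, rights, the 90-day re-approval period for privileged rights, the `iam-admin` approver and the sample users are constructed assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, timedelta

# Rights matrix (constructed example): which rights each role may hold.
# A right that is not in the matrix for a user's role can never be granted,
# which is how the least-privilege principle is enforced in code.
RIGHTS_MATRIX = {
    "developer": {"repo:read", "repo:write", "ci:trigger"},
    "finance": {"ledger:read", "ledger:write"},
    "helpdesk": {"directory:read", "password:reset"},
    "sysadmin": {"server:admin", "directory:write"},
}
PRIVILEGED_RIGHTS = {"server:admin", "directory:write", "password:reset"}
PRIVILEGED_MAX_DAYS = 90   # assumption: privileged grants must be re-approved every quarter


@dataclass
class Grant:
    user: str
    right: str
    granted_by: str
    granted_on: date
    expires_on: date
    revoked_on: date | None = None

    def is_active(self, today: date) -> bool:
        return self.revoked_on is None and today <= self.expires_on


class AccessRegister:
    """Register of granted rights plus a log of who granted or revoked what, for whom, and when."""

    def __init__(self, approvers):
        self.approvers = set(approvers)   # only these accounts may grant or revoke
        self.roles: dict[str, str] = {}   # user -> current role
        self.grants: list[Grant] = []
        self.log: list[str] = []

    def _log(self, today, actor, action, user, right):
        self.log.append(f"{today.isoformat()} {actor} {action} {right} -> {user}")

    def _check_actor(self, actor):
        if actor not in self.approvers:
            raise PermissionError(f"{actor} is not authorized to manage access rights")

    def grant(self, actor, user, right, today, days=365) -> Grant:
        self._check_actor(actor)
        role = self.roles.get(user)
        if role is None or right not in RIGHTS_MATRIX[role]:
            raise PermissionError(f"{right} is outside the rights matrix for {user} (role {role})")
        if right in PRIVILEGED_RIGHTS:
            days = min(days, PRIVILEGED_MAX_DAYS)   # privileged rights are always time-boxed
        g = Grant(user, right, actor, today, today + timedelta(days=days))
        self.grants.append(g)
        self._log(today, actor, "GRANT", user, right)
        return g

    def revoke(self, actor, user, right, today):
        self._check_actor(actor)
        for g in self.grants:
            if g.user == user and g.right == right and g.is_active(today):
                g.revoked_on = today
                self._log(today, actor, "REVOKE", user, right)

    def rights_of(self, user, today) -> set[str]:
        return {g.right for g in self.grants if g.user == user and g.is_active(today)}

    # Joiner / mover / leaver procedures, built on grant and revoke so every step is logged.
    def joiner(self, actor, user, role, today):
        self.roles[user] = role
        for right in sorted(RIGHTS_MATRIX[role]):
            self.grant(actor, user, right, today)

    def mover(self, actor, user, new_role, today):
        old = self.rights_of(user, today)
        self.roles[user] = new_role
        for right in sorted(old - RIGHTS_MATRIX[new_role]):    # rights the new role does not carry
            self.revoke(actor, user, right, today)
        for right in sorted(RIGHTS_MATRIX[new_role] - old):    # rights the new role adds
            self.grant(actor, user, right, today)

    def leaver(self, actor, user, today):
        for right in sorted(self.rights_of(user, today)):
            self.revoke(actor, user, right, today)
        self.roles.pop(user, None)

    def review(self, today) -> list[tuple[str, str, str]]:
        """Periodic review: active grants held by users without a role, outside the matrix
        for their current role, or privileged (these need an explicit re-approval decision)."""
        findings = []
        for g in self.grants:
            if not g.is_active(today):
                continue
            role = self.roles.get(g.user)
            if role is None:
                findings.append(("ORPHAN", g.user, g.right))
            elif g.right not in RIGHTS_MATRIX[role]:
                findings.append(("OUTSIDE_MATRIX", g.user, g.right))
            elif g.right in PRIVILEGED_RIGHTS:
                findings.append(("PRIVILEGED", g.user, g.right))
        return findings
```

Run against an export of a real directory, `review()` becomes the periodic access review the policy asks for: orphaned grants (the user has left), grants outside the current role's row of the matrix, and every privileged grant, each of which needs a documented decision. The `log` list is the register's answer to "who granted and received which rights and when".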

Authentication

Use strong authentication methods to verify the identity of individuals requesting access. Multi-factor authentication contributes to the cybersecurity of your systems and data. For access to higher classified systems, you can impose additional requirements, such as longer passwords or logging in via a specific network.

Asset Management

Before you can manage assets, you first need to gain insight into them. By identifying which assets are crucial to your organization and its service provision, you can take the right measures to protect these interests. Examples of important assets are customer data, production methods, employee data, financial data and the reputation of your organization.

Practical tools and guidance can help organizations map their critical assets at a tactical level. This mapping can then be used for risk analysis and to identify technical assets needing protection at the network and information systems level.

Asset management consists of a number of steps

Inventory of Assets: Asset management begins with inventory. This involves keeping a record of all the material, such as hardware, software, and the data that these assets contain. This inventory helps identify and manage potential vulnerabilities. NIS2-relevant organizations must also have procedures in place for the secure disposal of assets at the end of their life to prevent data from falling into the wrong hands.

Classification of Sensitive Information: Define and document a classification for sensitive information. This allows you to link the right authorization and have better visibility on who has access to this information. For the degree of confidentiality (e.g. public, for internal distribution only or confidential), use classifications derived from relevant legislation, international agreements or internationally accepted strategies for information exchange, such as the Traffic Light Protocol (TLP).

Asset management and network and information security

Ensure proper management of assets throughout their lifecycle: from acquisition, use, storage, transport to disposal. Provide all assets with a classification level to determine the required availability, integrity and confidentiality. This is also called the 'BIV classification' (or CIA in English - Confidentiality, Integrity, Availability). Based on this classification, you determine the appropriate measures for digital resilience.

The policy should also address the safe use, storage, transportation, and disposal of assets. Equipment, hardware, software, and data should only be transferred to off-site locations after approval by authorized personnel. Determine in advance who within the organization is responsible for which steps.

Effectiveness and revision

Personnel and access policies and asset management should be tested, reviewed and revised periodically. Take into account changes within the organization and current risks. Include the test results in the revised policy documents.

Article 21 paragraph 2 sub c: business continuity, such as backup management and contingency plans, and crisis management

Long-term outages of primary business processes are unacceptable for most companies. A business continuity plan (BCP) helps you be resilient to unexpected events such as power outages, cyber incidents and attacks. With a BCP, you can minimize the impact of disruptions on business operations.

Create a BCP in 4 steps

A BCP is a document that describes how a company deals with serious disruptions or calamities. The goal is to protect personnel, vital processes and primary business processes and to ensure that they continue to function during and after an incident. It contains procedures and instructions to remain operational during a serious disruption. The content of a BCP can differ per organization, but here we focus on digital business processes. Without IT and OT systems, many business processes come to a standstill, so cybersecurity plays an important role in a BCP.

  • Step 1 - Risk analysis as a starting point: The basis of a BCP is a risk analysis. This helps to identify vital and primary processes and to estimate the impact of long-term failure. Refer to risk analysis guidance for a concrete step-by-step plan.
  • Step 2 - BCP Framework: With the risk analysis, you have laid the foundation for your business continuity plan. You now know which disruptions you want to focus on and which business areas require attention. A BCP usually contains the following components:
      • Purpose and Scope: Consider outage scenarios such as power outages, extreme weather, loss of access to a location, and cyber crises.
      • Activation and Deactivation: Describe when the BCP comes into effect and when it can be deactivated again.
      • Incident Response Plan: Describe the roles, tasks and responsibilities of involved employees and service providers. An incident response plan is a key component.
      • Internal and External Communication: Map the main contacts and communication channels and describe the mandatory communication with competent authorities.
      • Effectiveness and Review: Periodically test and review the BCP for effectiveness and adapt it in the event of changes in the organization or threat assessment.
  • Step 3 - Backup or Redundancy Plan: A backup plan describes how often you make backups, where you store them, and when you test them. A redundancy plan describes which additional components or systems you use to replace failed systems.
  • Step 4 - Contingency and Recovery Plan: A contingency and recovery plan, also known as a Disaster Recovery Plan (DRP), describes procedures for using fallback and disaster recovery facilities and for returning to normal operation. It focuses on restoring IT processes and describes the procedure for dealing with disruptions to networks, servers, and devices.

Article 21 paragraph 2 sub b: incident handling

The consequences of disruptions, failures, data leaks or cyber attacks can be serious. That is why it is crucial to respond adequately to an incident to limit negative consequences. An Incident Response Plan (IRP) helps your organization with this.

Create an Incident Response Plan

Incident response is the process of management and mitigation that you go through when an incident occurs. It is better to plan your actions in advance, without time pressure. An Incident Response Plan (IRP) ensures that coordinated action can be taken during an incident.

The plan contains instructions to help employees detect security incidents, respond to them and recover from potential damage. This is essential in the event of disruptions, data leaks or digital attacks. The goal is to respond quickly, calmly and adequately to limit damage and minimize recovery efforts.

For more guidance on where to start with incident response, consult cybersecurity best practices and frameworks.

Article 21 paragraph 2 sub g: basic cyber hygiene practices and cyber security training

To increase your organization’s cyber resilience, you start with a risk assessment. An important next step is to implement basic cyber hygiene practices. Training employees to adhere to these basic practices is essential to your organization’s resilience.

Cyber Hygiene Policy

  • According to cybersecurity guidelines (like NIS2), employees must be trained in cybersecurity. They must recognize cyber threats and know how to respond. Encourage safe behavior to prevent damage from infected USB sticks, weak passwords or phishing emails.
  • Before you can create a cyber hygiene policy, it is important to define the basic principles. Cyber hygiene means that an organization adheres to the basic principles of cyber security. By incorporating these practices into the cyber security policy, you ensure that all employees adhere to the same agreements.

Training for employees

Cyber-aware employees are essential for your organization. Many cyber incidents are caused by human error. There are several ways to make employees aware of cybersecurity, such as awareness programs, onboarding courses and e-learning. Offer cybersecurity training, organize awareness campaigns and hold cyber crisis exercises. This helps employees act safely and prevent threats. Well-trained employees are the key to a safe working environment.

Develop a program that makes every employee aware of cyber risks and promotes safe behavior. Consider training that covers practical and effective topics, such as:

  • Clear desk and screen policy
  • Use of strong passwords and multi-factor authentication (MFA)
  • Secure email usage
  • Anti-phishing
  • Backup practices
  • Performing updates

These themes can be tailored to your organization's specific risks and policies.

Awareness

Employees must be aware of basic cyber hygiene agreements. Continuous attention to awareness programs and training is essential. Ensure that all employees know where and how to report potential incidents, which contacts to approach and where to find additional information.

Further reading on promoting safe digital behavior of employees can be found in resources discussing cybersecurity awareness beyond standard e-learning.

Article 21 paragraph 2 sub e: security in the acquisition, development and maintenance of network and information systems, including the response to and disclosure of vulnerabilities

Many companies and organizations depend on network and information systems for their primary business processes. If you do not have access to these systems or if information becomes public, this can have major consequences for the organization.

Policies and Procedures

Policy and procedures for network and information systems ensure that appropriate measures are taken. The basis for this policy is risk analyses that are translated into risk management decisions.

Consult guidance on how to manage effective information security.

Network and Information Systems Policy

According to cybersecurity guidelines, an organization must have a policy for the security of acquiring, developing and maintaining the network, as well as for dealing with vulnerabilities. Here are some important topics:

Network security

An organization must have a policy for the design of the corporate network and the security measures applied. Monitoring is crucial to detect and address unwanted activities. Document and keep the network architecture up to date. In addition, measures must be taken to protect the corporate network from unwanted external traffic, such as firewalls or data diodes. Make policy choices about allowing managed devices or 'Bring Your Own Device' (BYOD).

Network segmentation

Apply network segmentation to prevent viruses or attackers from spreading within the corporate network. Separate important information and systems and protect the network from unauthorized software and use of corporate devices. General guidance on protecting systems, applications, and devices is relevant here.

Configuration management

A good configuration management policy is essential for the correct configuration of corporate networks, systems, hardware and software. Make sure that default passwords of new routers are always changed and unnecessary options are disabled. This process, known as 'hardening', helps to disable unnecessary functions. Technical security guides often offer resources on hardening and configuration management useful for various organizations.

Change management

Change management describes how an organization deals with implementing and monitoring changes, repairs and maintenance. A consistent procedure is crucial. The change management process should include at least the following points:

  • Request for the change
  • Potential risks and impact of the change
  • Criteria for Prioritizing Changes and Requirements for Testing
  • Requirements for rollbacks
  • Logging of the changes

Choose safe settings

A secure network provides protection against external attacks and leaks from within. Consider carefully when configuring your network, NAS devices, routers, and firewalls.

Patch management

To minimize vulnerabilities, it is important to install security updates (patches) as soon as possible. This is a basic principle of safe digital business operations. Security updates improve software and close security holes, which increases digital resilience.

In the patch management policy, you describe under which conditions security updates are installed. Which systems do you update immediately and which can wait? Test patches in a test environment before installation and check them for integrity and reliability. Follow the change management process when implementing patches.

Note: hardware and software products in your network may be End-of-Life (EoL), meaning they are no longer patched. Have a policy in place for dealing with EoL products. A sample patch policy template can serve as a basis. Also, gain insight into the risks of legacy systems.

Vulnerability management

Every day new vulnerabilities are discovered in software. As an organization you want to be aware of security holes in the software you use. That is why it is important to monitor these vulnerabilities. You can keep track of this yourself for the products you have purchased from suppliers. Support for this can come from security advisories from relevant cybersecurity authorities and information sharing communities. There should be a procedure to assess the impact of a vulnerability on the organization and to take mitigating measures. As part of vulnerability management, you can create a policy for coordinated vulnerability disclosure (CVD) or responsible disclosure. Refer to guidance on improving vulnerability management.
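
Patch management and vulnerability management together come down to matching advisories against the asset inventory and deciding, per affected asset, what to do and by when. The following Python is an added example (not RiskLM's code and not a tool named on the page) that implements that procedure end to end. The inventory, the advisory identifiers `ADV-000x`, the product names, the deadlines per classification and the rule that End-of-Life products or unfixed advisories go to the EoL/compensating-controls track instead of the patch queue are constructed assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Asset:
    name: str
    product: str            # product name as recorded in the asset inventory
    version: str
    classification: str     # "high", "medium" or "low", from the asset classification
    internet_facing: bool
    end_of_life: bool       # vendor no longer supplies patches


@dataclass(frozen=True)
class Advisory:
    advisory_id: str        # constructed placeholder ids, not real advisories
    product: str
    affected_below: str     # versions lower than this are vulnerable
    fixed_in: str | None    # None: the vendor has not released a fix
    severity: str           # "critical", "high", "medium" or "low"


@dataclass(frozen=True)
class Finding:
    asset: str
    advisory_id: str
    action: str             # "PATCH" or "MITIGATE_OR_REPLACE"
    due: date
    test_first: bool        # patch must pass the test environment before production


# Patch policy (assumption): maximum days to install, by classification, tightened
# for critical advisories and for systems reachable from the internet.
PATCH_DEADLINE_DAYS = {"high": 7, "medium": 30, "low": 90}
CRITICAL_MAX_DAYS = 3
INTERNET_FACING_MAX_DAYS = 7


def version_key(version: str) -> tuple[int, ...]:
    """Turn '2.4.0' into (2, 4, 0) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def is_affected(asset: Asset, adv: Advisory) -> bool:
    return asset.product == adv.product and version_key(asset.version) < version_key(adv.affected_below)


def assess(inventory, advisories, today: date) -> list[Finding]:
    """Match advisories against the inventory and assign an action and deadline per affected asset."""
    findings = []
    for adv in advisories:
        for asset in inventory:
            if not is_affected(asset, adv):
                continue
            days = PATCH_DEADLINE_DAYS[asset.classification]
            if adv.severity == "critical":
                days = min(days, CRITICAL_MAX_DAYS)
            if asset.internet_facing:
                days = min(days, INTERNET_FACING_MAX_DAYS)
            # No fix will arrive for EoL products or unfixed advisories: the EoL policy
            # (compensating controls, isolation, replacement) applies instead of patching.
            action = "MITIGATE_OR_REPLACE" if asset.end_of_life or adv.fixed_in is None else "PATCH"
            findings.append(Finding(asset.name, adv.advisory_id, action,
                                    today + timedelta(days=days),
                                    test_first=asset.classification == "high"))
    return sorted(findings, key=lambda f: (f.due, f.asset))


# Constructed sample inventory and advisories for a small organization.
INVENTORY = [
    Asset("web-portal", "acme-webserver", "2.3.1", "high", True, False),
    Asset("intranet-wiki", "acme-webserver", "2.4.0", "medium", False, False),
    Asset("hr-db", "acme-db", "9.1", "high", False, False),
    Asset("legacy-plc-gateway", "acme-gateway", "1.0.5", "high", False, True),
    Asset("print-server", "acme-print", "3.2", "low", False, False),
]
ADVISORIES = [
    Advisory("ADV-0001", "acme-webserver", "2.4.0", "2.4.0", "critical"),
    Advisory("ADV-0002", "acme-db", "9.2", "9.2", "high"),
    Advisory("ADV-0003", "acme-gateway", "2.0", None, "high"),
]

if __name__ == "__main__":
    for f in assess(INVENTORY, ADVISORIES, date(2024, 3, 1)):
        print(f"{f.due} {f.action:20} {f.asset:20} {f.advisory_id} test_first={f.test_first}")
```

The ordering of the result is the work queue: the internet-facing portal with a critical advisory comes first, the internal database follows within its classification's window, and the End-of-Life gateway appears with the same urgency but a different action, because waiting for a patch that will never come is not a plan. The `intranet-wiki` entry shows why numeric version comparison matters: it already runs the fixed version and must not be flagged.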

Secure Development Life Cycle

The Secure Development Life Cycle (SDLC) policy aims to ensure that software and systems are developed in a secure manner. Security must be an integral part of every development phase. This means that the development environment is secured and that software and systems are tested for vulnerabilities at an early stage, an approach known as security by design. It is also advisable to apply the principles of secure coding during the development phase.

Purchasing Policy

During the procurement process, new vulnerabilities or incorrectly configured systems can be introduced into the organization. Therefore, organizations should pay attention to cybersecurity in their tender or procurement process to reduce risks at an early stage. Consider:

  • Including security requirements in the 'program of requirements'.
  • A security update guarantee from the supplier.
  • A manual or training on the correct configuration settings.

Guidance on mapping direct suppliers can be helpful.

Operational Technology

Operational Technology (OT) encompasses a variety of systems used to manage operational processes in the physical world, such as controlling and monitoring industrial equipment. OT equipment, such as robots, security cameras and cash register systems, plays a crucial role in various industries, including manufacturing, chemicals, water boards, transportation and energy.

Risks of Internet Connection

OT systems are increasingly connected to the internet, which facilitates remote management. However, this accessibility also brings risks. Insufficient security measures can give unauthorized persons the opportunity to gain access to and abuse your OT systems. If your business process relies heavily on OT, ICS or SCADA, run a security check for process automation to assess the status of your OT security, and get started improving your OT or ICS security right away. Relevant guidance on securing OT/IACS is available.

Map your network

After creating a policy for network and information system security, it is important to map your network. Only by knowing and understanding your network can you take the right measures to improve digital resilience. Follow these steps to map your network:

  • Create a view of your network with all IT assets, including IoT devices.
  • Map out the purpose of the different systems.
  • Determine which network and information systems depend on each other.
  • Zoom in on the systems in your network.
  • Process details of each system and device, such as the OS version.
  • Identify physical threats to your network.
  • Assess where important information resides within your network.
  • Map the information flows between network components.

By following these steps, you will gain a clear picture of your network and be able to assess whether it complies with your organization's network security policy.
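
The eight mapping steps above produce data that can be queried rather than just filed. The following Python is an added example, not the page's or RiskLM's code: it encodes a constructed network map (zones, where important information resides, information flows, and dependencies) and answers three questions a network security policy review asks: how the internet reaches each important data store, which flows violate the segmentation policy, and what stops working when a component fails. The systems, zones, flows and the rule that only the application zone may talk to data stores are assumptions.

```python
from collections import deque

# Constructed network map for a small organization (example data, not a real network).
# Steps 1 and 2: systems, the zone they sit in, and what they are for.
ZONES = {
    "internet": "internet",
    "web-portal": "dmz", "auth-service": "dmz",
    "app-server": "app", "hr-app": "app",
    "workstation-vlan": "user",
    "customer-db": "data", "hr-db": "data", "directory": "data", "storage-san": "data",
}
# Step 7: where important information resides.
HOLDS = {"customer-db": "customer data", "hr-db": "employee data", "directory": "credentials"}
# Step 8: information flows between components (sender -> receivers).
FLOWS = {
    "internet": {"web-portal"},
    "web-portal": {"app-server", "auth-service"},
    "app-server": {"customer-db"},
    "auth-service": {"directory"},
    "workstation-vlan": {"hr-app", "web-portal", "customer-db"},  # last one: an ad-hoc admin shortcut
    "hr-app": {"hr-db", "directory"},
}
# Step 3: runtime dependencies (system -> systems it cannot work without).
DEPENDS_ON = {
    "web-portal": {"app-server", "auth-service"},
    "app-server": {"customer-db"},
    "auth-service": {"directory"},
    "hr-app": {"hr-db", "directory"},
    "customer-db": {"storage-san"},
    "hr-db": {"storage-san"},
}
# Segmentation policy (assumption): only the application zone may talk to data stores.
ALLOWED_INTO_DATA = {"app"}


def shortest_path(graph, src, dst):
    """Breadth-first search over directed edges; returns the hop list or None if unreachable."""
    previous = {src: None}
    queue = deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            path = []
            while node is not None:
                path.append(node)
                node = previous[node]
            return path[::-1]
        for nxt in graph.get(node, ()):
            if nxt not in previous:
                previous[nxt] = node
                queue.append(nxt)
    return None


def exposure_paths():
    """For every system holding important information: the shortest flow path from the internet."""
    return {system: shortest_path(FLOWS, "internet", system) for system in sorted(HOLDS)}


def segmentation_violations():
    """Flows into the data zone that do not originate from an allowed zone."""
    return sorted((src, dst) for src, dsts in FLOWS.items() for dst in dsts
                  if ZONES[dst] == "data" and ZONES[src] not in ALLOWED_INTO_DATA)


def blast_radius(failed):
    """Every system that transitively depends on `failed` (what stops working if it goes down)."""
    dependents = {}
    for system, deps in DEPENDS_ON.items():
        for dep in deps:
            dependents.setdefault(dep, set()).add(system)
    affected, queue = set(), deque([failed])
    while queue:
        node = queue.popleft()
        for upstream in dependents.get(node, ()):
            if upstream not in affected:
                affected.add(upstream)
                queue.append(upstream)
    return affected


if __name__ == "__main__":
    for system, path in exposure_paths().items():
        route = " -> ".join(path) if path else "not reachable from the internet"
        print(f"{system} ({HOLDS[system]}): {route}")
    print("segmentation violations:", segmentation_violations())
    print("if storage-san fails:", sorted(blast_radius("storage-san")))
```

Two of the answers are the kind of thing a diagram hides: the admin shortcut from the workstation VLAN straight into the customer database, and the fact that the DMZ authentication service talks to the directory directly, both of which the policy forbids. The blast radius of the shared storage covers every business application, which is the input the business continuity plan needs for its redundancy decisions.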

Further information on maintaining security controls can be beneficial.

Article 21 paragraph 2 sub d: the security of the supply chain, including security-related aspects relating to the relationships between each entity and its direct suppliers or service providers

Companies often depend on the products or services of suppliers. Digital connections between companies increase this dependency; a security breach at one organization can have major consequences for the connected organizations. That is why the NIS2 directive (and similar regulations) requires relevant companies to take measures to secure the supply chain.

Risks in the chain

There are significant differences in digital resilience between companies, sectors and chains. Even if your own digital resilience is in order, you run risks if your supplier or IT service provider is vulnerable to cyber risks. This can jeopardize the availability, confidentiality and integrity of your business processes and information. That is why supplier risks must be included in the risk analysis and risk management decision-making.

Examples of Digital Supply Chain Risks

Here are three scenarios that could impact your business:

  • A supplier that is relevant to the proper functioning of your network and information systems no longer delivers due to a digital attack.
  • Your IT service provider has been hacked, which may give the attacker access to your systems.
  • A critical vulnerability has been discovered in a product or service you use.

Major cyber incidents, such as the one affecting the port of Rotterdam in 2017, highlight the severe impact of supply chain vulnerabilities.

Supply Chain Security

Gaining visibility and control over cybersecurity risks in the supply chain is not easy. For a strong cybersecure chain, you need to establish a policy that maps dependencies with direct suppliers and service providers. Also focus on the IT supply chain to limit potential risks. As a NIS2-relevant organization, you are responsible for identifying and limiting risks, including those arising from the supply chain. Make good agreements to keep track of the risks and limit them to an acceptable level where necessary.

Guidance is available on how to map direct suppliers and how to strengthen supplier resilience.

Supply Chain Policy Plan

A supply chain management plan is a strategic document that describes:

  • How to select and contract suppliers.
  • How to map dependencies.
  • How to classify risks and dependencies.
  • How you manage risks or dependencies.
  • How to evaluate and revise this periodically.

When purchasing services or products from suppliers, cybersecurity guidelines require insight into the following matters:

  • Can a supplier demonstrate compliance with the imposed cybersecurity specifications?
  • Risk classifications of the IT services or products provided.
  • A coordinated risk assessment of critical suppliers, as required in regulations like Article 22 paragraph 1 of the NIS2 Directive.

Article 21 paragraph 2 sub h: policy and procedures regarding the use of cryptography and, where applicable, encryption

Cryptography is the technique of encrypting or decrypting data so that only authorized persons can read the data. It forms the basis for protecting the confidentiality and integrity of your company data and assets. Encryption is a cryptographic method of scrambling data based on a cryptographic algorithm.

Cryptography Policy

The purpose of cryptography and encryption policies and procedures is to ensure the confidentiality, integrity, non-repudiation, authenticity, and authentication of data. In a policy document, you describe the techniques and measures you have implemented to protect the confidentiality and integrity of information.

Parts of the policy document

  • Configuration Management: Use only approved encryption standards across the organization. Policy should specify a minimum key length per asset and standard.
  • Required Encryption Standard: Based on the risk analysis and asset classification, the requirements for the encryption standard per security level must be determined.
  • Required Key Length: The recommended key length depends on the encryption standard chosen. Consult the documentation of the encryption standard used for advice.
  • Key Management: Policies for the entire lifecycle of cryptographic keys are essential. These include procedures, roles and responsibilities for:
      • Generating and distributing keys
      • Destroying or withdrawing keys
      • Archiving keys
      • Backing up keys
      • Logging key management activities
      • The issuance and acquisition of certificates, if applicable
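
The key management items above describe a key lifecycle. The following Python is an added example (not RiskLM's or the page's code) that enforces such a lifecycle for HMAC-SHA256 signing keys with only the standard library: generation checked against a minimum key length, rotation that deprecates the previous key, archiving for records that must remain verifiable, withdrawal on suspected compromise, destruction that wipes the material, and a log of every key management activity. The policy values (32-byte minimum, 365-day maximum key age), the state names and the `kms-admin` actor are assumptions.

```python
import hashlib
import hmac
import secrets
from datetime import date

# Cryptography policy (assumption): approved algorithm, its minimum key length,
# and the maximum age of a signing key before rotation is mandatory.
POLICY = {"algorithm": "HMAC-SHA256", "min_key_bytes": 32, "max_key_age_days": 365}
VERIFY_STATES = {"active", "deprecated", "archived"}   # states whose keys may still verify


class KeyStore:
    """Key lifecycle: generate -> active -> deprecated (after rotation) -> archived -> destroyed,
    or withdrawn on suspected compromise. Every transition is logged with actor and date."""

    def __init__(self):
        self.keys = {}          # key_id -> {"material", "state", "created"}
        self.log = []           # key management activities: date, actor, action, key id
        self.active_id = None

    def _log(self, today, actor, action, key_id):
        self.log.append(f"{today.isoformat()} {actor} {action} {key_id}")

    def _set_state(self, today, actor, key_id, state):
        self.keys[key_id]["state"] = state
        self._log(today, actor, state.upper(), key_id)

    def generate(self, actor, today, key_bytes=POLICY["min_key_bytes"]):
        """Generate a new active key; the previous active key becomes deprecated (verify-only)."""
        if key_bytes < POLICY["min_key_bytes"]:
            raise ValueError(f"key length {key_bytes} below policy minimum {POLICY['min_key_bytes']}")
        key_id = f"k{len(self.keys) + 1:03d}"
        self.keys[key_id] = {"material": secrets.token_bytes(key_bytes), "state": "active", "created": today}
        self._log(today, actor, "GENERATE", key_id)
        if self.active_id is not None:
            self._set_state(today, actor, self.active_id, "deprecated")
        self.active_id = key_id
        return key_id

    def sign(self, message: bytes, today) -> str:
        """MAC a record with the active key; the key id travels with the tag for later verification."""
        if self.active_id is None:
            raise RuntimeError("no active key; generate one first")
        key = self.keys[self.active_id]
        if (today - key["created"]).days > POLICY["max_key_age_days"]:
            raise RuntimeError(f"{self.active_id} is older than policy allows; rotate before signing")
        tag = hmac.new(key["material"], message, hashlib.sha256).hexdigest()
        return f"{self.active_id}:{tag}"

    def verify(self, message: bytes, token: str) -> bool:
        key_id, _, tag = token.partition(":")
        key = self.keys.get(key_id)
        if key is None or key["state"] not in VERIFY_STATES:
            return False
        expected = hmac.new(key["material"], message, hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, tag)

    def archive(self, actor, key_id, today):
        """Keep a retired key for verifying retained records; it can never sign again."""
        if key_id == self.active_id:
            raise RuntimeError("rotate first; the active key cannot be archived")
        self._set_state(today, actor, key_id, "archived")

    def withdraw(self, actor, key_id, today):
        """Suspected compromise: nothing signed with this key is trusted any more."""
        self._set_state(today, actor, key_id, "withdrawn")
        if key_id == self.active_id:
            self.active_id = None

    def destroy(self, actor, key_id, today):
        """Wipe the material; the log entry is the only remaining trace of the key."""
        if key_id == self.active_id:
            raise RuntimeError("the active key cannot be destroyed")
        self.keys[key_id]["material"] = None
        self._set_state(today, actor, key_id, "destroyed")
```

Signing and verification deliberately use different rules: only the single active key signs, while deprecated and archived keys still verify, so rotation never invalidates records in flight and archived records stay checkable until the retention period ends and the key is destroyed. A withdrawn key fails verification immediately, which is the difference between retiring a key and distrusting it.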

Effectiveness and revision

The cryptography policy should be periodically tested and revised, taking into account changes in the organization and current risks. The test results should be included in the revised version of the policy document.

General information about what encryption is can provide foundational knowledge.

Article 21 paragraph 2 sub j: where appropriate, the use of multi-factor authentication or continuous authentication solutions, secure voice, video and text communications and secure emergency communications systems within the entity

For secure business processes, it is essential that users, devices, and other assets are authenticated with multi-factor authentication (MFA) or continuous authentication mechanisms before they access the organization's networks and information systems.

Classification of assets

The level and strength of authentication must match the classification of the assets to which access is granted. You inventoried this classification in the risk analysis. Additional authentication prevents an attacker from gaining access to an account by guessing the password or finding it out via, for example, social engineering or phishing.

What is MFA?

Multi-factor authentication (MFA) requires the use of two or more different factors to verify your identity or authority. These factors may include:

  • Something you know: For example, a password or a personal identification number.
  • Something you have: For example, a cryptographic identification device or tokens.
  • Something you are: For example, biometric data such as an iris scan or handprint.

An example of MFA is a password combined with a token. Another example is using a fingerprint combined with a one-time code that you receive on another device.

Understand the benefits of using Two-Factor Authentication (2FA) or MFA.

Apply MFA

Use two-factor authentication (2FA) or multi-factor authentication (MFA) in any case for:

  • Accounts accessible from the internet
  • Accounts with administrative rights
  • Accounts on critical systems

Although 2FA, two-step verification, and MFA are technically different, they are all used to make access to accounts and digital systems more secure. If you are considering using an MFA method, tips for choosing and using an MFA application can be helpful.

VPN

For secure communication, an organization can use a Virtual Private Network (VPN). A VPN makes it possible to set up a secure connection between two devices over an existing network, such as the internet. This connection, a VPN tunnel, encrypts the data traffic. You can purchase a VPN as a service or set up a VPN server yourself.

Article 21 paragraph 2 sub f: policies and procedures to assess the effectiveness of cybersecurity risk management measures

Assessing the effectiveness of cybersecurity measures is essential. It helps manage risk, ensures compliance with legislation such as the NIS2 directive (and similar), and identifies areas for improvement. This process builds stakeholder confidence and enables adaptation to emerging threats.

Start with a risk analysis

Performing a risk analysis is the first step to increase the digital resilience of your organization. This analysis identifies the existing risks. As a second step, you determine and implement the necessary control measures where needed. After implementation, it is crucial to know whether the measures are effective and cover the intended risks. This requires structured and systematic testing, which must be included in the organization's policy. One way to test the effectiveness of measures is a security test.

Policy to assess effectiveness

The policy for assessing the effectiveness of measures varies from organization to organization, depending on the measures taken previously and specific processes. Here are some elements that are often included in this policy:

  • Purpose and Scope: Define the objectives of the testing and evaluation. The objective should include whether the appropriate measures have been taken to keep the risks within acceptance criteria and whether applicable regulations are met. Determine the scope of the test based on these objectives.
  • Frequency: Include the frequency of the assessment in the policy. Several security frameworks impose one: ISO 27001, for example, requires internal audits at planned intervals, and certified organizations undergo annual surveillance audits. If there is no specific frequency requirement, determine the frequency based on the risk assessment.
  • Methods of Testing: Testing can be done via audits, risk analyses, penetration tests, code reviews or security scans. Choose the form that fits the purpose and scope of the test: a vulnerability scan shows known weaknesses cheaply and repeatably, a penetration test shows whether they can actually be exploited, and an audit shows whether the process behind the measures is followed.
  • Roles: Determine which function will be responsible for the assessment. This can be done by an internal or external party, but ensure that the party is independent for an impartial assessment.
  • Outcomes: Describe how the outcomes are reported and to whom. For independence, it is advisable to report to the board or management. Use the outcomes as input for updating the risk analysis.

The policy plan for testing the effectiveness of measures must be periodically tested and revised, taking into account changes in the organization and new risks. Include points for improvement in the revised version of the policy plan.

How do you perform a security test?

General guidance on performing security tests involves the following steps:

  • Determine the goal: Define what you want to achieve with the security test, for example confirming that a specific measure holds up, or finding unknown weaknesses in a system.
  • Determine the means: Lay down the testing method, the scope (which systems, tested from which position, without or with credentials) and the exclusions in an assignment description.
  • Control the execution: Make clear agreements with the party that carries out the test: rules of engagement, time window, a point of contact, what happens when a serious weakness is found mid-test, and how the results are reported.
  • Lock in the improvements: Evaluate the results, agree on the points for improvement with owners and deadlines, verify the fixes with a retest, and use the results as input for the next risk analysis.

Pricing & Plans

Simple Plans, Powerful Value

Choose the perfect plan to elevate your cybersecurity posture and meet compliance requirements with ease.

Basic

€290 /month

Yearly subscription, billed monthly.

  • Unlimited report generations
  • Continuous Risk Management
  • AI supported control effectiveness measuring
  • Role Based Permissions
  • Risk policy generation
  • Email Support
Get Started

One-Time Assessment

€490

Special Offer! (Was €990). Valid until Sept 30, 2025.

  • Plain-English summary of top cybersecurity risks
  • Prioritized, budget-ready action plan
  • Foundational security policy document
  • Meets core NIS2 compliance demands (Art. 21)
  • Independent and Objective Reporting
Get Report Offer

Risklet Pro

€2449 /year

Comprehensive annual access.

  • Unlimited report generations
  • Real-time visibility of risk posture
  • Control maturity assessment questionnaire
  • Role Based Permissions
  • Risk policy generation
  • Priority Support
Get Started

All subscription models must be cancelled at least 30 days before the license renewal. For one-time reports, this does not apply.

FAQ

Frequently Asked Questions

Find answers to common questions about Risklet, its features, and how it can help your business.

Risklet uses an advanced AI platform to analyze your cybersecurity posture, identify key risks, and generate compliant reports. It simplifies complex assessments, making them accessible and actionable.

We offer flexible pricing plans including monthly subscriptions, one-time reports, and comprehensive annual packages. Check our Pricing section for detailed information on each plan.

Support options vary by plan, ranging from email support for basic plans to priority phone and email support for our Pro users. We are committed to helping you succeed.

Protecting your data is the foundation of our service. We use a multi-layered, defense-in-depth strategy to safeguard your information at every level.

Encryption in Transit and at Rest
Your data is encrypted in transit and at rest. We use TLS 1.2 or higher for data in transit and industry-standard AES-256 encryption for data at rest, the same standards used by financial institutions and governments worldwide.

Secure and Compliant Infrastructure
Our platform is built on industry-leading cloud providers (like AWS/GCP). All customer data is hosted in the EU, ensuring it benefits from world-class physical security and meets rigorous compliance standards, including ISO 27001.

Application & Access Security
We design our application to be secure from the ground up. Our development follows secure coding practices to prevent vulnerabilities. We enforce strict Role-Based Access Controls, and our application undergoes regular penetration testing by independent, third-party security experts.

Proactive Monitoring & Response
We operate with a "never trust, always verify" mindset. Our systems are monitored 24/7 for suspicious activity, and our team is prepared with a robust incident response plan to act swiftly on any potential threat.

For our Pay-Per-Report offering, we’ve engineered a revolutionary process that delivers a comprehensive risk analysis without requiring any of your sensitive, internal data.
Here’s how our privacy-first model works:

  • Questionnaire: You provide general characteristics about your company (e.g., industry, size, geography) through a simple questionnaire.
  • Digital Twin Creation: We use this information to build a "digital twin", a conceptual model of your company's operational profile.
  • Threat Analysis: We then cross-reference this digital twin against our proprietary threat database to identify and evaluate the key threats and risks relevant to your unique characteristics.

The result is a highly accurate, tailored risk register created for you, without you ever having to upload a single sensitive document or confidential detail.

No. Risklet does not perform an external audit or confirmation of your controls. It is a self-assessment tool designed to empower your organization.

Risklet enables you to conduct your own validation of controls. In the subscription version, you can then track the changes in your residual risk after this validation is completed, providing a clear view of your risk management progress.

Management's role is critical, and the organization has several key responsibilities to turn the Risklet analysis into an effective cybersecurity program.

Management Approval is Essential
Management body approval and involvement are non-negotiable. There must be formal, documented proof that management has reviewed the analysis and approved the resulting action plans.

  • Formal Review and Approval: All policies and the risk register (including your organization's risk appetite and the acceptance of residual risk) must be formally reviewed and approved by the designated management body.
  • Document Decisions: These approvals and decisions must be documented, for example in official meeting minutes.
  • Approve Action Plans: Management must formally approve the implementation of any Plan of Action and Milestones (POA&M) that results from the risk analysis.

Your Organization's Responsibilities
The Risklet report should be used as a catalyst to build and mature your cybersecurity program.

  • Define Your Risk Appetite: Risklet may present a standard consultancy scale for risk, but your organization must formally define, approve, and document its own specific risk appetite and tolerance levels.
  • Establish Governance: Use the report's findings to justify the resources needed to establish foundational governance. This includes creating and getting management approval for overarching policies (e.g., Policy on Security of Network and Information Systems) and a formal Risk Management Policy.
  • Develop and Document: Systematically create, document, and implement any missing topic-specific policies (e.g., Incident Handling, Business Continuity, Access Control). For each policy, document the supporting procedures and establish a schedule for testing them (e.g., BCDR tests, incident response drills).

Expand Scope with a Multi-Tiered Approach
The Risklet report provides an essential enterprise-level risk assessment. This aligns with Tier 1 (Organization Level) of the three-tiered NIST risk management approach (NIST SP 800-39), which focuses on high-level, strategic risk.

To achieve a more mature and comprehensive security posture, it is highly advised to expand this analysis to the other two tiers:

  • Tier 2 (Mission/Business Process Level): Assess risks in the context of your specific core business operations and processes.
  • Tier 3 (Information System Level): Conduct detailed technical risk assessments on the individual systems, applications, and networks that support those operations.

While performing assessments at all three tiers is a best practice, it's important to note that a deep-dive analysis at Tiers 2 and 3 is advised for robust security but not explicitly mandated by the NIS2 Directive. Your primary responsibility is to ensure that risks to all essential and important services are identified and managed effectively, using the Tier 1 analysis as your foundation.

Get Started

Elevate Your Business with Smart, Scalable Solutions!

Take control of your cybersecurity risk and compliance. Risklet provides the tools and insights you need to protect your assets and build a resilient organization.