Exigence Blog

Why robust IR planning is critical for NIS2 compliance

Written by Noam Morginstin | Dec 22, 2024 5:56:26 AM

“As the world becomes more connected, organizations see that their IT and OT infrastructures become increasingly integrated, whereby the potential of physical cybersecurity incidents is growing. As a result, the NIS2 Directive underlines the EU’s motivation to put cybersecurity at the forefront of the agenda.” (KPMG)

NIS2 is here

In January 2025, the Network and Information Security Directive (NIS2) goes into effect. This Directive requires organizations across the EU, and those that serve EU customers, to strengthen their cybersecurity posture, mandating:

  • Stricter security protocols
  • Comprehensive incident and business continuity planning
  • Immediate incident reporting

Affected organizations

Under NIS2, companies in “essential” and “important” sectors must comply:

Essential entities:
  • Energy
  • Transport
  • Banking
  • Financial market infrastructure
  • Health
  • Drinking water
  • Wastewater
  • Digital infrastructure
  • ICT-service management
  • Public administration
  • Space

Important entities:
  • Postal and courier services
  • Waste management
  • Chemical production and processing
  • Food
  • Manufacturing
  • Digital providers
  • Domain name providers

It’s important to note that even if a company is based outside of the EU, this Directive still applies if it offers critical services within the EU.

The 10 minimum requirements

Both essential and important entities are subject to the ten minimum requirements of NIS2.

The difference is that essential entities will be subject to direct supervision under NIS2, while important entities will face post-event oversight, with authorities taking action if evidence of non-compliance arises.

  • Risk assessments
  • Evaluating the effectiveness of security measures
  • Incident response planning
  • Business continuity planning
  • Multi-factor authentication
  • Procedures for cryptography
  • Procurement security
  • Procedures for access to sensitive or important data
  • Cybersecurity training
  • Security around supply chains

The high cost of non-compliance

Incident readiness has always been a strategic priority for organizations. However, with the introduction of NIS2, the repercussions of being unprepared for an incident will be considerably more severe.

Non-compliance could lead to substantial fines and even the dismissal of executives, as NIS2 may hold leadership personally liable if gross negligence is proven after a cyber incident.

Steep fines for non-compliance

  • Essential entities: €10M or 2% of global annual revenue, whichever is higher
  • Important entities: €7M or 1.4% of global annual revenue, whichever is higher

Why incident planning matters

Under NIS2, organizations that fail to adequately prepare for security and operational incidents face not only extended downtime, damaged reputations, and costly recovery efforts, but also increased fines and the potential for significant repercussions on individual careers.

The importance of readiness through robust planning cannot be overstated. This is why it is critical to comply with the NIS2 mandate for formal incident response (IR) by creating a comprehensive IR plan that also incorporates business continuity measures.

Implementing a well-structured IR plan is a fundamental pillar for NIS2 compliance.

How Exigence supports IR readiness for NIS2 compliance

“Exigence streamlines NIS2 compliance by enabling structured incident planning and simplifying the generation of reports required to meet legal obligations,” says Nicola Fusco, Security Operations Auditor, Arcasafe.

Exigence helps organizations achieve NIS2 compliance and incident readiness with a platform built around template-based incident response planning.

This structured and guided approach makes incident plan creation and testing fast, easy, reliable, and documentable.

The platform’s intuitive interface, with pre-defined forms, checklists, and timers, walks users through the different sections of the IR plan, helping them fill each one in quickly and accurately.

This way, when an incident hits, every responder can determine immediately who to reach, how to reach them, and what everyone’s roles and responsibilities are, without having to sift through pages and pages of static documents.

The platform also provides guided tabletop testing that engages all relevant incident response stakeholders in testing the IR plan, processes, and procedures, to make sure that the plan works and that everyone knows what to do during the moment of truth.

And, when an incident hits, the Exigence platform remains fully accessible and operational, as it functions out-of-band, unaffected by disruptions to the organization's network infrastructure.

Furthermore, because the platform is multi-tenant, service providers such as MSPs and MSSPs can create and deliver incident response plans and tabletops to a large number of different customers.

In conclusion

Compliance with NIS2 is not just a legal requirement—it’s a strategic imperative for risk mitigation and resilience.

With template-based IR planning from Exigence, organizations can mitigate these risks and ensure they are ready for NIS2 and beyond.

To learn more about how Exigence can help you be incident ready and NIS2 compliant, we invite you to book a demo.