NIS2 Compliance FAQs

1. Risk Management and Security Measures:
   • Requirement: Organizations must implement appropriate and proportionate technical, operational, and organizational measures to manage risks posed to the security of network and information systems.
   • Impact: Organizations must enhance cybersecurity frameworks by integrating comprehensive risk management and incident response strategies. They will also need to deploy advanced security technologies, conduct regular security assessments, and continuously update security policies and procedures to mitigate risks effectively.
2. Incident Reporting:
   • Requirement: Organizations are required to report significant incidents to the relevant national authorities within a specific timeframe.
   • Impact: Establishing robust incident management processes is essential. Organizations must be capable of swiftly detecting, responding to, and recovering from security incidents, to minimize potential damage and operational disruptions.
3. Supply Chain Security:
   • Requirement: NIS2 mandates that organizations address security risks within their supply chains and service providers.
   • Impact: Organizations will need to extend their cybersecurity efforts beyond internal systems, involving vetting suppliers, implementing contractual security requirements, and continuously monitoring third-party compliance. This ensures that vulnerabilities introduced through external partners are effectively managed.
4. Governance and Accountability:
   • Requirement: Organizations must establish clear governance structures for cybersecurity, including appointing responsible individuals or teams for managing and overseeing cybersecurity measures and compliance with NIS2.
   • Impact: Organizations need to designate specific roles and responsibilities for cybersecurity, potentially appointing a Chief Information Security Officer (CISO) or forming dedicated cybersecurity teams, to ensure proper oversight and adherence to the directive’s requirements.
5. Cooperation and Information Sharing:
   • Requirement: The directive encourages cooperation between member states and obliges organizations to share relevant information about threats, incidents, and risks with national authorities and other stakeholders.
   • Impact: This requirement promotes a collaborative approach to cybersecurity, encouraging organizations to share threat intelligence and best practices. 

Article 21 of the NIS2 Directive mandates several cybersecurity risk-management measures, including: 

• Risk analysis and information system security policies 

• Incident handling 

• Business continuity and crisis management 

• Supply chain security 

• Security in network and information systems acquisition, development, and maintenance 

• Cyber hygiene practices and cybersecurity training 

• Use of cryptography and encryption 

• Human resources security, access control policies, and asset management 

• Multi-factor authentication and secured communication systems 

Determining whether your organization falls under the scope of the NIS2 Directive involves assessing several factors, including the sector you operate in and the size of your organization. Here’s how you can identify if your organization is affected:

Tools and Resources to Determine Scope:

1. Sector Coverage:
   • Essential Sectors: NIS2 applies to sectors such as energy, transport, banking, healthcare, and digital infrastructure. If your organization operates in any of these sectors, you are likely within the scope.
   • Important Sectors: The directive also covers other critical services like water supply and distribution, public administration, and digital services such as online marketplaces and cloud computing.

Note: Read this blog post for a more in-depth overview of impacted sectors.

1. Size Criteria:
   • Medium and Large Enterprises: Generally, NIS2 targets medium and large enterprises, defined as those with at least 50 employees and/or an annual turnover or balance sheet total of at least €10 million.
   • Exemptions: Small enterprises might be exempt unless they provide essential services in critical sectors, where their operations could have significant impacts.
2. National Competent Authorities:
   • Guidance from Authorities: Each EU member state has designated national competent authorities responsible for implementing and enforcing NIS2. These authorities provide guidelines and tools to help organizations determine their compliance obligations.
   • Official Documentation: Review the official NIS2 documentation and related national regulations available on government websites and from industry bodies.
3. Self-Assessment IT Compliance Tools:
   • Online Checklists and Tools: Several online resources and checklists can help you evaluate if your organization meets the criteria set by NIS2. These tools often involve answering questions about your organization’s size, sector, and services provided.
   • Consulting Services: Engaging with consulting firms that specialize in cybersecurity and compliance can provide a tailored assessment and ensure that you meet all necessary requirements.

If your organization will be required to comply with NIS2, we recommend the following steps:

• Review Sector Lists: Check if your industry is listed under the essential or important sectors as defined by NIS2.
• Evaluate Organizational Size: Determine if your organization meets the size criteria specified in the directive.
• Consult National Guidelines: Refer to guidelines provided by national competent authorities for detailed compliance requirements.
• Use Self-Assessment IT Compliance Tools: Utilize available online resources to conduct a preliminary assessment of your organization’s compliance status.

Seek Professional Advice: Consider consulting with cybersecurity and compliance experts to ensure thorough evaluation and adherence to NIS2 requirements.

The Network and Information Systems Directive 2 (NIS2) and the Digital Operational Resilience Act (DORA) differ significantly in their focus and scope. 

NIS2 aims to enhance cybersecurity across a broad range of sectors, including energy, transportation, banking, health, and digital infrastructure, by mandating comprehensive security measures and ensuring uniform standards across the EU. In contrast, DORA specifically targets the financial sector, including banks, insurance companies, and investment firms, to bolster their digital operational resilience against cyberattacks. 

While NIS2 requires member states to transpose its directives into national laws, leading to potential variations, DORA is a regulation that is directly applicable in all member states, ensuring uniform implementation. DORA’s stringent requirements for operational resilience, including mandatory resilience testing and management of third-party risks, are tailored to the financial sector’s unique needs, making it more specialized compared to the broader approach of NIS2​.

For more information about DORA, read our guide, Understanding NIS2 in Finance.

According to information found on ISMS.online and PwC UK, the UK’s approach to the NIS2 Directive differs significantly from that of the EU. 

Following Brexit, the UK will not be implementing NIS2 but instead plans to update its own NIS regulations. These changes are expected in 2024 and will include expanded regulation of digital service providers to encompass managed service providers (MSPs), which were previously not covered under the EU’s original NIS directive.

The UK’s revised regulations will maintain a focus on sectors critical to national infrastructure, such as energy, transport, and digital services. However, there will be a greater emphasis on flexibility and a risk-based approach to cybersecurity, rather than the more prescriptive measures seen in NIS2. This means that while the UK aims to enhance cybersecurity resilience, the specifics of the regulatory framework will diverge from the EU’s approach, potentially creating different compliance obligations for businesses operating in both jurisdictions.

Article 21 of the NIS2 Directive outlines several critical measures that organizations must implement to protect network and information systems from incidents. Here’s how Lansweeper can assist in meeting these requirements:

21(a): Policies on Risk Analysis and Information System Security

• Requirement: Develop comprehensive policies for risk analysis and information system security.
• Lansweeper Solution: Lansweeper’s discovery and risk insights enable organizations to conduct a thorough risk analysis and identify misconfigurations such as missing antivirus installations, lack of encryption, unauthorized local admins, outdated certificates, and outdated software/drivers. This detailed inventory is crucial for executing an effective incident response plan.

21(b): Incident Handling

• Requirement: Establish robust incident handling procedures.
• Lansweeper Solution: Comprehensive asset visibility is crucial during incident handling as it allows incident response teams to quickly identify affected assets and understand the broader impact of an incident. Knowing the exact hardware, software, and configurations involved accelerates both the detection and remediation processes. Lansweeper’s integration with security and ITSM/CMDB tools helps in more accurate threat detection and faster incident resolution.

21(c): Business Continuity and Crisis Management

• Requirement: Ensure business continuity through backup management and disaster recovery.
• Lansweeper Solution: Lansweeper’s discovery features provide an inventory of backup agents and their versions, ensuring that backup and disaster recovery services are always enabled and up-to-date.

21(d): Supply Chain Security

• Requirement: Address security-related aspects of relationships with direct suppliers or service providers.
• Lansweeper Solution: Lansweeper’s discovery is crucial for tracking and managing the assets provided by external parties, ensuring that all components are accounted for and that their origins are known. Risk insights and lifecycle information in Lansweeper allow you to conduct thorough risk assessments of suppliers by identifying and tracking any vulnerabilities in the hardware or software provided by them.

21(e): Security in Network and Information Systems Acquisition, Development, and Maintenance

• Requirement: Implement security measures during acquisition, development, and maintenance of systems, including vulnerability handling.
• Lansweeper Solution: Organizations can leverage Lansweeper’s Risk Insights for proactive vulnerability management, ensuring that all systems are secure throughout their lifecycle.

21(g): Basic Cyber Hygiene Practices and Cybersecurity Training

• Requirement: Implement basic cyber hygiene practices and provide cybersecurity training.
• Lansweeper Solution: Lansweeper can be used to monitor the use of data encryption, antivirus installations, and up-to-date software and any number of additional security configuration items to ensure adherence to cyber hygiene practices. SIEM/SOAR and many other security-focused integrations can be utilized for enhanced security. ITSM integrations can be utilized to create workflows for incident response.

21(h): Use of Cryptography and Encryption

• Requirement: Establish policies and procedures regarding the use of cryptography and encryption.
• Lansweeper Solution: Lansweeper can be used to monitor the usage of data encryption tools like BitLocker and certificates, ensuring that cryptographic measures are properly implemented and maintained.

21(i): Human Resources Security and Access Control Policies

• Requirement: Develop human resources security policies and manage access control.
• Lansweeper Solution: Lansweeper Lansweeper’s detailed asset inventory and user tracking features can help HR and IT departments understand who has access to what combining IT and user information allows for more efficient HR and IT onboarding/offboarding management, better access control management and easier compliance enforcement. ITSM and CMDB integrations allow for the improving existing or creating new automated workflows that aid HR and IT.

By leveraging Lansweeper’s robust features, organizations can effectively meet the requirements set forth in Article 21 of the NIS2 Directive, ensuring enhanced security and compliance.

While most features demonstrated in the NIS2 webinar are available on-premises, advanced capabilities like risk insights and network diagrams are exclusive to the Cloud version. A hybrid setup, combining cloud and on-premises solutions, offers the best of both worlds with enhanced capabilities, flexibility, scalability, improved security, compliance, and optimized performance. This approach ensures you can fully leverage Lansweeper’s strengths to meet all your cybersecurity needs effectively.

At this time, there are no plans for on-premises Risk Insights.

Lansweeper excels in integrating with a wide range of systems to ensure seamless compliance processes. Its robust integration capabilities include connections with SIEM (Security Information and Event Management) and SOAR (Security Orchestration, Automation, and Response) tools, which enhance security monitoring and incident response. Additionally, Lansweeper integrates with ITSM (IT Service Management) systems and CMDB (Configuration Management Database) solutions, streamlining asset management and incident tracking. These integrations facilitate a cohesive approach to compliance by ensuring that all security and IT management processes are interconnected and automated. This unified system helps organizations efficiently manage compliance with regulatory requirements, like NIS2, by leveraging comprehensive data from various security and management platforms.

Several organizations have successfully used Lansweeper to enhance their compliance and IT management capabilities. Here are a few notable examples:

1. Radisson Hotel Group: Radisson implemented Lansweeper Cloud to consolidate IT asset data across all its properties, which led to significant time and cost savings and provided unprecedented insights that optimized IT spend and performance across the enterprise. The comprehensive visibility into their IT assets ensured compliance with various regulatory requirements, enhancing overall cybersecurity and operational efficiency.
2. Fagus-GreCon: In the manufacturing sector, Fagus-GreCon integrated Lansweeper with TOPdesk to optimize security and IT efficiency. This integration allowed them to maintain an accurate and up-to-date IT asset inventory, crucial for meeting compliance standards and improving their overall IT governance.
3. University of York: The University of York used Lansweeper to save approximately £300,000 annually in IT spending. By improving IT procurement, management, and security, the university ensured compliance with regulatory frameworks and significantly enhanced its IT operations.
4. Bekaert: Bekaert, a leading global company, leveraged Lansweeper to improve cybersecurity and reduce costs by maintaining accurate asset data. This helped them ensure compliance with industry standards and regulations, while also streamlining their IT management processes. 

Lansweeper’s powerful reporting engine can capture and report on every single collected datapoint. This flexibility means that regardless of the specific compliance details required by NIS2, Lansweeper can generate the necessary reports. Whether it’s detailed hardware inventories, software compliance, network vulnerabilities, or incident tracking, Lansweeper’s customizable reports ensure that all aspects of NIS2 compliance are covered.

To generate a customized NIS2 report, follow these steps:

1. Access the Reporting Module: Log into your Lansweeper dashboard and navigate to the “Reports” section. This is where you can create, customize, and manage all your reports.
2. Select or Create a Report Template: Lansweeper offers a variety of pre-built report templates that can be customized to meet specific compliance needs. Choose a relevant template or start a new report from scratch.
3. Customize Data Points: Utilize Lansweeper’s capability to report on every single collected datapoint. This includes hardware and software inventories, network configurations, user access logs, and more. Customize your report to include the specific data points required by NIS2, such as every single hardware, software, user and configuration data point is available.

1. Apply Filters and Criteria: Apply filters and criteria to focus the report on specific assets, time frames, or compliance metrics. This ensures that the report is tailored to the NIS2 requirements pertinent to your organization.
2. Save and Run: Once customized, simply click “Run Report.” Lansweeper will compile the data and present it in a comprehensive format.
3. Review and Export: Review the generated report for accuracy and completeness. You can export the report in various formats (PDF, CSV, Excel) for further analysis or to share with stakeholders and regulatory bodies.
4. Schedule Regular Reports: To maintain ongoing compliance, schedule regular reports. Lansweeper allows you to automate the generation of reports at defined intervals, ensuring you always have up-to-date compliance documentation.

Lansweeper on-premises offers comprehensive audit trails and logs essential for maintaining security and compliance:

• Asset Changes: Logs all changes to hardware and software assets, including installations, removals, and modifications, providing a detailed history of asset management.
• User Activity: Tracks user logins and administrative actions within Lansweeper, such as configuration changes and report generation.

Through Lansweeper integrations with SIEM/SOAR systems, logs and events are enriched to provide crucial context for more comprehensive threat detection and SOAR automations can be improved by detailed asset data.. 

Lansweeper provides complete visibility into your entire IT estate, helping you spot anomalies, misconfigurations, active vulnerabilities and more, so you can quickly identify and classify incidents and potential threats. Through integrations with SIEM/SOAR and ITSM systems, Lansweeper makes it easy to set up procedures for reporting incidents, including who to contact and how to escalate issues, as well.

With Lansweeper detailed discovery, teams can identify potential weak spots like missing antivirus software, lack of encryption, unauthorized local admins, and outdated certificates and software. This data is crucial for isolating affected systems and preserving evidence during an incident, making containment and mitigation much more effective.

Communication is key in any incident response, and Lansweeper supports you in setting up clear protocols for notifying stakeholders, including management, legal teams, regulatory authorities, and affected parties. Its robust reporting features ensure that all the necessary information is communicated clearly and promptly. After an incident, Lansweeper’s detailed logs and reports help you analyze what happened, learn from it, and improve your processes. 

As the saying goes, “You can’t protect what you don’t know.” Lansweeper’s discovery and risk insights are vital for thorough risk analysis and enhancing your information system security. By identifying vulnerabilities and keeping your systems updated, Lansweeper ensures you’re ready to tackle any incident head-on, protecting your assets and maintaining smooth operations.

Read our blog for A Deep Dive Into Incident Handling with Lansweeper. 

Lansweeper supports business continuity by: 

• Creating an inventory of backup agents and versions to ensure backup services are always up to date. 

• Monitoring disaster recovery systems to ensure they are enabled and operational. 

• Providing insights into the state of backups to guarantee data availability in case of an incident. 

 For more information, read our blog post: Business Continuity, or How to Prepare for the Worst Case Scenario. 

Lansweeper promotes cybersecurity training and basic cyber hygiene by monitoring the usage of data encryption and antivirus installations, ensuring that all software and systems are up-to-date and properly configured. It identifies administrative privileges, helping to prevent potential security breaches. 

For more information about keeping your network clean, check out our Cyber Hygiene Checklist.

Lansweeper enhances access control and asset management by discovering all IT assets and Active Directory users and groups, providing a comprehensive inventory of the organization’s digital resources. This detailed visibility allows for the implementation and enforcement of proper access control policies, ensuring that only authorized individuals have access to sensitive information and systems. 

Lansweeper manages and tracks all assets, helping to prevent unauthorized access and maintain security compliance. By keeping an accurate record of all assets and their associated users, Lansweeper supports robust security measures and helps organizations meet regulatory requirements. 

Learn more about access control by reading our blog, A Guide to Access Control.

Lansweeper helps manage cryptography and encryption by monitoring the usage of data encryption technologies, such as BitLocker, to ensure that encryption policies are enforced across all devices and systems. It provides visibility into the state of encryption on all network assets, ensuring that all sensitive data remains secure and protected. This comprehensive monitoring and enforcement help maintain robust data security and compliance with regulatory requirements.  

For more information, read our guide on Exploring Cryptography, Encryption, and Data Security. 

Lansweeper supports vulnerability management by quickly identifying vulnerabilities in network and information systems, ensuring that potential security risks are promptly addressed. It links risk insights directly to device inventories, allowing for immediate identification and assessment of risks associated with specific assets. Lansweeper also facilitates coordinated vulnerability disclosure processes with third parties, ensuring that all stakeholders are informed and involved in the remediation process. 

Lansweeper provides tools to manage and remediate vulnerabilities effectively, as well. These help organizations to maintain a robust security posture and comply with a range of regulatory requirements. This approach ensures that vulnerabilities are identified and managed efficiently, reducing the risk of security breaches. 

Read our Guide to Risk-Based Vulnerability Management with Lansweeper to learn more.

Lansweeper plays a crucial role in managing cybersecurity risks within smart cities by providing comprehensive Operational Technology (OT) discovery to identify all connected devices within urban infrastructure. Using Lanweeper, city administrators can maintain a complete and accurate inventory of all digital assets, including those in critical areas such as transportation networks, water supply systems, waste disposal facilities, and building lighting and heating systems. 

By maintaining a detailed overview of these systems, Lansweeper helps to identify potential vulnerabilities and outdated firmware that could be exploited in cyberattacks, allowing for proactive mitigation measures to be implemented.

Lansweeper offers detailed insights into the state of digital utilities, as well, helping city administrators understand the current security posture of their infrastructure. This information is vital for developing and enforcing robust cybersecurity policies for protecting smart city systems from large-scale cyber threats. 

By supporting the creation of these policies, Lansweeper ensures that smart cities can defend against potential cyberattacks that could cause significant disruption and harm. 

Learn more by reading Artificial Intelligence: The Future of Cybersecurity.

It is crucial to recognize that while NIS2 sets a baseline for cybersecurity across the EU, each member state has the authority to implement additional requirements. Therefore, organizations should use self-assessment tools developed for their specific country to ensure they meet all local and EU regulatory standards. Tools like the Cyfun assessment in Belgium and the NIS-2 NL tool in the Netherlands are tailored to these unique national requirements, providing a more accurate compliance assessment. 

In addition to these, other EU countries are developing or have developed their own self-assessment tools to aid businesses in achieving NIS2 compliance, such as Germany’s readiness assessment tools and broader compliance frameworks discussed by KPMG and PwC.

Using these tools ensures that organizations can effectively gauge their compliance status, identify gaps, and take necessary actions to meet the stringent requirements of NIS2, ultimately enhancing their cybersecurity posture and regulatory adherence.

For more detailed information, you can visit the respective resources on the ENISA and KPMG websites, as well as other national cybersecurity authority sites.

• Community forums and resources: https://community.lansweeper.com/
• Knowledge base and documentation: https://community.lansweeper.com/t5/knowledge-base/ct-p/KB_Main
• Contact support: https://www.lansweeper.com/contact/contact-support/