NIS2 Cybersecurity Policies

The following is a personal summary and translation of the required cybersecurity policies in article 21 of NIS2 - Directive (EU) 2022/2555.

The following policies are a minimum requirement for entities subject to NIS2.

Required Policies

• Risk analysis and information system security.
• Incident handling.
• Business continuity, such as backup management and disaster recovery, and crisis management.
• Supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers.
• Security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure.
• Policies and procedures to assess the effectiveness of cybersecurity risk-management measures.
• Basic cyber hygiene practices and cybersecurity training.
• Policies and procedures regarding the use of cryptography and, where appropriate, encryption.
• Human resources security, access control policies and asset management.
• The use of multi-factor authentication or continuous authentication solutions, secured voice, video and text communications and secured emergency communication systems within the entity, where appropriate.

References

• NIS2 - Cybersecurity Policies - Directive (EU) 2022/2555

Similar posts

• Information Governance
• Enterprise governance and risk management
• NIS2 Reporting Obligations
• Study Notes: CCSK Identity, Entitlement, and Access Management
• Study Notes: CISSP Security Concepts