The NIS 2 directive promotes a risk-based approach to cybersecurity. Rather than imposing a fixed list of technical controls, it requires companies to assess their risks and implement appropriate security measures to reduce them (NIS2 Requirements | 10 Minimum Measures to Address). This offers a degree of flexibility (each entity adapts to its own situation), but also sets a minimum baseline of best practices that everyone must respect. In short, NIS 2 defines what needs to be achieved, not necessarily how: it is up to the organization to identify and deploy the right solutions to secure its systems. This philosophy calls for a genuine risk management culture within IT departments.
Security measures: where do companies stand?
Before NIS 2, many companies (outside the already regulated sectors) had no clear reference framework for the security measures they needed to implement. As a result, the level of protection varied enormously from one company to another, even among companies of the same size. Some were at the cutting edge (24/7 SOC, Zero Trust, systematic encryption), while others lagged far behind (simple passwords, no network segmentation, etc.). For example, 40% of companies have not yet deployed a Zero Trust architecture or advanced segmentation ([Infographic] NIS2 : les entreprises entre confiance et défis), and 80% have no tested DRP, as seen previously (Resilience: 80% of companies have no real DRP!). Similarly, whole areas of security are sometimes neglected: control of system administration rights, review of access logs, protection of data outside the information system (printouts, IoT devices, etc.).
NIS 2 has therefore listed ten security areas that must be addressed as a minimum (NIS2 Requirements | 10 Minimum Measures to Address). These areas include:
- Carrying out regular risk analyses and establishing security policies for information systems.
- Mechanisms to assess the effectiveness of security measures in place (review, audit, tests).
- Appropriate use of cryptography, including encryption of sensitive data and communications.
- Implementation of an incident management plan (see previous article).
- Security in the acquisition, development and maintenance of systems: security taken into account from the design stage, and vulnerability management (updates, patches).
- Employee training and awareness of cybersecurity and good computer hygiene practices.
- Robust access control measures, especially for staff with access to critical data or systems (principle of least privilege, account review, etc.), as well as asset mapping to know precisely what needs to be protected(NIS2 Requirements | 10 Minimum Measures to Address).
- A business continuity plan that includes regular, tested backups, and ensures that essential functions are maintained/resumed in the event of an incident(NIS2 Requirements | 10 Minimum Measures to Address).
- Use of multi-factor authentication and other advanced security mechanisms (continuous authentication, voice/video encryption, secure emergency communications) where appropriate (NIS2 Requirements | 10 Minimum Measures to Address).
- Supply chain security (see article 3).
This list largely overlaps with classic cybersecurity best practices, as codified in standards such as ISO 27002 or the NIST Cybersecurity Framework. In other words, NIS 2 institutionalizes these practices: what was recommended becomes, in a way, mandatory.
For CIOs, the challenge is to check that all these families of measures are properly covered within the company, and to identify any gaps that need filling. Many organizations have weaknesses in certain areas. For example, it’s not enough to have a paper security policy: it has to be implemented and monitored. Similarly, you can have sophisticated detection tools, but if no one looks at the alerts at weekends, their effectiveness is limited.
A frequent difficulty is the lack of resources (human, financial) to do everything at once. Hence the importance of a risk-based approach: directing resources where the identified risks are most critical. NIS 2 insists on this point: measures must be "proportionate to the risks". This means being able to assess the level of risk on each perimeter, that is, what presents the greatest danger to the company (a production stoppage? a leak of customer data? financial fraud?), in order to apply the necessary risk-reduction measures there first.
Priorities and best practices for strengthening security
In light of NIS 2, here are the priority actions that CIOs/CISOs should consider to improve their security posture in a comprehensive and sustainable way:
- Formalize a risk management program: If you have not already done so, institute a regular cyber risk analysis process. Identify your major threat scenarios, assess their impact and likelihood, and determine the treatment (reduction, transfer, acceptance) for each. Keep an up-to-date risk register, presented periodically to the risk committee. This process must involve the business lines in order to assess the business impact properly. It will serve as a compass for directing your security efforts where they bring the greatest risk reduction.
- Raise the level of basic controls: Make sure that the fundamentals of security are in place throughout the company. For example: all sensitive accounts have two-factor authentication; all machines are covered by antivirus/EDR with automatic updates; sensitive data is encrypted at rest and in transit; critical backups are made daily and stored off-site; a patch management system applies security patches in a timely manner (within days for critical flaws). This cyber-hygiene must be virtually automated to guarantee consistency.
- Fill in the gaps in policies and procedures: Review all your security policies. Are they complete, up to date and, above all, enforced? For example, do you have a policy on the use of SaaS software? On remote-working security? If certain topics are not covered, draw them up. Then turn these policies into clear operational procedures. NIS 2 also requires you to assess the effectiveness of the measures (NIS2 Requirements | 10 Minimum Measures to Address), so set up internal controls or regular audits to check that they are actually applied (e.g. a biannual review of effective access rights against the principle of least privilege).
- Invest in architecture modernization: Take advantage of the NIS 2 momentum to modernize your security architecture. For example, migrating to a Zero Trust architecture (systematic verification of every access, network micro-segmentation) may seem ambitious, but it’s an inevitable trend in the medium term to counter the lateral movements of attackers. Similarly, the implementation of privileged access management (PAM) solutions to control administrator accounts, or the deployment of behavioral analysis (UEBA) to detect anomalies, are advanced measures to be considered. Of course, these projects will need to be justified by risk analysis: target first those areas where the current architecture has gaping holes.
- Reinforce resilience and BCP/DRP: An area often overlooked is business continuity in the event of a major incident. As we have seen, 80% of companies do not have a proper DRP (Resilience: 80% of companies have no real DRP!), which is incompatible with NIS 2. It is imperative to build or update your Continuity and Recovery Plans, and above all to test them (many organizations discover during a test that a full restoration would take days, which is too long). Resilience also includes redundancy: identify single points of failure (a single server without backup, dependence on a single critical supplier, etc.) and look for workarounds (technical redundancy, alternative suppliers in the event of a problem, etc.).
- Continuously raise staff awareness: Since people are the first line of defense (or the first weakness), you need to instill a culture of security. Make sure every employee knows the right reflexes (strong passwords, phishing detection, incident reporting). In addition to one-off training courses, create a climate in which security is part of everyday life: poster campaigns, reminders at in-house seminars, unannounced exercises (phishing simulations). Measure the effectiveness of these actions (click rate on simulated phishing emails, reporting rate, etc.) and adjust accordingly. NIS 2 requires training, including for management: leave no one out of the effort, from trainees to the CEO.
- Keep up with developments and adapt: Finally, bear in mind that security is a dynamic field. Threats evolve (new attack techniques, new vulnerabilities like Log4Shell yesterday or something else tomorrow), and so do best practices. Keep abreast of technological and regulatory developments. Participate in industry groups or ANSSI/ENISA events to share feedback. Regularly update your security roadmap to take account of new developments. NIS 2 is not set in stone either: implementing acts will specify certain technical requirements between now and the end of 2024, so be ready to take them into account. In short, make your ISMS (security management system) part of a continuous improvement process.
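The "raise the level of basic controls" item above sets a patch-management expectation (critical flaws fixed within days) but says nothing about how to verify it. The following is an added example, not code from the article or from Smart Global Governance: it turns a constructed vulnerability-scanner export into the "% of patches applied on time" indicator that such a control check needs. The SLA days per severity and the sample findings are assumptions chosen for illustration, not figures from NIS 2.

```python
"""Patch-SLA indicator from a vulnerability scanner export (added example).

Assumptions (not from NIS 2 or the article):
  - SLA_DAYS is an internal policy: days allowed to remediate, by severity.
  - FINDINGS is a constructed scanner export, one row per finding.
  - TODAY is pinned so the computation is reproducible offline.
"""
from datetime import date, timedelta

SLA_DAYS = {"critical": 3, "high": 14, "medium": 30, "low": 90}

# Constructed sample data: (finding id, host, severity, detected on, remediated on or None)
FINDINGS = [
    ("V-1", "web01", "critical", date(2024, 5, 1), date(2024, 5, 3)),    # fixed within 3 days
    ("V-2", "web02", "critical", date(2024, 5, 1), date(2024, 5, 10)),   # fixed, but late
    ("V-3", "db01", "high", date(2024, 4, 20), None),                    # still open, past due
    ("V-4", "app01", "high", date(2024, 5, 10), date(2024, 5, 20)),      # fixed within 14 days
    ("V-5", "app02", "medium", date(2024, 5, 25), None),                 # open, SLA not yet expired
    ("V-6", "vpn01", "critical", date(2024, 5, 28), None),               # open, SLA not yet expired
]
TODAY = date(2024, 5, 30)


def classify(finding, today=TODAY):
    """Return on_time | late | overdue | pending for one finding.

    on_time/late apply to remediated findings; overdue/pending to open ones,
    depending on whether the SLA deadline has already passed.
    """
    _fid, _host, severity, detected, remediated = finding
    due = detected + timedelta(days=SLA_DAYS[severity])
    if remediated is not None:
        return "on_time" if remediated <= due else "late"
    return "overdue" if today > due else "pending"


def patch_kpi(findings=FINDINGS, today=TODAY):
    """Per severity: counts by status and the share remediated within SLA.

    Design choice: the denominator is closed findings plus open findings
    already past due. Open findings still inside their SLA window are
    'pending' and excluded, so they neither inflate nor deflate the figure.
    """
    stats = {}
    for finding in findings:
        sev = finding[2]
        row = stats.setdefault(sev, {"on_time": 0, "late": 0, "overdue": 0, "pending": 0})
        row[classify(finding, today)] += 1
    for row in stats.values():
        measured = row["on_time"] + row["late"] + row["overdue"]
        row["pct_on_time"] = round(100.0 * row["on_time"] / measured, 1) if measured else None
    return stats


def overdue_findings(findings=FINDINGS, today=TODAY):
    """Ids of open findings whose SLA deadline has passed: the list to escalate."""
    return sorted(f[0] for f in findings if classify(f, today) == "overdue")


if __name__ == "__main__":
    for sev, row in patch_kpi().items():
        print(f"{sev:9s} on-time {row['pct_on_time']}%  ({row})")
    print("overdue:", overdue_findings())
```

With the constructed data, critical and high both come out at 50% on time and the medium figure is undefined (nothing measurable yet), which is exactly the kind of per-severity view that tells you where the patching process, not just the tooling, is failing. In a real deployment the FINDINGS list would come from the scanner's export or API.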
In short, the risk-based approach advocated by NIS 2 calls on companies to methodically structure their cybersecurity. It’s not a matter of installing a few tools in a hurry and saying “we’ve done the job”, but of building a coherent system where each security measure responds to an identified risk, is managed over time and verified. For many organizations, this means increasing their security management maturity, which can take time. Hence the importance of starting now, not just to comply with the law, but to really reduce the likelihood and impact of future incidents.
Smart Global Governance for an effective risk and compliance approach
The Smart Global Governance platform is specifically designed to support a comprehensive and continuous approach to risk management and security compliance. Thanks to its integrated modules, it enables CIOs/CISOs to centrally manage all security measures, ensuring that no area is left to chance and that everything is aligned with actual risks.
Here’s how Smart Global Governance helps you deploy and monitor the measures required by NIS 2:
- Centralized risk management: Smart Global Governance's Risk Manager module supports your risk analysis process from A to Z. You can document your assets, threats and scenarios, assess impacts and likelihoods via customizable matrices, and obtain a dynamic risk register. Each risk can be linked to security controls/measures within the tool, so you can immediately see which measures mitigate which risks, and where gaps remain. This direct risk -> control traceability is a major asset for prioritizing your efforts in line with NIS 2.
- Library of security controls: The platform offers a library of controls aligned with the main standards (ISO 27002, CIS Controls, etc.) and NIS 2 requirements. You can select the controls relevant to your context, then assess your level of implementation of each. For example, an “MFA authentication for remote access” control may be marked as 80% implemented (if there are still a few applications to be covered), with an associated action plan. At a glance, you can see which best practices are not yet fully in place. This structured view prevents you from forgetting any: it covers all subjects (from network to removable media management to continuity).
- Action plans and compliance monitoring: for each security measure to be deployed, Smart Global Governance lets you create actions assigned to responsible parties with deadlines. For example: “Implement data encryption on server X – responsible: system admin – deadline: 06/30”. The platform tracks these actions and automatically reminds managers of any delays. You can view the list of open, closed and overdue actions at any time. This granular management ensures that reinforcement projects make concrete progress and are not forgotten once the meeting is over.
- Effectiveness evaluation: Smart Global Governance integrates internal audit and continuous monitoring functions. You can schedule periodic assessments of specific controls (e.g. quarterly audits of inactive account management). The tool keeps track of results and non-conformities detected, and monitors their correction. This corresponds to the NIS 2 requirement to assess the effectiveness of measures (NIS2 Requirements | 10 Minimum Measures to Address). In addition, the platform can connect to some of your technical tools (vulnerability scanner, SIEM) to retrieve technical indicators (e.g. % of patches applied on time) which feed into the assessment of controls. This gives you a near real-time view of your actual security level.
- Centralized documentation: everything from policies and procedures to audit reports can be stored and versioned in Smart Global Governance. This facilitates the work of the CISO, who has all the pieces at hand to demonstrate compliance with requirements. For example, if the authority asks for “proof of employee security training”, all you have to do is pull up the awareness campaign report documented in the tool. Centralizing proof of each measure (who was trained, when the last restoration test took place, etc.) protects you in the event of an audit, and saves you a huge amount of time in building compliance files.
- Multi-framework alignment: A key feature of Smart Global Governance is the ability to align multiple frameworks. If you are subject to NIS 2 but also to other standards (e.g. ISO 27001, GDPR for personal data, PCI DSS for payments), the platform avoids having to manage each one separately. Many controls overlap, and the tool maps them across frameworks. For example, the "regular backups" control is required by both NIS 2 and ISO 27001: you document it once, and it covers both. According to our observations, this integrated approach reduces the operational complexity of cross-compliance by 50%. You gain in efficiency and overall consistency.
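Both the "formalize a risk management program" action (scenarios scored on impact and likelihood, a treatment per risk, a register) and the Risk Manager description above (each risk linked to controls with an implementation level, gaps visible at a glance) describe the same data model. The following is an added example, not the platform's own code, that builds that model in a few lines: it scores risks, derives a residual score from the linked controls' implementation level, lists the risks still needing attention, and flags controls that no risk justifies. The 4-level scale, the linear residual model, the threshold and the sample register are all assumptions for illustration.

```python
"""Risk register with risk -> control traceability (added example).

Assumptions (not from the article or Smart Global Governance):
  - impact and likelihood are scored 1..4; inherent score = impact x likelihood
  - residual score = inherent x (1 - average implementation level of linked controls)
  - a risk is reported when residual >= threshold, or when it is to be reduced
    but no control is linked at all
"""
from dataclasses import dataclass, field

SCALE = range(1, 5)  # assumed 4-level scale for both impact and likelihood


@dataclass
class Control:
    cid: str
    name: str
    implemented: float  # 0.0..1.0, share of intended scope actually covered (0.8 = 80%)


@dataclass
class Risk:
    rid: str
    scenario: str
    impact: int
    likelihood: int
    treatment: str = "reduce"  # reduce | transfer | accept
    controls: list = field(default_factory=list)  # ids of linked controls

    def inherent(self) -> int:
        if self.impact not in SCALE or self.likelihood not in SCALE:
            raise ValueError(f"{self.rid}: scores must be within {list(SCALE)}")
        return self.impact * self.likelihood


def coverage(risk: Risk, controls: dict) -> float:
    """Average implementation level of the controls linked to the risk (0 if none)."""
    levels = [controls[c].implemented for c in risk.controls]
    return sum(levels) / len(levels) if levels else 0.0


def residual(risk: Risk, controls: dict) -> float:
    return round(risk.inherent() * (1.0 - coverage(risk, controls)), 1)


def gap_report(risks: dict, controls: dict, threshold: int = 6):
    """Risks needing attention, highest residual first, each with the reason."""
    rows = []
    for r in risks.values():
        res, cov = residual(r, controls), coverage(r, controls)
        if r.treatment == "reduce" and not r.controls:
            reason = "no control linked"
        elif r.treatment == "reduce" and cov < 1.0:
            reason = f"controls {cov:.0%} implemented"
        elif r.treatment == "transfer":
            reason = "transferred: verify the contract/insurance actually covers it"
        elif r.treatment == "accept":
            reason = "accepted: needs risk committee sign-off"
        else:
            continue  # reduce, fully implemented controls: nothing to report
        if res >= threshold or reason == "no control linked":
            rows.append((r.rid, res, reason))
    rows.sort(key=lambda row: (-row[1], row[0]))
    return rows


def orphan_controls(risks: dict, controls: dict):
    """Controls no risk points to: measures the register does not justify."""
    used = {c for r in risks.values() for c in r.controls}
    return sorted(c for c in controls if c not in used)


def example_register():
    """Constructed sample register (illustrative, not real data)."""
    controls = {c.cid: c for c in [
        Control("C1", "MFA on remote access", 0.8),
        Control("C2", "Daily off-site backups, restore tested", 1.0),
        Control("C3", "Network micro-segmentation", 0.0),
        Control("C4", "PAM for administrator accounts", 0.5),
        Control("C5", "Security awareness programme", 1.0),
        Control("C6", "Removable media policy", 1.0),
    ]}
    risks = {r.rid: r for r in [
        Risk("R1", "Ransomware halts production", 4, 3, "reduce", ["C2", "C3", "C4"]),
        Risk("R2", "Customer data leak via a compromised VPN account", 3, 3, "reduce", ["C1"]),
        Risk("R3", "Invoice fraud via phishing", 2, 4, "reduce", ["C5"]),
        Risk("R4", "Critical supplier outage", 3, 2, "transfer"),
        Risk("R5", "Loss of a legacy server with no backup", 4, 2, "reduce"),
    ]}
    return risks, controls


if __name__ == "__main__":
    risks, controls = example_register()
    for rid, res, reason in gap_report(risks, controls):
        print(f"{rid}: residual {res:>4}  {reason}  ({risks[rid].scenario})")
    print("controls justified by no risk:", orphan_controls(risks, controls))
```

On the sample register the report lists R5 first (no control linked), then R1 (controls half implemented) and R4 (transferred, to be verified), while R2 and R3 drop out because their controls bring the residual below the threshold; C6 shows up as a control that no risk justifies. Those two outputs are the "loopholes" and the "each measure responds to an identified risk" checks the text describes, obtained mechanically from the register.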
By adopting Smart Global Governance, the company acquires a real nervous system for its cybersecurity. Rather than piecemeal, ad hoc efforts, you’ll be piloting a structured, measurable and adaptable program. The platform helps you stay the course over time – which is essential, because security is not a static state but a continuous journey. You can demonstrate at any time where you stand in terms of risk management, and justify the measures in place in relation to threats. This is exactly the spirit of NIS 2: security that is managed rationally, justified and continuously improved. Smart Global Governance supports you on this path, providing you with the tools to transform obligations into concrete actions, and actions into tangible results in terms of risk reduction.