THE LENS
Digital developments in focus

Sharing is caring – NIS360’s prescription for stronger cyber risk management

As many jurisdictions scramble to transpose the NIS2 directive into national law across the EU, the European Union Agency for Cybersecurity (“ENISA”) recently released the NIS360, a first-of-its-kind assessment giving cyber practitioners the lay of the land on the maturity and criticality of selected NIS2 sectors.

It is, essentially, a report card regarding cyber risk management practices of different sectors of high criticality, or Annex I sectors, designed to help EU member states and national supervisory authorities identify compliance gaps, and re-apportion resources accordingly. 

Who’s doing well and why?

Unsurprisingly, the electricity, telecoms, and banking sectors stand out with “higher level[s] of maturity”. ENISA cites robust regulatory oversight, global investments, and strong public-private partnerships as factors that contribute to their success. The report also emphasises the increased extent of collaboration and information-sharing between organisations in these sectors and national and supra-national regulators, for example through national and EU-level ISACs (Information Sharing and Analysis Centres) and relevant industry associations.

Who needs some more help?

In contrast, other sectors are called out as needing more resources to build and bolster their cyber risk management practices. Specifically, ICT service management, space, public administrations, maritime, health and gas are described as slightly less mature on the cybersecurity scale. Though there are a variety of sector-specific reasons for this, the NIS360 report generally describes the cross-border nature of the sectors, in-sector diversity of operators, and a lack of practical guidance from authorities (whether EU or national), as factors contributing to the challenges that these sectors face with implementing NIS2. 

What can organisations do in the meantime?

Although not directly aimed at essential entities, the NIS360 sketches out what good looks like for sectors of high criticality and provides some early pointers on what regulators may prioritise. 

In the short term, there are some basic steps the report mentions that organisations should take to strengthen their own cybersecurity practices, including:  

  • Compliance with any existing tailored/sector-specific guidance can ensure that companies are meeting existing cybersecurity standards.
  • Cybersecurity training for personnel can help companies gain a deeper understanding of the sector-specific risk landscape, which, the NIS360 report states, generally leads to stronger response systems in case of a cyber attack.
  • Creating company-wide plans and testing them can help increase preparedness for a cyber attack.
  • Keeping on top of patching and updating outdated technology will help organisations mitigate vulnerabilities that could leave them exposed. The recent ICO fine against ICT provider Advanced Computer Software Group (link to blog) also demonstrates that failure to patch can lead to regulatory fines.

The report also discusses collaboration and information-sharing with other organisations, and engaging with regulators, which can facilitate discussions around common threats and solutions. 

In the long term, this focus on engagement and collaboration seems to be the name of the game. Coordinating with other sectoral entities and authorities (both at the national and EU level) will be important. In these conversations, it may be helpful not only to discuss common challenges, threats, and responses, but also to push for substantial cybersecurity guidance and resources to address existing gaps. Ultimately, it seems like working with regulators to ensure an appropriate level of sectoral oversight will be key. 

NIS360 may be ENISA’s new product, but the main takeaway seems to build on an old proverb about going farther by going together. 

Important entities, on the other hand, will have to wait for future iterations of the NIS360 study because its expansion to Annex II sectors is, disappointingly, not planned for the near term.

With many thanks to Aakshi Chaba for her work in preparing this blog post. 
