Meeting NIS2 Compliance with Cyver Core
NIS2, the Network and Information System Security Directive 2, is an EU directive designed to help so-called important companies assess and improve their IT security. Risk and vulnerability management are the key issues, with reporting requirements, management held personally liable for breaches, and stricter penalties for firms that fail to comply. It also affects nearly 100,000 EU companies that are not currently compliant, which means implementing a cybersecurity program becomes more important than ever.
Managing that cybersecurity program to ensure compliance means organizing cybersecurity requirements, taking a risk-based approach to cybersecurity, and implementing your plan.
Chances are you’re aware of that; you may even have written up the nearly 30 new documents you need for NIS2 compliance.
What you may not have is a way to track and manage cybersecurity activities across teams, so that vulnerabilities and risks are handled as they are disclosed.
With a pentest management platform like Cyver Core, you can implement your cybersecurity program to stay compliant with EU regulation and directives like NIS2 and DORA with central pentest management, oversight of vulnerabilities, and oversight of remediation.
What Are NIS2 Cybersecurity Requirements?
NIS2 is an EU directive, which means that every member state (country) establishes its own guidelines for applying it.
NIS2 requires organizations to implement better penetration testing and risk-based vulnerability management, as well as automated penetration testing and vulnerability scanning. Under Article 20, organizations that must be NIS2 compliant must:
- Have approved cybersecurity measures that are implemented across the company
- Oversee that implementation
- Accept that management can be held liable if cybersecurity is not implemented properly
You can check Articles 32 and 33 for further reference on how liability works.
In addition, under NIS2, cybersecurity has to incorporate technical, operational, and organizational measures. That means implementing policies, creating processes, and using technology for cybersecurity.
A Risk-Based Approach to Cybersecurity
The second requirement for NIS2 cybersecurity compliance is taking a risk-based approach to cybersecurity. That means having policies in place to measure and mitigate risks, to handle vulnerabilities, and to disclose them.
For cybersecurity, that specifically includes:
- Policies on risk analysis and information systems security
- Incident handling
- Security in the acquisition, development, and maintenance of network and information systems, including vulnerability handling and disclosure
- Cyber hygiene practices/cybersecurity training
Meeting NIS2 Compliance with Cyver Core
Cyver Core is a pentest management platform delivering a streamlined dashboard where you can manage and schedule cybersecurity activities.
- Onboard teams and stakeholders with access control in place
- Schedule pentests and scans with a clear calendar across all assets
- Add and manage assets including associated risks and vulnerabilities
- Manage vulnerabilities, each linked to an asset and scored for criticality, with status, time-to-fix data, and remediation all tracked
- Dashboards showing time-to-fix data, criticality data, vulnerabilities across assets, and more
- Easy report generation, both for compliance purposes and for showing stakeholders and managers exactly the information they need to know
- Integration with tools, so scans and vulnerability data import into the platform with minimal manual work so your cybersecurity team saves time
- Raise security incidents to pentest teams so compliance and IT officers can request testing for specific issues
Essentially, you move pentesting and vulnerability scanning into the same place as your vulnerability management, can immediately alert stakeholders like developers or compliance officers when a vulnerability is flagged, and can track remediation and risk management across your environment.
Depending on your organization, you may also have to pentest and track vulnerabilities specific to each vendor or supplier. You can track that in Cyver Core as well, by adding that supplier’s assets into the platform and running a test on them. All vulnerabilities found will be logged in the platform and linked to that asset, making it easy to track and demonstrate compliance.
If you’d like to know more about how you can use Cyver Core to manage NIS2 compliance for pentesting and cybersecurity, book a demo; we’re happy to help.