Security risk management under the new European directive NIS2

The recently published NIS2 security directive devotes a large part of its articles to security risk management, with particular emphasis on third-party risk management.

The NIS2, to be transposed into local national regulations by EU member states by October 2024, establishes that a culture of risk management should be encouraged and developed, including risk assessments and the implementation of cybersecurity risk management measures.

These security measures, implemented by critical or important organizations (*), shall ensure a level of security appropriate to the risks involved and shall include at least the following elements:

  • Security of the supply chain and the entity-supplier relationship.

  • Policies and procedures to assess the effectiveness of cybersecurity risk management.

  • Encryption policies and procedures.

  • Continuity of the organization's activities, from backup management to disaster recovery and crisis management.

  • Information systems security policies and risk analysis.

  • Human resources security, access control and asset management.

  • Security in the acquisition, development and maintenance of networks and information systems.

  • Basic cyber-hygiene practices and mandatory cybersecurity training for senior management.

  • Security incident management.

  • Implementation and use of multi-factor authentication solutions, secure communications and secure systems for emergency communications.

Security audits

The directive also establishes that competent authorities may subject entities to periodic and targeted security audits, or request evidence that cybersecurity policies have been implemented. The results of security audits conducted by a qualified auditor, together with the underlying evidence, will serve as proof of compliance. The costs of these audits will be borne by the audited entity.

(*) To learn more about which entities are considered essential and important, download this document, which provides an in-depth breakdown of the changes introduced by NIS2.

Cybersecurity rating as a compliance tool

Cybersecurity rating offers a solution to three essential aspects:

  • For management bodies, the rating of the services the organization provides evidences their due diligence in controlling and monitoring that the security measures required for proper risk management are actually in place.

  • The organization itself can present the rating to competent authorities as proof that its cybersecurity policies have been implemented and as a way to show the results of audits carried out by a qualified auditor.

  • To manage supply chain risks, by requiring the organizations involved to achieve the appropriate rating level for their own services, thus ensuring they comply with the same cybersecurity policies.
