A comprehensive guide to NIS2 Compliance: Part 3 – Setting the roadmap and demonstrating NIS2 compliance.
João Hellmeister
on 20 January 2025
Tags: EU regulation, Security, security & compliance
In this third and final part of the series, I’ll provide some tips on how to set up your roadmap and effectively demonstrate compliance without overburdening your teams.
If you’re just joining the fun now, in our two previous editions we covered who NIS2 applies to and what requirements it sets out. Be sure to have a look at them if you need any additional context.
How do you set up a roadmap to comply with NIS2?
Now that you know how NIS2 applies to you and have a good understanding of what the requirements look like, it’s time to set up your roadmap for compliance.
Here are our tips on how to get started:
- Perform a gap analysis: Now that you understand the controls that NIS2 prescribes, you should identify the requirements you’re already meeting, which ones you still need to implement and which ones require improvement.
- Define action plans: Write detailed action plans on how you are going to implement or improve processes and controls to meet NIS2 requirements. Don’t overcomplicate it: don’t be afraid to start small and build upon it. For instance, you don’t need to dedicate a lot of time and resources to automation at the first step. Instead, focus on laying down a good foundation of processes and controls, and work on automation later.
- Set up the schedule: From the above you have a list of items to work on, each with a detailed plan. Prioritize them based on complexity, criticality and effort. Identify quick wins (those items that can be easily implemented or improved) and scale up your security posture from there.
- Conduct assurance checks: Once action plans are implemented, conduct an assessment or audit to confirm that controls were correctly implemented and are operating effectively. This can be done either internally (internal audit, compliance teams) or by external assessors (external auditors and consultants).
After you complete your roadmap, you’re ready to start demonstrating your compliance and showcasing it to the world and your stakeholders. Let’s see how to do that.
How do you demonstrate NIS2 cybersecurity compliance in an effective manner?
If you’re in scope for EU NIS2, my bet is that you already maintain numerous control frameworks across your business to ensure compliance across all business lines. You probably have different audits throughout the year (possibly with different auditors as well), which place a heavy burden on compliance and operational teams.
EU NIS2 does not provide for the possibility of self-attestation. You’ll need to get certification or accreditation from an approved certifying body in order to demonstrate your compliance with the Directive.
While this might seem like a routine process that simply involves having (another) audit, the compliance landscape is continuously growing for European businesses and for international companies that want to do business in the European Union market. EU NIS2 adds to the already existing regulations and to the ones to be adopted in the near future, on top of industry certifications already held by companies (e.g. ISO 27001). This adds complexity to the mix and results in many different audits that fulfill similar requirements.
To ease this burden for companies in such a context, the EU and ENISA have started the EU Cybersecurity Certification Scheme on Common Criteria (EUCC), which will provide an EU-wide certification scheme for companies to certify and claim compliance with different regulations, based on the Assurance Level and/or Protection Profile they choose to adhere to.
My advice would be to take advantage of that and get your EUCC certification. The “test once, comply to many” idea is very welcome, since the regulatory environment is becoming increasingly difficult to navigate.
Watch this space though. Scheme candidates will be formalized and more details will be provided by ENISA in the near future.
How can Canonical help you with NIS2 cybersecurity compliance?
Canonical can help you with your compliance needs related to EU NIS2. Our solutions portfolio is designed to deliver trusted open source to all parts of your tech stack, backed by the stability of Long Term Support (LTS). Canonical is also committed to compliance with EU regulations such as NIS2 and the CRA.
Some products that might interest you are:
Ubuntu Pro: Your subscription to security and compliance updates on top of every Ubuntu LTS release. Up to 12 years of coverage for over 36,000 packages, with the option of automated hardening tools and security patching. Couple that with our enterprise-grade Support services and you’ll have peace of mind.
Landscape: Our solution to manage your Ubuntu fleet, be it desktops, servers or devices. Automate security patching, auditing, access management and compliance tasks across your entire Ubuntu estate, leveraging our SaaS or Managed Landscape offerings, or deploy on your own premises (in either well-connected or air-gapped environments). Landscape is available with an Ubuntu Pro subscription.
Ubuntu Core: Your choice for embedded Linux. Ubuntu Core is a minimal, secure and strictly confined operating system powering devices around the world. Leverage only what you need from Ubuntu and reduce your attack surface, making it a perfect choice for devices. You can also manage your Core fleet using Landscape.
Everything LTS: We build distroless Docker images to your spec and provide security maintenance for them, including for upstream components not packaged in Ubuntu. These custom-built containers are supported on other platforms (including RHEL, VMware, and major public cloud Kubernetes offerings) with a 12-year commitment to security patches.
Learn more about simplifying security and compliance with Canonical, and contact us to find out more.
Further resources about EU regulations and Compliance
Thank you for reading! Below you will find more resources on EU regulations and on how to achieve security and compliance using an infrastructure hardening approach.
- Check out our previous posts about NIS2: Read Part I and Part II.
- Get started with our series on the Cyber Resilience Act (CRA).
- Watch a webinar with an introduction to the CRA, or understand its implications for device manufacturers.
- See our Infra Hardening whitepaper to learn more about how to approach hardening.