NIS2 Requirements: 10 Ideas in Which Asset Management And ITSM Can Help

Celeste Mottesi May 17, 2024

NIS2 requirements range from Risk Management measures to business continuity insurance – and they must be effectively implemented by October 17, 2024, to avoid penalties. Since this is a cybersecurity framework, IT Asset Management (ITAM) can greatly help implement it.

In a nutshell, ITAM software covers most of the NIS2 obligations since it provides full visibility of your organization’s assets and their relationships, and allows you to configure security alerts so you can act upon vulnerabilities faster and more efficiently.

Plus, if you connect it to your service desk or IT Service Management (ITSM) solution, its value expands even more. For instance, you could build workflows and create an incident category to report security breaches specifically.

If this caught your attention, keep reading to discover how these solutions can help you out!

The EU NIS2 directive, in a nutshell

The NIS2 framework was adopted by the European Union in 2023 to strengthen cybersecurity resilience across the region.

The final deadline to implement the regulation is October 17, 2024, and the penalties for non-compliance include non-monetary remedies, administrative fines, and criminal sanctions.

Even though the EU directive points specifically to sectors such as transport, energy, healthcare, and banking, its ultimate goal is to ensure a high transversal level of network and information security.

NIS2 and Asset Management

One of the main differences from the original Network and Information Security (NIS) regulation is that NIS2 encourages a proactive approach to incident reporting and Risk Management.

So, the fact that this is a proactive cybersecurity regulation goes hand in hand with what IT Asset Management can do for your organization.

At its core, ITAM helps organizations to:

  • Build and maintain an updated software and hardware inventory.
  • Map CI relationships to ensure business continuity.
  • Manage assets throughout their lifecycle, from acquisition to disposal.
  • Monitor IT asset configurations to verify adherence to the security standard.
  • Set out alerts and automation to make Risk Management easier.
  • Report and monitor performance continually.

As you can see, these areas are crucial to NIS2 compliance. And since you might already have an ITAM strategy implemented in your company, it only makes sense to leverage it towards the EU framework implementation.

NIS2 and Service Management

But that’s not all. We’ve gone over the benefits of combining ITSM and ITAM before; in the case of NIS2, the combination is highly recommended.

Connecting your ITAM solution to your help desk expands its capabilities and allows you to:

  • Create workflows that automate parts of your NIS2 needs.
  • Build a specific service category to report security incidents that collects all the data you need right at the submission point.
  • Unify reporting capabilities to mix and match incidents with assets.

Even though ITAM is the most relevant practice to take advantage of here, ITSM elevates your NIS2 implementation by adding automation and simplifying processes.

NIS2 requirements – and how to address them with ITAM and ITSM

Now it’s time to examine the cybersecurity framework’s requirements and how ITAM and ITSM can address them.

Risk Management

The first NIS2 requirement is Risk Management. According to the official site, organizations “must take measures to minimize cyber risks,” including Incident Management, stronger supply chain security, enhanced network security, better access control, and encryption.

How ITAM and ITSM can help

  • ITAM provides you with a CMDB that maps your entire IT infrastructure, meaning you will know how your IT assets are connected and how secure your network is.

  • It also lets you track the assets’ configuration so you can ensure they adhere to security standards and policies mandated by NIS2. This includes monitoring configurations for vulnerabilities and ensuring that security controls are properly implemented.

  • In addition, it supports risk assessment activities by providing data on the security posture of IT assets and identifying potential risks to the organization's network and information systems. This information enables proactive risk mitigation strategies aligned with NIS2 requirements.

  • Furthermore, it helps you detect unauthorized software installations and act on them, or flag outdated software and deploy patches to reduce exposure to known exploits.

  • On the ITSM side, you can build a service category within your self-service portal so employees can report a security breach or incident (either digital or physical). With this customization, you can collect all the information you need to address the problem right at the ticket creation stage (including pictures or screenshots).

  • Lastly, since all the assets assigned to the person who creates the ticket are attached to the request, you can detect any patterns and proactively contact other users who might have the same issue but haven’t realized it yet.
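The inventory checks described in this list (unauthorized software, outdated software, spotting other users with the same issue) and the CMDB impact lookup mentioned under Reporting obligations below, as an added, self-contained example that is not InvGate's code. The inventory, the approved-software list, and the minimum-version baseline are all constructed sample data.

```python
from dataclasses import dataclass, field

# Constructed policy baseline (assumed, not from a real CMDB).
ALLOWED = {"browser", "office-suite", "vpn-client"}          # approved software
MIN_VERSION = {"browser": (124, 0), "vpn-client": (5, 2)}    # minimum acceptable versions

@dataclass
class Asset:
    name: str
    owner: str
    software: dict                                  # installed software -> version tuple
    depends_on: list = field(default_factory=list)  # CI relationships (upstream CIs)

# Constructed sample inventory.
INVENTORY = [
    Asset("db-01", "ops", {"vpn-client": (5, 0)}),
    Asset("app-01", "ops", {"vpn-client": (5, 3)}, ["db-01"]),
    Asset("laptop-alice", "alice", {"browser": (123, 5), "p2p-share": (1, 0)}, ["app-01"]),
    Asset("laptop-bob", "bob", {"browser": (123, 9), "office-suite": (16, 0)}, ["app-01"]),
]

def unauthorized_software(asset):
    """Installed software that is not on the approved list."""
    return sorted(s for s in asset.software if s not in ALLOWED)

def outdated_software(asset):
    """Software installed below the minimum version the baseline requires."""
    return sorted(s for s, v in asset.software.items()
                  if s in MIN_VERSION and v < MIN_VERSION[s])

def impacted_assets(inventory, incident_ci):
    """Every CI that directly or transitively depends on the CI hit by an incident."""
    dependents = {a.name: [b.name for b in inventory if a.name in b.depends_on]
                  for a in inventory}
    seen, todo = set(), [incident_ci]
    while todo:
        for d in dependents.get(todo.pop(), []):
            if d not in seen:
                seen.add(d)
                todo.append(d)
    return sorted(seen)

def owners_to_notify(inventory, software):
    """Owners of every asset still running an outdated copy of `software`."""
    return sorted({a.owner for a in inventory if software in outdated_software(a)})

def compliance_report(inventory):
    """Per-asset summary of findings, the kind of data a risk assessment would consume."""
    return {a.name: {"unauthorized": unauthorized_software(a),
                     "outdated": outdated_software(a)} for a in inventory}
```

The report output can feed a dashboard or a ticket template, and `owners_to_notify` gives the contact list for the proactive outreach the last bullet describes.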

Corporate accountability

As per the second NIS2 requirement, corporate management has to “oversee, approve, and be trained on the entity's cybersecurity measures and to address cyber risks.”

How ITSM can help

  • In addition to generating a security incident category to simplify notification, the knowledge base is a great way to train corporate management. You can add NIS2-related content and cybersecurity standard procedures to your internal knowledge base so that your employees and managers can refer to this information as many times as they need.

  • You can also add approval steps to any security-related service desk workflow to enforce and track validations in adherence to the NIS2 directive.

Reporting obligations

Next, organizations “must have processes in place for prompt reporting of security incidents with significant impact on their service provision or recipients.”

How ITAM and ITSM can help

  • You can leverage service desk SOPs to design standard workflows to address security incident reports.

  • In addition, your CMDB shows every asset and business area affected by a given security incident. This way, you can adjust and notify accordingly to ensure business continuity.

Business continuity

Lastly, companies must create a plan to ensure business continuity in case of major cyber incidents that covers system recovery actions, emergency procedures, and the existence of a crisis response team.

How ITAM and ITSM can help

All the ideas shared above contribute to maintaining business continuity. Your ITSM and ITAM solutions should display your cybersecurity standard operating procedures, so that they can be easily found as soon as an incident occurs.

They can be attached to your asset profiles, published as knowledge base articles, or even automated into help desk workflows.

Extra measures

The NIS2 framework lists ten baseline security measures, including risk assessments, vulnerability policies, and policies for data access. Here are some additional ideas to use ITAM and ITSM software to address these:

  • Perform routine internal audits to ensure your IT infrastructure is secure and compliant.
  • Build dashboards to constantly monitor your IT infrastructure performance and spot any irregularities as soon as they happen – they are also a great way to demonstrate your organization’s adherence to regulations.
  • Segment user privileges to ensure no unauthorized personnel access sensitive information.

To sum up

NIS2 requirements encompass a wide range of areas, and it’s almost impossible to address all of them manually. Enter ITAM and ITSM. These practices can help you oversee a considerable part of them.

The core of the EU cybersecurity directive is to be more proactive about security measures. Proactiveness is part of the essence of ITSM and ITAM. With them, you don’t need to wait until something goes wrong; you can have systems in place to help you detect problems before they arise.
