Enterprise Risk Management and NIS-2: A New Era of Cyber Resilience

Martin Průcha, 17. 09. 2024


NIS-2 delivers new rules on cybersecurity in companies. To comply with the key “protection against cyber attack” requirements of the NIS2 Directive, a revision of ERM systems may be needed – or, as The Institute of Risk & Risk Management defines it, “an integrated and joined up approach to managing risk across an organisation and its extended networks.”

Several of the areas of NIS-2 overlap with functionalities of enterprise risk management systems, for example:

  • Identity management and authentication – IAM ensures that only authorized users can access sensitive systems and data. The NIS-2 directive, with its emphasis on managing supply chain risks, requires organizations to secure not only their internal systems but also external stakeholders (vendors, contractors), which increases the importance of robust Identity and Access Management (IAM) solutions.
  • Access permission control – Implementing access control concepts such as single sign-on (SSO) or role-based access control (RBAC) is vital to address supply chain integrations.
  • Reporting and auditing – NIS2 requires the implementation of new methods for reporting and auditing, which are part of IAM solutions. With the emphasis of NIS 2 on supply-chain security, organizations must control more identities than just their own.

It is clear that managing risk is more critical than ever for organizations across all sectors – though it still raises the question of how one should go about it.

Gap analysis might clear up complexity

By integrating NIS-2 into an existing ERM framework, organizations can ensure they are meeting the directive’s mandates while also considering cybersecurity risks in the context of their overall risk portfolio. EY recommends that entities conduct a gap analysis to identify areas where their existing controls may fall short of the directive’s requirements. Aon provides a case study of a manufacturing company that used a gap analysis to interpret and implement the controls required by NIS-2 as part of its ERM program. 

While the integration of ERM and NIS-2 holds great promise, it is not without its challenges. Organizations will need to navigate issues such as allocating adequate resources, obtaining the necessary expertise, and managing the regulatory complexity of the directive (White & Case). 

NIS-2 as an opportunity to leverage ERM systems

Despite these hurdles, experts see NIS-2 as an opportunity to strengthen cybersecurity and resilience across the EU. SANS notes that the directive’s requirements around breach reporting and incident response can drive organizations to enhance their security practices.

In conclusion, the intersection of ERM and NIS-2 represents a new era in risk management and cybersecurity. As Deloitte notes, NIS-2’s focus on strengthening security postures to address emerging threats could lead to a significant impact on risk management practices in the years to come.


Author: Oldřich Příklenk

Picture: chatgpt.com
