Training programme: NIS 2 Lead Implementer

Day 1 – morning: introduction and regulatory framework

Definition of NIS 2

• Aim of the NIS 2 Directive
• Why NIS 2 after NIS 1, what differences?
• Transition from services concerned to entities concerned
• Increase in the number of sectors concerned
• End of the principle of State designation
• Tougher sanctions
• Default perimeter
• Principle of self-assessment

Entry into force mechanism for NIS 2

• Position of NIS 2 within the European legislative landscape concerning information security (DORA, REC, RGPD, EIDAS, IA, CRA, DSA, DMA, etc.)
• Principle of transposition into national law
• Focus on intra-European jurisdiction
• Principle of implementing acts and how they relate to national transpositions

Structure of the directive

• Grounds of the directive
• Definitions and annexes
• Articles for States and associated requirements
• Articles for entities and associated requirements

Day 1 – afternoon: implications of NIS 2 and risks of non-compliance for your information system security

• Governance: approval of risk-management measures and training of management bodies (Art 20)
• Database of domain name registration data (Art 28)
• Notification of incidents to the national authority (Art 23 and Art 30)
• Implementation of technical and organisational measures (known as “risk-management measures”: Art 21)
• Risk assessment
• Principle of presumption of compliance
• Scope of application of the measures
• Reasons behind the 10 measures listed in Art 21

Day 2 – morning: the different possible approaches in terms of compliance upgrade in order to evaluate which is the most appropriate for your organisation.

• The “Good Enough” approach: minimal and pragmatic compliance
• The “Exhaustive” approach for critical measures + “Best Effort” for low-risk aspects: a balanced strategy
• Identification of the appropriate approach for your organisation based on resources and regulatory obligations
• Practical workshop: capacity self-assessment and effort prioritisation

Day 2 – afternoon: development of a conformity upgrade action plan

• Key principles of an effective plan
• Structuring the action plan:
  • Identifying the actions needed to comply with NIS 2 requirements
  • Prioritising actions based on the Risk Assessment
• Advantages of a structured plan: better visibility, reduced risks and compliance with regulatory deadlines.

Day 3 – morning : Gap Analysis

• Gap Analysis outlining:
  • Definition of High-Level Requirements (HLR) and adapting them to Low-Level Requirements (LLR)
  • Assessment of current compliance for each requirement
  • Evidence of compliance documents available
• Why Gap Analysis is useful:
  • Identification of shortcomings (‘gaps’) in existing processes or tools
  • Use of essential information to draw up an action plan

Day 3 – afternoon: ecosystem mapping and stakeholder management

• Mapping of customers of essential services:
  • Identification of their security and compliance expectations
  • Identification of evidence of compliance to provide
• Mapping of third-party contributors:
  • Nature of their contribution and impact on security
  • Definition of actions to put in place internally and actions required of subcontractors

Day 4 – morning: implementation of organisational and technical measures

• Deployment of organisational measures:
  • Establishment of security governance aligned with NIS 2 obligations
  • Structuring of internal risk management and cybersecurity policies
  • Documentation and traceability of actions taken
• Implementation of the technical measures stipulated by Art 21 of the NIS 2 Directive:
  • Infrastructure security and access
  • Security incident detection and handling
  • Constant supervision and incident reporting

Day 4 – afternoon: oversight and compliance monitoring

• Determination of monitoring and oversight indicators:
  • Definition of compliance and cybersecurity performance KPIs
  • Introduction of monitoring dashboards
• Action plan and continuous improvement:
  • Organisation of internal audits and compliance reviews
  • Integration of continuous improvement cycles (Plan – Do – Check – Act)
• Benefits of an Information Security Management System (ISMS):
  • Understanding how an ISMS structures compliance and optimises efforts
  • Connection between NIS 2 and the ISO 27001 standard
  • Transition from ad hoc compliance to a sustainable compliance approach
• Resource management and outsourcing:
  • Choice between insourcing and sub-contracting compliance upgrade actions
  • Choosing service provides that comply with NIS 2 requirements
  • Managing third-party relationships while ensuring continuing oversight

Day 5 – morning: assessment and continuous improvement of compliance upgrade

• Assessment and analysis of the actions put in place: how to measure progress and structure monitoring?
• Compliance monitoring tools: dashboards, reporting, regular updates, etc.
• Assessment of the effectiveness of NIS 2 measures: KPIs, response time, requirement coverage rate
• Audits and controls: internal/external audit plan, assessment methodology
• Evidence of compliance and deviation management: how to justify non-compliance and define a Security Assurance Plan (SAP)?

Day 5 – afternoon: implementation workshop

• Development of a structured action plan and application of the skills learned during the course:
  • Step 1: Case study, identification of NIS 2 obligations and key stakeholder mapping.
  • Step 2: Development of an action plan, action prioritisation, resource allocation, definition of indicators.
  • Step 3: Presentation and feedback, group discussions to optimise strategies.