NIS2 and Third-Party Risk Management

Leverage these best practices to address NIS2 third-party risk management requirements.
By Scott Lang, VP, Product Marketing
December 03, 2024

Recognizing that vulnerabilities within supply chains can compromise the security of essential services, the European Union adopted the Network and Information Security Directive 2 (NIS2) in December 2022. This updated version of the original NIS Directive (adopted in 2016) mandates that organizations implement robust measures to manage and mitigate the risks associated with their third-party relationships. The NIS2 Directive went into effect in October 2024.

This post examines the types of organizations that must comply with NIS2, the penalties for non-compliance, and how to address specific third-party risk management requirements noted in NIS2.

What Type of Organizations Must Comply with NIS2?

The NIS2 Directive applies to a wide range of organizations across the European Union, focusing on entities that provide essential services or are considered important for the economy and society.

Categories of Entities in the EU

NIS2 distinguishes between two types of entities: Essential and Important.

Essential entities are those organizations that provide services critical to public safety, security, or the economy. Examples include companies in the following industries:

  • Energy: Electricity, oil, and gas providers
  • Transportation: Airlines, railways, shipping companies
  • Banking: Credit institutions
  • Health: Hospitals, clinics, and healthcare providers
  • Digital Infrastructure: Data centers, cloud providers, content delivery networks
  • Public Administration: Authorities responsible for key state functions

Essential Entities are subject to stricter requirements under the directive.

Important entities also play a vital role but are not considered as critical as Essential entities. They face less stringent oversight but still must comply with NIS2. Example industries include:

  • Food Production and Distribution
  • Postal and Courier Services
  • Waste Management
  • Chemicals
  • Manufacturing of Critical Products (e.g., pharmaceuticals)

Generally, NIS2 applies to organizations based on specific criteria, such as sector and service (noted above), critical impact, and size. Medium-sized and large entities (defined by the EU as having 50+ employees or €10 million+ turnover) are automatically included. However, small and micro enterprises are not automatically covered, except where their services are highly critical (for example, a small energy provider in a remote area).

Entities Outside the EU

NIS2 can also apply to non-EU companies if they provide services to customers in the EU or operate infrastructure critical to EU member states. Such entities must designate a representative within the EU to ensure compliance with NIS2 obligations.

NIS2 Exemptions

NIS2 does not apply to certain national security functions (e.g., military operations), law enforcement agencies (in some cases), or small and micro-enterprises (unless critical, as mentioned earlier).

How NIS2 Has Evolved from NIS

NIS2 places significant emphasis on the security of supply chains and third-party relationships. Organizations must proactively manage risks introduced by third parties to ensure compliance and maintain the integrity of their services. To this end, NIS2 introduced several updates to its guidelines regarding scope, accountability, and penalties for non-compliance.

Broadened Scope: NIS2 extends its reach to a broader range of sectors and services, meaning more organizations must implement stringent third-party risk management practices.

Increased Accountability: Senior management is held accountable for ensuring compliance with NIS2, including overseeing third-party risk management. This underscores the need for leadership involvement in cybersecurity initiatives.

Potential Penalties: Non-compliance with NIS2 can result in substantial fines and increased regulatory scrutiny, highlighting the importance of adhering to third-party risk management requirements.

Non-Compliance with NIS2

The EU has defined specific areas of non-compliance with NIS2 that could lead to penalties:

  • Failure to Report Incidents: Not reporting cybersecurity incidents within the 24-hour initial window, or not providing the required follow-up within 72 hours.
  • Inadequate Risk Management: Failing to implement proper risk management measures, including third-party risk management.
  • Non-Cooperation with Authorities: Obstructing investigations, refusing audits, or withholding information from regulators.
  • Poor Security Practices: Failure to comply with required technical and organizational cybersecurity measures.

Penalties for NIS2 Non-Compliance

NIS2 introduces significant penalties for organizations that fail to comply with its requirements. The penalties are designed to ensure organizations take cybersecurity seriously, especially in critical and essential sectors.

Types of Penalties

Fines: Non-compliance with NIS2 can result in substantial financial penalties, varying with the severity of the breach and the organization's size. For serious breaches, fines are typically calculated as a percentage of the organization's global annual turnover, up to €10 million or 2% of that turnover, whichever is higher.

Administrative Sanctions: Regulators can impose other sanctions, such as issuing binding instructions to address deficiencies, orders to comply with specific cybersecurity measures, or, in extreme cases, suspending operating licenses.

Authorities consider several factors when determining the penalty, including the nature and gravity of the breach, whether it was intentional or negligent, and whether there have been previous violations. Demonstrated efforts to mitigate risks, such as implementing corrective measures or cooperating with authorities, may reduce penalties.

Notably, NIS2 explicitly holds senior management accountable for ensuring compliance. Lack of oversight or negligence at the executive level can result in personal liability, including potential legal action.

Although each EU member state is responsible for enforcing NIS2 within its jurisdiction, cross-border cooperation between national authorities exists for entities operating in multiple member states, ensuring consistent enforcement.

To avoid penalties, organizations should conduct regular risk assessments, engage their leadership and board, prepare for reporting, and train staff on sound cybersecurity practices.

Best Practices for Key NIS2 Third-Party Risk Management Requirements

The NIS2 Directive includes specific recommendations and requirements for organizations to manage third-party risks effectively.

Establish Supply Chain Security Policies

Organizations are required to establish comprehensive policies that address security-related aspects concerning their relationships with direct suppliers and service providers. This includes assessing the security posture of third parties and ensuring they adhere to appropriate cybersecurity standards. To address this requirement, develop a comprehensive framework for managing third-party risks, addressing:

  • Risk identification and prioritization
  • Periodic security assessments and audits
  • Policies to ensure third-party alignment with your organization's cybersecurity standards

As part of this, provide training and resources to your third parties to help them understand and comply with NIS2 security requirements. Encourage collaboration and knowledge-sharing about emerging threats and best practices.

Conduct Risk Analysis and Assessment

Entities must conduct thorough due diligence and risk analyses to identify potential vulnerabilities third parties introduce. This involves evaluating the criticality of third-party services and their potential impact on the organization's operations. Assess the third party’s cybersecurity posture, compliance with industry standards, and incident response capabilities. Then, classify vendors based on their criticality to operations and potential risk impact.

To simplify the process, look for third-party risk management (TPRM) solutions that automate and streamline assessments and establish a centralized repository for vendor data, including risk ratings, compliance status, and historical assessments.

Ensure Sound Incident Handling and Reporting Procedures

Organizations should have clear procedures for managing incidents that involve third parties. This includes timely detection, response, and reporting of incidents to relevant authorities, ensuring that third-party incidents are handled with the same rigor as internal ones. To address this requirement, establish a unified incident response plan that includes third-party coordination. This should involve:

  • Defined communication channels for reporting incidents
  • Joint investigation and resolution processes
  • Post-incident reviews to improve risk management practices

Consider cyber insurance to manage residual risks in incidents involving third parties and evaluate whether third-party insurance policies adequately cover supply chain risks.

Continuously Monitor and Evaluate Third Parties

Ongoing monitoring of third-party security practices is essential. Organizations should regularly assess the effectiveness of their third-party risk management measures and adapt them as necessary to address evolving threats. To address this requirement, implement ongoing monitoring of third-party activities, including:

  • Regular cybersecurity assessments or penetration testing
  • Real-time monitoring for abnormal behavior
  • Updates to risk assessments based on new threats or changes in the vendor’s operations

Enforce Contractual Obligations

Include clear, enforceable cybersecurity requirements in contracts with third parties. Key elements may include:

  • Compliance clauses: Vendors must adhere to applicable NIS2 security requirements.
  • Incident reporting obligations: Vendors must report cybersecurity incidents promptly.
  • Audit rights: Enable regular audits of third-party security practices.
  • Termination clauses: Allow termination of contracts for non-compliance or poor security performance.

This ensures that third parties are contractually bound to maintain appropriate security measures and report incidents promptly.

By embedding these practices into your organization’s third-party risk management strategy, you can ensure compliance with NIS2 while minimizing the risks posed by external vendors and suppliers.

How Mitratech Can Help Address NIS2 Third-Party Risk Management Requirements

Part of the Mitratech Enterprise Risk Management Platform, the Prevalent TPRM solution automates the assessment, monitoring, and management of third-party risks in concert with your broader cybersecurity and enterprise risk management program. With the Prevalent solution, your team can:

  • Build a world-class third-party risk management program backed by dedicated experts, policies, workflow, and dedicated NIS2 reporting.
  • Centralize third-party contracts’ distribution, discussion, retention, and review to ensure that key requirements are included, agreed upon, and enforced.
  • Gauge inherent risk to inform third-party profiling, tiering, and categorization – and to determine the appropriate scope and frequency of ongoing due diligence activities.
  • Automate the risk assessment and remediation process across every stage of the third-party lifecycle using a large library of more than 750 questionnaire templates tuned to multiple best practices frameworks and built-in remediation guidance.
  • Continuously track and analyze external threats to third parties by monitoring the Internet and dark web for cyber threats and vulnerabilities and incorporating those insights to validate third-party service provider controls.
  • Automate incident response capabilities to mitigate third-party incidents before they impact the business.

For more on how Mitratech can simplify NIS2 third-party risk management compliance, request a demonstration today.

Scott Lang
VP, Product Marketing

Scott Lang has 25 years of experience in security, currently guiding the product marketing strategy for Prevalent’s third-party risk management solutions where he is responsible for product content, launches, messaging and enablement. Prior to joining Prevalent, Scott was senior director of product marketing at privileged access management leader BeyondTrust, and before that director of security solution marketing at Dell, formerly Quest Software.
