NIS2’s 10 Core Requirements – And Where to Begin

BifrostConnect Blog

The NIS2 Directive raises the bar for cybersecurity across the EU, replacing NIS1 with stricter, more comprehensive rules. But these aren’t just “legal chores” – they’re proven best practices that reduce downtime, build trust and harden your supply chain. Before diving into detailed compliance, it pays to ask: why start where you do? Because a well-chosen first step creates momentum, shows quick wins and buys credibility for the harder work ahead.

Why Your Starting Point Matters

  • Quick Wins = Stakeholder Buy-In
    Demonstrable improvements (faster incident response, tighter access controls) convince management that security pays off.

  • Risk-Driven Effort
    Focus on areas with the highest threat or impact first (e.g. your customer-facing APIs).

  • Scalable Foundations
    Laying basic governance and tooling early makes it far easier to tackle the remaining requirements.

Where to find help:

  • ENISA’s NIS2 Hub
    ENISA maintains a dedicated NIS2 page with:

    • Explanatory materials (infographics, video)

    • A public “Implementation Guidance” PDF whose Annex I maps out each Member State’s transposition status and frameworks (enisa.europa.eu)

The 10 Core NIS2 Requirements

1. Risk Management & Information Security Policies
Define processes and ownership for identifying, assessing and mitigating your top IT risks.

2. Incident Handling & Reporting
Establish clear detection, escalation and reporting procedures – initial notification within 24 hours, full report within 72 hours.

3. Business Continuity & Crisis Management
Maintain plans to keep critical services running or recover them rapidly after major incidents.

4. Supply-Chain Security & Due Diligence
Evaluate and monitor your vendors’ security posture to ensure they meet your standards.

5. Secure Development & Vulnerability Handling
Integrate security into procurement, development and operations – including regular vulnerability scanning and coordinated disclosure.

6. Evaluation of Controls
Regularly test and verify that your policies and technical measures actually work (pentests, tabletop exercises).

7. Cyber Hygiene & Training
Ongoing staff awareness programs covering phishing, password best practices and your internal security policies.

8. Cryptography & Encryption
Enforce strong encryption for data at rest and in transit; manage keys and certificates through defined lifecycles.

9. Asset Management & Access Control
Keep an up-to-date inventory of hardware and software; implement Role-Based Access Control (RBAC) so everyone has only the rights they need.

10. Multi-Factor Authentication (MFA)
Require at least two independent factors (e.g. password + mobile push or token) to access critical systems.

Where to Start? A 3-Step Kick-Start Guide

1. Governance & Accountability
  • Who? Appoint a CSO/CISO or equivalent.
  • Do? Schedule monthly or quarterly security reviews with senior leadership.

2. Risk-Based Quick Check
  • Identify your “crown-jewel” systems and data flows.
  • Assess their threat exposure and impact in a 1-page risk matrix (High/Low).

3. Light-Touch Core Controls
Implement these five foundational measures first:
  • RBAC + MFA for all critical accounts.
  • Incident SLA: 24 h initial notification, 72 h full report.
  • Encryption: data at rest & in transit.
  • Logging: central log collection, basic SIEM alerts.
  • Annual Risk Review including top-tier vendor due diligence.

Once these are in place, you’ll have both the momentum and the little “proof points” you need to tackle the remaining controls systematically.

NIS2 compliance isn’t a paperwork marathon – it’s a structured path to stronger resilience, clearer governance and a competitive edge.
