
Cybersecurity and compliance with NIS2 and ISO/IEC 27001

Increasing regulatory requirements in cybersecurity, particularly the NIS2 directive and ISO/IEC 27001 standard, present new challenges for critical infrastructure operators and enterprises. Implementing comprehensive data and infrastructure protection measures is key to ensuring business resilience.

The NIS2 directive (Directive (EU) 2022/2555) has applied across the EU since 18 October 2024, the deadline by which member states had to transpose it into national law. It replaces the original NIS directive and extends cybersecurity obligations to a significantly larger number of sectors and entities than its predecessor. Organizations established in the EU that fall within its scope must bring their systems and processes into compliance, and their suppliers and service providers, including those outside the EU, can expect these requirements to be passed down contractually through the directive's supply-chain security obligations. At the same time, the international standard ISO/IEC 27001 remains the fundamental tool for building and maintaining an effective information security management system.

Key NIS2 requirements and their impact on business

The NIS2 directive aims to enhance the overall level of cybersecurity in the EU, covering a wide range of critical sectors such as energy, transport, banking, healthcare, digital infrastructure, waste management, and manufacturing. Key requirements include:

  • Risk Management: Development and implementation of policies on risk analysis and information system security.
  • Incident Response: Procedures for detecting, analyzing, and responding to cyber incidents, along with mandatory reporting of significant incidents to the national CSIRT or competent authority: an early warning within 24 hours of becoming aware of the incident, an incident notification within 72 hours, and a final report within one month.
  • Business Continuity: Backup management, disaster recovery, and crisis management plans.
  • Supply Chain Security: Assessment of the cybersecurity risks arising from relationships with direct suppliers and service providers, including the quality of their own security practices.
  • Encryption and Multi-Factor Authentication: Policies on the use of cryptography and, where appropriate, encryption, plus multi-factor or continuous authentication and secured communications.
  • Training and Awareness: Basic cyber hygiene practices and regular cybersecurity training for personnel, including management.

Non-compliance can lead to significant fines (for essential entities, up to EUR 10 million or 2% of total worldwide annual turnover, whichever is higher; for important entities, up to EUR 7 million or 1.4%), personal accountability for management bodies, and reputational damage, making adherence a priority for many companies.

ISO/IEC 27001: Foundation for building an information security management system

The ISO/IEC 27001 standard defines the requirements for establishing, implementing, maintaining, and continually improving an Information Security Management System (ISMS). Its application allows organizations to systematically manage the confidentiality, integrity, and availability of information. Key aspects include:

  • Risk Assessment: Identification, analysis, and evaluation of information security risks, followed by a documented risk treatment plan.
  • Control Measures: Selection and implementation of controls to treat the identified risks (the 2022 edition's Annex A lists 93 controls grouped into organizational, people, physical, and technological themes, covering areas such as security policies, access control, cryptography, physical security, and network security), with the selection justified in a Statement of Applicability.
  • Continual Improvement: Regular monitoring, internal audit, management review, and updating of the ISMS.
  • Independent Audit: The option of certification by an accredited certification body, confirming conformity with the standard.

Certification according to ISO/IEC 27001 is a strong argument for clients, especially in sectors with high data security requirements, demonstrating a company’s maturity in information security matters.

Aligning NIS2 and ISO/IEC 27001

Although NIS2 is a directive and ISO/IEC 27001 is an international standard, they overlap substantially. An ISMS built in accordance with ISO/IEC 27001 can serve as a robust foundation for meeting NIS2 requirements, and the directive itself encourages the use of European and international standards. Many controls implemented for ISO/IEC 27001 certification directly contribute to fulfilling NIS2 obligations, particularly regarding risk management, incident response, business continuity, and supply chain security. Certification alone does not amount to NIS2 compliance, however: the directive's incident-reporting deadlines, registration with national authorities, and the personal responsibility of management bodies for approving and overseeing risk-management measures have no direct counterpart in the standard and must be addressed separately. An integrated approach helps avoid duplication of effort and optimize the resources needed to achieve compliance with both frameworks.

Expert comment
Mykhailo Vyhovsky, Co-owner, Member of the Supervisory Board, Intecracy Group

Implementing NIS2 and ISO/IEC 27001 is not merely about formal compliance, but a strategic investment in operational resilience. From my experience, success lies in deeply integrating cybersecurity into the overall business strategy, rather than treating it as a standalone IT project, which not only helps avoid penalties but also opens up new markets and partnerships.

Member company solutions and technologies

Intecracy Group members offer comprehensive services and solutions for ensuring cybersecurity and compliance with regulatory requirements:

  • Softline, as a system integrator with extensive experience, provides cybersecurity services, including the development and implementation of comprehensive information protection systems (KSZI) for Ukraine’s public sector. This encompasses vulnerability analysis, security architecture design, and certification process support.
  • SL Global Service specializes in cybersecurity for cloud environments, offering Identity and Access Management (IAM) services, SIEM and DLP system implementation, and data encryption solutions. The team assists clients in migrating infrastructure to the cloud while adhering to high security and compliance standards.
  • IQusion offers IT services and solutions for the public sector, including IT consulting on cybersecurity matters and the implementation of comprehensive information protection systems for government organizations, local self-government, and the defense sector.
  • Softengi, certified according to ISO/IEC 27001, applies these standards in its custom development of enterprise software, AI systems, and IoT solutions, ensuring a high level of data protection throughout the product lifecycle.
  • Nectain, with its HQ in Austin, TX, maintains a SOC 2 Type I control environment and compliance with ISO/IEC 27001 and HIPAA, underscoring its focus on data security in intelligent document processing through its AI-powered Document Management System.

Compliance with NIS2 requirements and the ISO/IEC 27001 standard necessitates a systematic approach and continuous investment in technologies and processes. Integrating these standards into the overall cybersecurity strategy not only helps avoid regulatory risks but also enhances trust with clients and partners, ensuring business resilience in the face of growing cyber threats.