NIS2 Compliance Advice from Luxembourg’s Regulatory Authority

NIS2 Compliance Advice from Luxembourgs Regulatory Authority
Francisco Fonseca
Written by Francisco Fonseca
SVP, National Cybersecurity

NIS2 is a transformative directive reshaping how organizations across Europe and the globe approach cybersecurity, supply chain management, and operational resilience. A lot has been written about compliance strategies, but what does NIS2 mean in practice?

We’ve asked the Institut Luxembourgeois de Régulation (ILR), Luxembourg’s national regulatory authority responsible for overseeing the implementation and enforcement of NIS2 in the country. The Supervisory Authorities answering the questions below are practitioners at the forefront of translating the directive into actionable strategies. If you’re a CISO or GRC leader grappling with supply chain security, reporting obligations, or risk management, this conversation is for you.

Q: What are the main challenges organizations are encountering in the implementation of NIS2?

A: The challenges differ from company to company, depending on the sector and the maturity level or experience in the domain. Some sectors and entities were already in scope by NIS1, and thus NIS2 is mainly just an addition to the work done under NIS1.

For entities impacted by NIS1, securing the supply chain is a challenging task. For new entities, it seems that the main challenge is to know where to start and not being afraid to jump into the topic. NIS2 might sound very complicated, but everyone needs to take it one step at a time. That’s why it’s important for us at the ILR to provide guidance and help them set priorities towards a higher maturity in cybersecurity.
 

Q: In your opinion, which specific NIS2 Security requirement (Article 21) poses the greatest challenge for companies to address, and why?

A: It really depends on the company, and supply chain cybersecurity is a hot topic here. However, what also seems to become challenging is the level of involvement and knowledge needed from the board, including how to train them so that they are able to make the best possible decisions when it comes to cybersecurity.

Q: What recommendations would you offer to companies that are in the process of deploying NIS2? 

A: It’s always good to just get started. To that end, the ILR has published a set of six fundamental measures

Do not wait until a perfect plan and strategy is finalized, because an incident could happen at any time. Identify the crown jewels and see what you can do quickly to improve your security. Setting priorities is crucial, as one cannot work on everything at the same time. 

Right from the start, the ILR has been following a collaborative approach, encouraging information sharing with entities, and also within and among sectors. Only together we are able to increase our level of cybersecurity. 

Informed governance is another key word here. Risk assessments should no longer be an individual effort; they should leverage a common understanding of threat vectors and vulnerabilities, so that decisions regarding treatment plans are consistent across similar scenarios, regardless of who is doing the assessment. A common understanding and wider knowledge of how to evaluate a certain risk needs to be established.

Q: NIS2 introduces the risk assessment of supply chain security as a new area. What do you foresee as the main challenges that companies will face regarding this topic?

A: Entities will have to start negotiations on the level of cybersecurity with their suppliers. This can be a disadvantage for smaller entities that have to do this exercise with large multi-national companies.

Q: From a national authority or regulator perspective, what do you consider to be the most significant changes introduced in NIS2 compared to the original NIS Directive?

A: The removal of the identification process for essential or important entities (entities falling by default under NIS2) and the liability of the management board are the biggest changes in our view.

Beyond Compliance: Strengthening Cyber Resilience with NIS2

Just like the Portuguese National Cybersecurity Centre (CNCS) in their country, the ILR plays a pivotal role in shaping Luxembourg’s compliance strategy, guiding critical and essential entities through the directive’s requirements. As the regulatory body, they ensure that NIS2’s objectives are met, from bolstering supply chain security to strengthening incident reporting and risk management practices

The path to compliance starts with understanding the directive and breaking it into achievable steps. The insights shared in this blog reveal the real-world challenges of compliance and uncover the opportunities for organizations to turn NIS2 from a regulatory obligation into a cornerstone of cyber resilience. To learn more, download our NIS2 Compliance Playbook.

Vendor Risk Analysis - Key Findings Image

See how Bitsight can help address NIS2 requirements around supply chain security. Discover supplier risk insights, supplier critical vulnerabilities, and more.