Functional Mapping of NIS 2 and Microsoft 365


You might have missed it, but something called NIS2 is coming. This EU Directive takes effect on October 17, 2024, and country-specific legislation on the exact implementation will follow later. That does not mean you can postpone implementing the NIS2 requirements.

After an intensive study of the directive, the first thing that stands out is that about 15% of the content relates to IT; the rest concerns organization, behaviour, agreements, approach, control, and reporting obligations. I’m sure I’ve forgotten a few, but after 73 pages it all starts to get a bit dizzying. Since I have an IT background and have worked at Microsoft for 32 years, I wanted to find out what minimum IT functionality you need to comply with NIS2.

As a first step, I put all the articles where IT could play a role, including references to the paragraphs, into an Excel sheet, and then investigated which Microsoft 365 and/or Azure functionality you need to comply with NIS2. Note that implementing Microsoft 365 does not automatically mean you comply with NIS2. The remaining 85%, the non-IT related matters, must also be in order!

The mapping is available in Dutch, English, Italian, French, Norwegian, German, Spanish, Greek and Swedish and I am working on more languages.

Screenshot of the Mapping in French

Do I need to do something with that NIS2 thing?

A frequently asked question, and the answer is a grey area. It is clear which organizations must comply with NIS2; the criteria are in the EU Directive. However, one area is still uncertain: supply chain dependency. If you search the Directive for “supply chain,” you come across it 23 times. So it seems evident that you must do something with it. After all, the weakest link determines the strength of the chain.

A hypothetical example.

The Waterboards in the Netherlands are a critical and strategic organisation and must comply with NIS2. They must ensure that we keep our feet dry and that, for example, Schiphol, which lies at -5.40 meters below sea level, does not get flooded. The pumping stations are responsible for this, and around such a pumping station there are many activities by chain partners, such as the pump supplier. This supplier must, in my conviction, also comply with NIS2.

Do you have a clear picture of this?

The solutions.

Microsoft has a good presentation on the various solutions that can help with the implementation of NIS2. You can download it here. It is still quite a puzzle to figure out from this PowerPoint exactly what is needed. To keep it simple, I have put the most important functional requirements in an overview, with a translation to Microsoft 365 and the required add-ons. With only Microsoft 365 Basic, Standard, Business Premium or Microsoft 365 E3, you cannot realize the technical implementation of NIS2 on all fronts. You will need to expand this with third-party solutions or Microsoft’s add-ons. In some cases, you cannot avoid Microsoft. The table below makes clear what functionality is missing in the different Microsoft 365 suites.

Example of the mapping based on functionality and Microsoft 365 suites.

I did not include Basic and Standard in the comparison because Business Premium is the minimum requirement.

The biggest challenge relates in particular to proactively identifying cyberthreats and responding adequately. This is only possible if you have a SOC, but for many organizations that is not feasible because of the costs and the need for 24/7 monitoring. Therefore, you must outsource these services to a managed SOC service provider.

A lot of work went into the mapping, and therefore I ask a small fee for access to it: 5 euro for individuals and 25 euro for company-wide use.

Order

Hans van der Meer

www.peoplecentric.nl

The SOC is indeed a big issue for smaller organisations and can only be fixed by using a specialized SOC like AXS Guard Observe & Protect, in contrast to the multi-purpose SOC that most SOCs are today...

Dan Verbruggen

Sales & Marketing Director at AXS Guard - 100% Belgian Cybersecurity with a top-notch service. Contact me to learn more how we can also help your company....

1w

"The biggest challenge is particularly related to proactively identifying cyberthreats and responding adequately. This is only possible if you have a SOC, but this is not feasible for many organizations due to the costs and the need for 7/24 monitoring. Therefore, you must outsource these services to a managed SOC service provider." This is indeed a big challenge for MKB, as most existing SOC services are way too expensive and possibly also not suited for the MKB market. We have built a SOC solution based on our 25+ years of experience and we are deploying this in the Belgian and Dutch market as we speak. If you want to know more, please do not hesitate to contact our local responsible Mike Koehorst to explore collaboration with us for the Netherlands, or myself for Belgium. (Thank you Han Veldwijk for the tip about this article.)

Twan van Ravestein

Information Security Officer @ Avit Group | CISM

3w
Nico Joos

Cyber security consultant / fraud prevention specialist / NIS2 Lead Implementer & Trainer / Author of the book "Stop Phishing"

3w

"You might have missed it" 😂👍 Thanks for sharing!

Joris van den Eijnden

It works better when you let IT work!

3w

Eddy Islaratoeboen, even if it is ‘only’ 15%, still worth taking a look at together 😉
