By 17 October 2024, European Member States must adopt and publish the measures necessary to comply with the NIS 2 Directive.
To bolster Europe’s resilience against current and future cyberthreats, the NIS2 Directive introduces new requirements and obligations for organizations in four overarching areas: risk management, corporate accountability, reporting obligations, and business continuity. The Directive also sets out 10 minimum measures that need to be implemented across a range of sectors, including energy, health, finance, digital/infrastructure providers, manufacturing, space, public administration and more.
Implementing the 10 minimum measures requires trained and competent professionals at every level of the organization. The matrix below shows how decision makers (non-technical), IT Operations, Security Operations, and Technical Security Leaders can obtain the training they need to design, implement, configure, manage and maintain a security posture aligned with the NIS2 minimum measures.
CompTIA solutions are available in a range of formats, including self-paced e-learning, hands-on labs, and live online training. Employees need to be confident that they have assimilated the necessary knowledge and skills, so they should be encouraged to take an appropriate assessment, such as the certification exam, to establish both confidence and competence.
A security culture encompasses several stakeholders who together identify the organization's needs and implement the necessary NIS2 measures across people, process, and technology. For the matrix below, we have defined them as:
Decision Makers – non-technical stakeholders who contribute to the organization's resilience by overseeing and challenging the IT Operations and Security Operations teams to implement the necessary controls. Although they may not be technical, they need to understand the key concepts that enable them to relate business goals to technology resource allocation. This group comprises decision makers such as the CEO/Managing Director, CFO/Finance Director, security awareness leaders, board members, and non-executive board members.
IT Operations Team (ITOps) – the IT Support Technicians, Systems and Network Administrators, Network and Cloud Engineers, and Database Administrators responsible for designing, implementing, securing, maintaining and supporting the organisation’s technology investments. With a wide remit and a changing technology landscape, they are the first line of defence in ensuring the resilience of network and information systems.
Security Operations Team (SecOps) – Security Operations may be a separate function, or it may consist of individuals within the IT Operations Team who hold specific cyber security responsibilities. The goal of this team is to manage, monitor, test, and report on the organisation’s cyber security resilience. It includes Security Administrators, Cyber Security Analysts, and Penetration Testers.
Technical & Security Leadership – the leaders who oversee the IT Operations and Security Operations teams, such as the CTO and CISO, as well as team leaders, managers, and directors. They are responsible for the overall implementation and reporting requirements of the NIS2 Directive, for ensuring continuous improvement of the organisational security posture, and for horizon scanning for emerging cybersecurity opportunities and threats.
CompTIA certifications are vendor neutral, globally recognised, and aligned to key job roles. Organisations are therefore recommended to adopt a pathway-based approach, which contributes to a learning culture and instils continuous professional development.
For example, a pathway for a Cyber Security Specialist would be as follows:
| Beginner | Intermediate | Advanced | Expert |
|---|---|---|---|
| CompTIA A+ | CompTIA Network+, CompTIA Security+ | CompTIA CySA+, CompTIA PenTest+, CompTIA Cloud+ | CompTIA CASP+ |
NIS2 Minimum Measures
| NIS2 minimum measure | Decision Maker (non-technical) | IT Operations Team (ITOps) | Security Operations Team (SecOps) | Technical & Security Leadership |
|---|---|---|---|---|
| Risk assessments and security policies for information systems | Cloud Essentials+ | A+, Network+, Cloud+, TestOut Routing & Switching Pro | Security+ | CASP+ |
| A plan for handling security incidents | Cloud Essentials+ | A+, Network+, Cloud+ | Security+, CySA+ | CASP+ |
| A plan for managing business operations during and after a security incident. This means that backups must be up to date. There must also be a plan for ensuring access to IT systems and their operating functions during and after a security incident. | ITF+ | A+, Network+, Cloud+, DataSys+, Server+, Linux+, TestOut Hybrid Server Pro: Advanced, TestOut Routing & Switching Pro | Security+, CySA+ | CASP+ |
| Security around supply chains and the relationship between the company and its direct suppliers. Companies must choose security measures that fit the vulnerabilities of each direct supplier, and then assess the overall security level across all suppliers. | | | Security+, PenTest+ | CASP+ |
| Policies and procedures for evaluating the effectiveness of security measures. | Cloud Essentials+ | Network+, Cloud+, TestOut Hybrid Server Pro: Advanced | Security+, PenTest+ | CASP+ |
| Security around the procurement of systems and the development and operation of systems. This means having policies for handling and reporting vulnerabilities. | | | Security+, CySA+ | CASP+ |
| Cybersecurity training and a practice for basic computer hygiene. | ITF+, Cloud Essentials+ | A+, Network+, Cloud+, DataSys+, Server+, Linux+, TestOut Client Pro, TestOut Hybrid Server Pro: Core, TestOut Routing & Switching Pro | Security+, CySA+, PenTest+ | CASP+ |
| Policies and procedures for the use of cryptography and, when relevant, encryption. | ITF+ | A+, Network+, Cloud+, DataSys+, Server+, Linux+, TestOut Client Pro, TestOut Hybrid Server Pro: Core, TestOut Hybrid Server Pro: Advanced, TestOut Routing & Switching Pro | Security+ | CASP+ |
| Security procedures for employees with access to sensitive or important data, including policies for data access. The company must also maintain an overview of all relevant assets and ensure that they are properly used and handled. | ITF+ | A+, Network+, Cloud+, DataSys+, Server+, Linux+, TestOut Client Pro, TestOut Hybrid Server Pro: Core, TestOut Hybrid Server Pro: Advanced, TestOut Routing & Switching Pro | Security+, CySA+ | CASP+ |
| The use of multi-factor authentication, continuous authentication solutions, voice, video, and text encryption, and encrypted internal emergency communication, when appropriate. | ITF+ | A+, Network+, Cloud+, Server+, Linux+, TestOut Client Pro, TestOut Routing & Switching Pro | Security+, CySA+ | CASP+ |