ENISA has spoken: Vulnerability management is critical for NIS2 compliance

In its newly released Technical Implementation Guide, ENISA clearly addresses vulnerability management as a key component of NIS2 compliance. Let’s take a look at Section 6.10, which concerns risk management.
Section 6.10
This section describes vulnerability management explicitly, stating the following:
“The relevant entities shall obtain information about technical vulnerabilities in their network and information systems, evaluate their exposure to such vulnerabilities and take appropriate measures to manage the vulnerabilities.”
These entities must also, per the guide, adopt a framework for assessing the severity of vulnerabilities (based on models like CVSS, EPSS, or SANS) and supplement these with environmental and threat metrics as needed.
Evidence requirements
In order to comply with NIS2, in-scope entities must be able to provide evidence that they have taken the measures above. Lack of such evidence can result in fines or other punitive measures.
Evidence of implemented vulnerability management measures includes:
- Licences or subscriptions for vulnerability-scanning tools.
- Logs that indicate a critical vulnerability was addressed.
- Logs from vulnerability management tools showing scan schedules, results and follow-up actions.
- Documented technical vulnerability scan reports.
Our solution
We support you all the way
Holm Security offers Next-Gen Vulnerability Management, supporting models like CVSS, EPSS, and SANS, and harnessing additional threat intelligence. We can also drill down on specific threat vectors like ransomware.
Are you a supplier?
NIS2 applies directly to critical sectors such as energy, transportation, health, and digital infrastructure. However, the Directive also introduces supply chain security obligations, meaning suppliers and service providers to these entities must now meet the same cyber security requirements as their in-scope customers, even if they are not directly "in scope" themselves.
Summary
If it wasn’t clear before, it is now: vulnerability management is critical for NIS2 compliance. Why? ENISA recognizes the technology as proven, simple, straightforward, and measurable. Vulnerability management originated 25 years ago and has been iterated and improved in the years since. It not only works, but is here to stay.
Remember: suppliers are also impacted, as in-scope entities under NIS2 will have to impose the same requirements on you as on their own organization.
Download ENISA’s guide
We recommend looking at pages 101-105 of ENISA’s guide, which you can download here.

Stefan Thelberg
Co-founder & CEO
Stefan is one of Europe's most prominent cyber security entrepreneurs and previously founded the Swedish Webhosting Group and Stay Secure.