From systems to strategy: How to create long-term cybersecurity with NIS2 

2025-07-01

The NIS2 Directive imposes stricter requirements not only on how organizations protect their information, but also on how they organize their security work. Isolated measures in individual IT systems are not enough to succeed. What is needed is an overall strategy in which security is woven into the organization's core processes. This is where a process-oriented approach shows its real strength, as the key to both compliance and long-term resilience. 

The EU's new NIS2 Directive represents a clear shift in how organizations that provide essential services and digital services are expected to work with cybersecurity. The focus is on a systematic, risk-based approach in which information security permeates the entire organization, not just its IT systems. For many, this means moving from an application-based approach to a process-oriented one, in line with established frameworks such as the ISO/IEC 27000 series. 

Application-based approach or process-oriented approach

An application-based approach starts from individual technical systems. Risks are assessed application by application, and safeguards are often implemented without reference to overall business objectives or critical processes. This can provide some local control, but it typically lacks coherence and consistency, especially in complex environments where many systems interact. 

The process-oriented approach, by contrast, starts from the organization's core processes and how information is actually handled within them. This is fully in line with the principles of ISO/IEC 27001, which emphasizes basing information security on business needs, the importance of assets and the risk context. Security measures should be proportionate and guided by systematic risk analysis. NIS2 makes the same demand: Article 21 requires both technical and organizational risk-management measures, including business continuity and supply chain security, and Article 23 sets out the incident reporting obligations. 

Working in a process-oriented way makes it possible to identify where information is most critical, which actors are responsible for it and how it affects other parts of the business. This creates a clear link between risk, business value and responsibility. In accordance with ISO/IEC 27005, risk management can then be integrated into regular decision-making, rather than becoming a separate IT initiative. 

Process-oriented security work also supports the continuous improvement required by both ISO/IEC 27001 and NIS2. With the help of established management models such as PDCA (Plan-Do-Check-Act), measures can be followed up, evaluated and adjusted over time. In this way, information security becomes a living part of governance, rather than a one-off effort ahead of an audit or supervisory review. 

Application-based approaches, on the other hand, tend to create silos, where security is handled differently from system to system without common criteria for risk or impact. This not only makes coordination difficult, but also risks overestimating the protection of some parts of the business while leaving others exposed. 

The choice of approach becomes crucial

NIS2 requires clear management responsibility for security under Article 20, and ISO/IEC 27001 calls for an integrated information security management system. A process-oriented approach allows both requirements to be met in a structured and resource-efficient way. Linking security to operational realities not only provides better protection, but also anchors it more firmly in the organization as a whole. 

A process-oriented approach thus supports both the regulatory requirements of NIS2 and the established standards of the ISO/IEC 27000 series. It lays the foundation for a robust, risk-based and business-oriented security practice that can withstand both internal audit and external supervision. 

Want to know more about how we can support you in your work? Read here: https://www.omegapoint.se/bank-och-finans/
