NIS2 Addon

The NIS2 Addon policy pack consolidates four rigorously developed enterprise policies, structured to maximize organizational compliance with the evolving requirements of the European Union’s NIS2 Directive. Each policy functions as a targeted control domain, enabling system-wide adoption of best practices for risk management, security testing, vulnerability disclosure, and secure authentication across diverse business and technology units. P41 – Supplier Dependency Risk Management Policy delivers robust mechanisms for identifying and mitigating systemic supply chain risks. It details how organizations must maintain a supplier dependency register, conduct regular risk assessments, and enforce concentration risk limits, including diversification strategies and contingency planning for critical suppliers. The policy mandates annual reviews and ties supply chain risk directly to business continuity and disaster recovery planning. Governance frameworks require reporting to authorities and escalation when high-risk dependency scenarios or supplier non-compliance occur, fulfilling both regulatory and practical risk management needs. P40 – Security Testing and Red-Teaming Policy structures a comprehensive technical validation program for networks, applications, and infrastructure. It prescribes periodic vulnerability scanning, penetration testing, and red team exercises, covering both cyber and physical domains where relevant. The policy ensures that all tests are properly scoped, authorized, and recorded, and that remediation plans for identified vulnerabilities are tracked and verified. Test findings feed directly into risk treatment, continuous improvement cycles, and are reviewed in management and audit processes – supporting regulatory mandates for effectiveness measurement and technical assurance. P39 – Coordinated Vulnerability Disclosure Policy sets a clear process for accepting, reviewing, remediating, and disclosing vulnerabilities. It specifies safe harbor rules for external reporters (including researchers, partners, and customers), enforces rapid response through a dedicated Vulnerability Response Team, and manages both internal and external communications for advisories. The policy aligns with NIS2 and ENISA guidance, ensuring public channels for disclosure are available, legal protection for good-faith reporters, and that remediation timelines and disclosure practices match international standards. Metrics and post-mortem reviews are integral for continuous process improvement. P38 – Secure Communications and Multi-Factor Authentication Policy (SME type) is designed to be deployable by organizations with simplified security structures and without dedicated security operations centers. It mandates MFA for all access points and privileged accounts, and requires encrypted channels for all internal and emergency communications. The policy includes specific user, IT administrator, and senior management responsibilities, and allows for documented exceptions with compensating controls where technical limitations exist. Continuous auditing and regular training reinforce adoption, while governance ensures rapid updates in-line with regulatory and threat landscape changes. Together, these policies create a strong, defensible NIS2 compliance foundation, tightly mapping to EU legal, technical, and reporting requirements, and offering detailed operational playbooks for teams in IT, risk, compliance, procurement, vendor management, and executive roles.