One of the main topics in the amendments to the Cyber Security Act is the introduction of appropriate and proportionate technical, operational, and organizational measures for managing risk. This is an important formulation, because it shows that NIS 2 compliance does not come down to a single product or a single technical setting.
The organization must assess what risks exist for its network and information systems and what measures are necessary in relation to those risks.
Among the main areas that companies should pay attention to are:
Policies for risk analysis and information systems security;
Incident response actions;
Business continuity;
Backups and disaster recovery;
Crisis management;
Supply chain security;
Security in the acquisition, development, and maintenance of systems;
Assessment of the effectiveness of measures;
Basic cyber hygiene practices and training;
Cryptography and encryption, where applicable;
Human resources security;
Access control and asset management;
Multi-factor authentication or other secure authentication solutions, where appropriate.
These are areas where practical gaps are often identified. For example, an organization may have backups but may not have tested the recovery process. It may have access policies in place but no regular review of user permissions. It may use external providers without having assessed the risks associated with them.
That is why the review of NIS 2 readiness should be structured. It is not enough to check only whether technical protection is in place. It is necessary to assess whether the measures are appropriate, proportionate, documented, and applicable in the organization’s actual operations.
A professional gap analysis can show exactly that: which requirements are already covered, which are partially covered, and where gaps exist. This gives the company a clear picture and an action plan, instead of a general feeling that “something needs to be done.”