Toward NIS2 Compliance for Multiple Stakeholders with Security Level Evaluation Framework

Abstract: The revised Network and Information Security Directive (NIS2) aims to achieve a high common level of cybersecurity across the European Union. Several stakeholders, including member states, supervisory authorities, and critical infrastructure service providers, are expected to support this effort by ensuring a high level of information security. Part of raising security levels is the implementation of risk management measures by service providers, but each stakeholder also needs to evaluate the security situation and how it changes over time. Previous research has described NIS2-related activities through user stories that cover six types of stakeholders and their respective goals in relation to the security level evaluation of organizations. In this article, we examine the real-life implementation of these security evaluation user stories and demonstrate how the framework for security level evaluation (F4SLE) can be used to achieve NIS2 compliance within this narrowed scope of security level evaluation. The advantage of F4SLE is that the data can be collected once and then reused to satisfy different stakeholders without imposing an additional reporting burden on entities that must be NIS2-compliant.

Authors: Mari Seeba, Tarmo Oja, Sten Mäses, Maria Pibilota Murumaa, and Raimundas Matulevičius

DOI: https://doi.org/10.7250/csimq.2025-45.07
