Q1

A multinational logistics company, classified as an 'essential entity' in several EU Member States, uses a centralized security operations center (SOC) in a non-EU country. To comply with NIS 2, the company must ensure its incident reporting obligations are met. Which statement accurately describes the jurisdictional responsibility for reporting a significant incident that affects services in Germany and Poland?

Q2 (Multiple answers)

A lead implementer is drafting a cybersecurity policy for a newly classified 'important entity' in the food production sector. The policy must align with the risk management measures mandated by Article 21 of the NIS 2 Directive. Which of the following areas must be included in the policy as a baseline requirement? (Select TWO)

Q3

True or False: Under the NIS 2 Directive, the management body of an essential entity can delegate the legal liability for non-compliance with cybersecurity risk management obligations to a third-party managed security service provider (MSSP) through a contractual agreement.

Q4

## Case Study: AquaPure Water Services

**Company Background:** AquaPure Water Services is a public utility responsible for drinking water supply and wastewater management for a region of over one million people in an EU Member State. They are classified as an 'essential entity' under NIS 2. Their operations rely heavily on an Industrial Control System (ICS) and SCADA network to manage water treatment plants, pumping stations, and distribution networks. This OT network has historically been air-gapped but now has limited, firewalled connections to the corporate IT network for reporting and maintenance purposes.

**Current Situation:** During a preliminary NIS 2 gap analysis, the newly appointed lead implementer discovers that AquaPure has no formal business continuity or crisis management plans specifically for cyber incidents affecting the OT environment. The existing disaster recovery plan only covers physical failures such as pump malfunctions or power outages. Furthermore, the engineering team that manages the OT network has a separate command structure from the IT department, and there is no integrated incident response plan.

**Requirements:** The CEO has tasked the lead implementer with developing a plan to meet the business continuity and crisis management requirements of NIS 2. The primary concern is ensuring the continuity of safe drinking water supply in the event of a significant cyberattack, such as ransomware encrypting SCADA servers.

**Question:** As the lead implementer, what is the most critical first step AquaPure should take to develop a NIS 2-compliant cyber crisis management and business continuity capability?

Q5

A lead implementer is creating a project plan for achieving NIS 2 compliance. The organization is a large digital service provider. The plan needs to account for all key phases of the implementation. Which of the following represents the most logical sequence of phases for the implementation project?

```mermaid
graph TD
    A[Initiation & Scoping] --> B{...}
    B --> C[Control Implementation & Operations]
    C --> D[Monitoring & Continual Improvement]
```

Q6

During a review of a draft incident response plan for an 'essential entity', the lead implementer notes that the plan triggers reporting to the national CSIRT only for incidents that have resulted in confirmed data exfiltration. Why is this plan non-compliant with the NIS 2 Directive's definition of a 'significant incident'?

Q7

An organization is setting up a program to monitor its NIS 2 compliance. The management body requires a dashboard with Key Performance Indicators (KPIs). Which of the following would be the LEAST effective KPI for demonstrating the effectiveness of the cybersecurity risk management program to the management body?

Q8

A public administration body in a Member State is considered an 'essential entity'. It is undergoing a NIS 2 implementation and needs to establish a cybersecurity training program for its management body. What is the primary objective of this training as mandated by the NIS 2 Directive?

Q9

A lead implementer is conducting a risk assessment for a digital marketplace platform, which is an 'important entity'. The assessment identifies a critical risk related to a third-party payment gateway provider. The provider has suffered breaches in the past. What is the most appropriate risk treatment strategy in alignment with NIS 2's focus on supply chain security?

Q10 (Multiple answers)

When planning the implementation of NIS 2 requirements for a cross-border healthcare provider, the lead implementer must define the scope of the compliance program. Which elements are essential to define in this scoping phase? (Select THREE)