Guldborgsund Forsyning is a municipally owned group that supplies district heating and drinking water and collects wastewater from more than 10,000 households on the Danish islands Falster and part of Lolland.
As IT Administrator, Christopher Larsen has one primary focus area: securing Guldborgsund Forsyning’s IT systems. He’s therefore also responsible for ensuring that the company complies with the requirements of the NIS2 directive and that Guldborgsund Forsyning can document this.
And the EU’s NIS2 Directive is unavoidable for Guldborgsund Forsyning:
As a supplier of district heating, drinking water, and wastewater, the company is part of the critical infrastructure.
An increased level of security requires financial investments – a responsibility that falls on the top strategic leadership to secure funding and ensure implementation.
However, Christopher Larsen doesn’t encounter any bumps in the road here – on the contrary, he feels that NIS2 has really put IT security on the group’s agenda. By focusing on security of supply in relation to deliveries, it has become easier to get a common language with management about why IT security is a high priority:
The aim of the NIS2 Directive is to protect critical infrastructure and EU citizens from cyber-attacks. In doing so, NIS2 sets out a series of minimum requirements to strengthen cybersecurity in the EU.
Christopher Larsen started the process with a gap analysis. Both to uncover the biggest potentials and to investigate which approach would ensure Guldborgsund Forsyning the best possible preparation for NIS2.
“We chose to use CIS18 as a framework for our compliance work, as CIS18 focuses on follow-up controls and guidance. One of our biggest needs afterwards was to find a single point of reference for all our documents, policies and procedures, and anything else that might be relevant to our NIS2 compliance work.”
IT Administrator at Guldborgsund Forsyning
As Christopher Larsen gained an overview of the NIS2 work, he began working with the team and other internal stakeholders to explore different options for driving compliance processes.
The working group considered different approaches to the implementation of NIS2 in Guldborgsund Forsyning, including using software that could support the legal assessments.
The easy choice would be the external consultancy firm, as they had already made a gap analysis and offered a package solution for Guldborgsund Forsyning’s NIS2 policies and internal procedures. Doing the NIS2 work in-house wasn’t out of the question either but meant that outside legal advice would be required to ensure Guldborgsund Forsyning’s compliance with NIS2 legal requirements.
Despite the above considerations, Christopher Larsen had no doubts:
Guldborgsund Forsyning chose to handle NIS2 internally to keep costs down and to develop the necessary competencies in-house. At the same time, they were aware that legal expertise would pose a challenge. Since Guldborgsund Forsyning was already using ComplyCloud for their GDPR compliance, the working group saw an opportunity to leverage a familiar software as an all-in-one compliance tool and the right choice:
Christopher Larsen has found that ComplyCloud not ‘only’ makes the NIS2 process easier and more manageable, but also gives peace of mind for the Guldborgsund Forsyning.
He has realized the value of having a close partner and a tool that can guide him and his colleagues through complex tasks such as risk analysis, policy development and working with suppliers:
“We can clearly see that lawyers have been involved in building the platform. It gives us peace of mind and security to know that the product is built by experts who work professionally with compliance, now also in relation to NIS2.”
The tool is easy to work with, and it has set the framework for how the working group will carry out the work with the NIS2 documentation. Therefore, Guldborgsund Forsyning expects that the use of ComplyCloud will save them a remarkable amount of time in relation to supplier management, risk analysis and more.
“We have saved 4 months of work by using ComplyCloud”
In addition, Guldborgsund Forsyning has benefited from having a lawyer involved in the onboarding phase.
Guldborgsund Forsyning is still in the process of preparing for NIS2 as the documentation is being built in ComplyCloud’s award-winning software.
Want to learn more about how we can also help your organization become NIS2 compliant before the NIS2 Directive is implemented by law in October 2024? Set up a meeting with us here.