PECB NIS 2 Directive Lead Implementer — Question 3
According to scenario 2, as a first step toward the NIS 2 Directive implementation, MHospital decided to conduct a gap analysis to assess the current state of its cybersecurity measures against the requirements outlined in the NIS 2 Directive. Is this in alignment with best practices?
Answer options
- A. Yes, a gap analysis should be initially conducted before taking any further actions to implement the Directive
- B. No, the initial step should have been a risk assessment to identify potential cybersecurity vulnerabilities
- C. No, the initial step should have been a scope assessment to determine the scope of the company’s compliance
Correct answer: A
Explanation
The correct answer is A because conducting a gap analysis is a recognized first step in understanding current cybersecurity measures compared to required standards. Options B and C suggest alternative initial steps, but they do not address the immediate need to evaluate existing measures against the Directive's requirements.