Page 7 | A-LIGN

The responsibility of implementing and tracking the use of artificial intelligence at any company is growing more important every day as AI usage increases. In fact, in a survey from McKinsey, 65% of respondents say their organizations are regularly using generative AI in at least one business function, nearly doubling the survey’s last results.  

Interested in developing an AI policy for your company? Read on to learn why it’s important and how to get started. Download the template to follow along. 

Why is an AI policy important? 

Beyond keeping pace with the trend—44% of companies already have an AI policy in place, according to Litter—AI policies also protect your company from potential lawsuits and liabilities. Using AI-based technologies can put sensitive data at risk or inadvertently cause copyright infringement if not used properly. Plus, these policies are a crucial element of AI frameworks and regulations like ISO 42001 and the EU AI Act. 

Who needs an AI policy? 

Deciding whether your company needs an AI policy doesn’t have to be complicated. Consider whether your company fits into one of these groups: 

  • Your company or employees are using AI to some degree in their day-to-day 
  • Your company is developing technologies that use AI 
  • Your company needs to adhere to frameworks and regulations like ISO 42001 and the EU AI Act 

What should an AI policy include? 

Cover your bases. If you’ve developed company-wide policies before, you might have a framework in mind. Regardless, keep these key elements top of mind: 

  • The purpose and scope of the policy 
  • Alignment with company goals 
  • Process for deviations 
  • Risk management 
  • Monitoring and reporting 
  • External communication and transparency 

Your company’s AI policy should be tailored to your company’s current and future usage of AI. Not every policy will look the same. Plus, this isn’t an exhaustive list. You might also want to include details on monitoring and reporting, or required training for your company. 

How can I get started? 

For more, download this AI policy template developed by A-LIGN’s expert auditors to help you get started.

Competing priorities, ever-changing standards, and a nonstop audit cycle can make tracking and executing audit plans a challenge. Enterprises are now turning to their audit partners to streamline the process and provide strategic plans through a process called audit consolidation. Read on to learn more from A-LIGN’s 2025 Compliance Benchmark Report. 

According to A-LIGN’s survey, 92% of organizations conduct at least two audits or assessments each year, with 58% conducting four or more audits. So, it should come as no surprise that nearly two-thirds of organizations are spending at least three months per year preparing for audits. This reactive, one-off approach likely has some impact on the available resources dedicated to compliance.   

In this blog, we will share some of the benefits of consolidating audits and auditors and some of the best practices to do so.  

What are the benefits of consolidating audits? 

Audit harmonization can reduce complexity and streamline compliance efforts by creating a close partnership between companies and their auditors. Auditors work with clients to create a compliance strategy that not only meets regulatory standards but also enhances customer trust, reduces risk, improves efficiency, and drives additional revenue. 

Additional benefits of consolidating audits include:  

  • Consistency across assessments: By consolidating audits, organizations can ensure a consistent approach to completing multiple assessments. This can help to standardize the audit process, reduce the risk of errors or inconsistencies, and provide a more comprehensive view of the organization’s compliance posture.  
  • Conducting multiple assessments with one vendor: Consolidating audits enables organizations to conduct multiple assessments with one vendor. This can help streamline the audit process, reduce costs, and improve communication and collaboration between the organization and the vendor.  
  • Reduction in duplicate evidence collection: Consolidating audits can also save time in evidence collecting. By consolidating multiple audits into a single event, organizations can more efficiently collect and organize the evidence required for each assessment, all at one time. This reduces the need to collect the same or similar evidence for different assessments throughout the year, reducing the amount of time and resources required to achieve compliance.  
  • Time savings: Consolidating audits can also save time for the auditor reviewing the evidence. By consolidating audits, auditors can more easily identify and review evidence that is relevant to multiple assessments, reducing the amount of time required to complete each audit (and the cost associated with their work).  

In addition to consolidating audits, organizations can also streamline compliance by consolidating their auditors with a single provider. 

What are the benefits of consolidating auditors? 

Consolidating auditors involves working with a single provider to manage all of your audits, instead of hiring multiple auditors across different areas of focus.  

A-LIGN’s research shows that half of organizations might switch audit service providers for more efficient, less time-consuming processes and 45% would do so for cost savings. Consolidating audit service providers could help realize these benefits.   

By consolidating auditors, organizations can realize several advantages, including:  

  • More efficient and effective audits: Consolidating auditors can reduce the time and resources required to manage multiple vendors. By working with a single provider, organizations can streamline the audit process and reduce the administrative burden of managing multiple auditors.   
  • Cost savings: Another significant benefit of consolidating auditors is cost savings. By working with a single provider, you can negotiate better rates and reduce the overall cost of your compliance program. Furthermore, consolidated audits reduce the time spent managing the audit process, which can help reduce costs and increase efficiency.  
  • Improved communication: Consolidating auditors can help improve communication and collaboration between different areas of your organization. By working with a single provider, you can ensure that everyone is on the same page and that all compliance activities are aligned with your organization’s goals.  

Organizations should carefully consider their options when selecting an auditor and ensure that they are working with a provider that can meet their unique needs. It’s important to choose an auditor that has experience in your industry and understands the specific regulations and standards that you must comply with. Additionally, organizations should carefully review the audit methodology and approach used by the provider to ensure that it aligns with their overall compliance goals.  

Want to learn more? Contact us today to learn how A-LIGN can save you time and streamline your audit process.

As artificial intelligence (AI) continues to position itself as an integral part of business operations in 2025, safeguarding AI systems against security threats is essential. Recognizing this need, HITRUST has launched its own AI Security Assessment, offering organizations a robust framework to address the unique challenges of deployed AI technologies.

What is the HITRUST AI Security Assessment?

HITRUST’s AI Security Assessment provides a structured approach to evaluate and manage AI-related risks, ensuring secure, transparent, and ethical AI practices not only for healthcare organizations but for businesses operating across all sectors.

Based on ISO/IEC 23894:2023 and the NIST AI Risk Management Framework, this assessment includes 51 controls for AI governance to ensure comprehensive risk management without disrupting current and ongoing compliance efforts.

Key features of the HITRUST AI Security Assessment include:

  1. Curated security controls: Focused on the distinct challenges posed by AI technologies, these controls are specifically designed to address AI-related vulnerabilities.
  2. AI-specific threat requirements: The assessment leverages insights from authoritative sources to establish security requirements that counter emerging AI threats.
  3. Control inheritance: Organizations can inherit controls from their AI solution providers, streamlining the assessment process and reducing administrative burdens.

The assessment provides a report with strengths and improvement areas, adaptable for various AI stages, supporting self-assessment or HITRUST validation. Certified entities will receive HITRUST e1, i1, or r2 Certification reports and letters, as well as AI Security Certification reports and letters.

Who can get a HITRUST AI Security Assessment?

Although organizations in any industry can conduct a HITRUST AI Security Assessment, there are certain guidelines that must be met to be assessed.

To achieve certification, organizations must meet the following guidelines:

  • Be an AI platform and product provider – this excludes AI developers, users and partners
  • Achieve HITRUST e1, i1, or r2 certification prior to the AI Security Assessment
  • Achieve the following minimum score on applicable assessments:
    • e1 and i1 assessments: 83
    • r2 assessments: 62

Why should organizations pursue a HITRUST AI Security Assessment?

Businesses across all industries are heavily investing in AI as its use expands rapidly. However, AI systems process sensitive data, making them prime targets for cyberattacks.

With new regulations like the EU AI Act, organizations must proactively manage AI risks to ensure compliance and gain a competitive edge as reliance on AI grows.

Ensuring robust security measures is crucial for protecting data integrity, preventing breaches, and maintaining compliance. The HITRUST AI Security Assessment provides a structured framework to address these challenges, fostering trust and resilience in your AI initiatives.

Additionally, organizations using CSF v11.4.0 or newer can now add the “Cybersecurity for AI Systems” compliance factor through the MyCSF platform. This integration, which requires additional report credits and adheres to standard QA reservation protocols for validated reports, seamlessly integrates with existing HITRUST e1, i1, and r2 assessments.

Partnering with A-LIGN for your HITRUST AI cybersecurity needs

A-LIGN provides comprehensive services to guide your organization through the HITRUST AI Security Assessment process, no matter where you are on your journey.

  1. Advisory services: Our readiness assessments identify gaps and prepare your organization to meet HITRUST requirements efficiently.
  2. Comprehensive assessments: We conduct HITRUST AI Security Assessments, as well as HITRUST AI Risk Management Assessments, and handle submission to HITRUST for certification, streamlining your compliance journey.
  3. End-to-end support: From preparation to certification, we ensure a smooth process, allowing your team to focus on core business activities.

The HITRUST AI Security Assessment helps to safeguard AI technologies against evolving threats. With A-LIGN’s high-quality audit services and unparalleled expertise, you can confidently navigate this process, enhancing your AI security posture and maintaining compliance with global standards.

Contact A-LIGN and one of our compliance experts will be in touch to start your HITRUST AI security journey.

Achieving Cybersecurity Maturity Model Certification (CMMC) is essential for organizations in the Defense Industrial Base (DIB), yet diving into certification without adequate preparation can lead to costly setbacks. Many organizations rush to hire a CMMC Third-Party Assessor Organization (C3PAO) prematurely, often bypassing essential preparatory steps. This post highlights how leveraging a qualified Managed Service Provider (MSP) with Registered Practitioner (RP) status, like CyberSheath, can help organizations prepare for certification with compliance-driven IT and security services. 

CMMC roles and responsibilities: Qualified MSP/RPs and C3PAOs 

To understand the CMMC compliance process, it’s essential to recognize the distinct roles of MSPs, RPs, and C3PAOs: 

  • Qualified MSPs with Registered Practitioner (RP) status: Not every RP is equipped to support CMMC compliance with an operational approach, but those that are also MSPs bring a unique advantage. MSPs like CyberSheath, with strong CMMC experience and RP credentials, offer not only advisory support but also the practical, day-to-day compliance services that meet CMMC standards. Unlike RPs who may only advise, an MSP that also functions as a Registered Practitioner operates in alignment with CMMC requirements through compliance-driven IT and security services—supporting clients’ CMMC compliance goals by maintaining continuous operational alignment. 
  • C3PAOs: CMMC Third-Party Assessor Organizations (C3PAOs) are authorized by the Cyber Accreditation Body (Cyber-AB) to conduct official CMMC certification audits. C3PAOs must maintain strict separation of duties to ensure an objective audit—they cannot provide advisory or compliance services as this would compromise the independence required for certification. C3PAOs are limited to performing formal CMMC assessments and mock assessments, helping organizations understand what a real audit entails without impacting the certified environment. 

Common pitfalls in CMMC compliance preparation 

Rushing into the certification process without sufficient preparation can lead to costly missteps. Here are some common mistakes to avoid: 

1. Engaging a C3PAO prematurely 

Hiring a C3PAO before your organization is fully prepared can lead to failed assessments and unnecessary expenses. Organizations sometimes assume they’re ready simply because they’ve implemented certain cybersecurity controls. However, without thorough preparation and understanding of CMMC requirements, critical compliance gaps are often overlooked. This is why many organizations find that working with a qualified MSP/RP like CyberSheath is beneficial, as it allows them to address compliance needs with operational IT and security services before undergoing the formal assessment. 

2. Skipping the gap assessment 

A gap assessment is a foundational step for effective CMMC preparation. While it’s possible to conduct a self-assessment, qualified MSPs with RP status, such as CyberSheath, provide gap assessments that evaluate an organization’s practices against CMMC requirements, identifying critical areas for improvement. MSPs that serve as RPs not only perform assessments but support day-to-day compliance operations, distinguishing themselves from RPs who only advise. This operational involvement enables MSPs to support clients in maintaining the specific security standards necessary for certification. 

3. Underestimating the importance of compliance-focused operational services 

Organizations sometimes overlook the value of compliance-focused operational services in preparing for CMMC certification. A qualified MSP/RP like CyberSheath offers more than advisory support—it provides ongoing compliance IT and security services that are fundamental to daily operations and directly aligned with CMMC requirements. This goes beyond checklist guidance, as MSP/RPs are responsible for helping DIB clients maintain a compliant environment in their routine operations, embedding compliance into every aspect of IT and security. 

4. Blurring the boundaries between compliance services and certification 

Ensuring separation between compliance services and certification is crucial for an unbiased audit. Leveraging a qualified MSP/RP for compliance support ensures readiness without compromising the objectivity of the C3PAO certification process. Once prepared, engaging an independent C3PAO for the official audit not only meets Cyber-AB’s requirements but also ensures a fair, unbiased certification process. 

Preparing for a successful CMMC audit 

To prepare effectively for CMMC certification, follow these steps: 

  1. Start with a gap assessment by a qualified MSP/RP: Begin with a comprehensive gap assessment to identify areas of noncompliance. Working with an MSP/RP provides additional insight into how operational compliance can be embedded into daily activities, minimizing the risk of unexpected issues during the formal audit. 
  2. Implement compliance-focused operational services: Compliance services offered by an MSP/RP go beyond basic advisory—they encompass IT and security operations that meet CMMC standards day-to-day. This ensures the organization’s environment is consistently aligned with CMMC requirements, making it better prepared for certification. 
  3. Begin the C3PAO assessment: Due to timing and a backlog of available assessors, it is recommended to contract with a C3PAO early in the audit process. Then, once implementation and remediation are complete, organizations will be ready to begin the certification audit. Remember, CMMC certification is a three-year cycle, and you’ll need to reassess if any significant changes impact your certified environment. 

Rushing into CMMC certification without sufficient preparation can lead to costly delays. By leveraging the operational compliance services of a qualified MSP/RP like CyberSheath, organizations can ensure their environment meets CMMC requirements before engaging a C3PAO for the formal audit. This strategic approach optimizes resources and maximizes the chances of a successful CMMC certification, establishing a compliant foundation for the three-year certification cycle ahead. 

In business, like in sports, achieving greatness isn’t just about recruiting star players – it’s about building a championship team. Bill Belichick didn’t just assemble a roster of talented athletes; he built champions through rigorous training, discipline, and leadership. At A-LIGN, we follow the same principles. We recruit strong professionals and then coach them to become industry leaders that other teams want in their starting lineup. 

Let’s break down our strategy of building a championship team of audit professionals. 

A-LIGN’s talent philosophy 

Championships aren’t won on raw talent alone. A successful team is made up of individuals with different strengths – from grit and intelligence to a team-first attitude – all guided by effective leadership. These qualities don’t come easy, as some are intrinsically present, while others must be cultivated over time. 

A strong talent development program is the foundation for high-caliber teams. There’s a direct correlation between a team’s effectiveness and its win-loss record, or in our case, the growth of our clients and A-LIGN. With company performance expectations trending higher than ever, it’s no longer enough to simply offer training and development programs. An organization’s game plan must include a talent development strategy that makes its way into every facet of its culture. 

Developing championship talent 

How do organizations stay competitive and maintain a deep bench of talent? By treating talent development like a long-term contract and investing in their future. Just like a winning team trains every player to not only perform at their peak but to lead, innovate, and deliver results, businesses must do the same. 

Technical training programs 

A-LIGN’s technical training programs are designed to develop well-rounded professionals by combining technical expertise with strong leadership skills. Our technical programs are essential for providing a comprehensive overview of the audit lifecycle, enhancing auditors’ technical expertise in regulatory and third-party standards, and integrating real project-related examples into the curriculum. 

These programs allow employees to practice applying technical concepts in meaningful ways, fostering a deeper understanding of their work. By making these learning experiences a core part of our culture, we encourage continuous growth and collaboration, ensuring that our team stays at the forefront of industry standards and innovations.  

Leadership and development curriculum 

Our leadership and development programs teach everything from leader identity, effective communication, emotional intelligence, and successful feedback, to developing strategy and vision. As with all successful teams, there are coaches who support the players in real time, whether in practice or on the field. At A-LIGN, we have a full-time internal leadership coach who focuses on providing feedback and skill development for employees at every level.  

With the help of our leadership, manager, and player coaches, our professionals are in a continuous growth model. Being technically strong is essential, but the true MVPs are those with the skills to lead their team, adapt on the fly, and make tough decisions when the game is on the line.  

Investing in our industry’s future 

This level of investment in our people comes at a price. When you develop top talent, others take notice and want to recruit your players to join their team. We believe this is a sign of strength – we’ve recruited, grown, and developed the best in the industry. 

Our auditors, trained and tested through A-LIGN’s programs, often get recruited for key leadership roles at other organizations. When they move on, they carry our standards, our values, and our commitment to quality into the broader field. At times like these, A-LIGN’s coaching tree ensures that generations of auditors, managers, and directors are developed, maintaining a deep bench for seamless, high-quality service delivery.  

We’re not just building great security and compliance professionals; we are actively investing in the advancement of the industry. Every professional who has been through our system continues to raise the bar wherever they go.   

We welcome this challenge because we’re not just in it to win for ourselves. We’re here to elevate the game for the entire cybersecurity compliance industry. As we continue to recruit, train, and develop top talent we know that our legacy extends far beyond our locker room. 

On October 15, 2024, the Department of Defense (DoD) published the final 32 CFR rule for CMMC 2.0 in the Federal Register. The long-awaited rule outlines the requirements for defense contractors and subcontractors, defines the levels and assessment types, outlines responsibilities for CMMC third-party assessment organizations (C3PAOs), and sets the implementation timeline. 

Now that the CMMC program rule is finalized, here are the key takeaways you need to know. 

Notable updates on CMMC final rule 

Draft versions of the CMMC rule have circulated for months, providing strong indicators of the direction of the program. But, as expected, there are a few notable changes and updates in the final rule. 

Program timeline 

The effective date for CMMC is December 16, 2024. This is the date when the CMMC program will be live and operating. However, C3PAOs cannot begin certification assessments for organizations seeking Level 2 certification until January 2, 2025. 

Organizations are still waiting for an additional rule, the 48 CFR rule, to be published, which will add CMMC certification as a requirement in DoD contracts. That rule is expected to be published in Q2 2025.  

Organizations that get certified ahead of upcoming contractual requirements will be set to meet those requirements without delay. This is one of the many reasons we encourage organizations to get in the queue for certification as soon as possible. 

External service provider applicability 

The biggest difference between the proposed and final rule has to do with external service provider (ESP) certification. In earlier versions of the proposed rule, ESPs, such as managed service providers (MSPs) were required to obtain CMMC certification. Under the final rule, it is not required for ESPs to obtain their own certification. 

However, ESPs are still strongly encouraged to pursue CMMC certification. If an ESP decides not to pursue CMMC certification, its assets will be in scope for its clients’ assessments by a C3PAO. This means that uncertified ESPs could negatively impact their clients’ timelines by adding additional hurdles to asset review. Therefore, ESPs are strongly encouraged to get CMMC certified in order to streamline the process – which many of them were planning to do before the final rule was published. 

Assessment staffing 

The final rule includes an important update on staffing. The Cyber-AB, the accreditation body behind CMMC certification, has a program for training and certifying the individuals conducting CMMC assessments. There are two levels: certified CMMC professional (CCP) and certified CMMC assessor (CCA). 

The CMMC final rule outlines that three CCAs must be involved in each assessment. Two CCAs will be required on the assessment team and one CCA will be a part of QA review. 

This mandate for trained and certified professionals to conduct CMMC assessments will help to set a standard for excellence. However, it may create challenges for smaller C3PAOs with limited staff resources, resulting in longer wait times for assessments. 

Requirements for CMMC level 2 compliance 

The majority of organizations affected by CMMC will fall into level 2. The final rule defines the requirements for level 2: 

  • If you store, transmit, or process Controlled Unclassified Information (CUI), then you will need to obtain Level 2 Certification via assessment from a C3PAO 
  • Organizations Seeking Certification (OSCs) will need to implement the 110 practices outlined in NIST 800-171 and meet all 320 practice objectives 
  • While the DoD contract requirement rollout will likely begin in 2026, it is possible for primes to begin placing CMMC requirements on their subcontractors before then 

Get started with CMMC now 

If you haven’t gotten started on your plan for CMMC compliance, now is the time to start. Once CMMC requirements show up in DoD contracts, if you are not CMMC certified, you risk being left out of the defense contractor ecosystem. 

A-LIGN is a globally recognized cybersecurity and privacy compliance provider that offers a single-provider approach for organizations. With more than 1,000 federal assessments completed, A-LIGN is an accredited C3PAO and FedRAMP 3PAO with extensive experience across NIST frameworks.   

Contact us today to secure your spot in line. 

NIS2 Directive: What You Need to Know

by: A-LIGN, 01 Oct 2024, 5 mins

ISO 27001

The European Union has introduced the NIS2 Directive—an evolution of its cybersecurity strategy to safeguard essential services and networks. Once the directive is transposed into law by the EU member states, the penalties for non-compliance will follow soon after. For businesses operating within the EU, understanding this directive is crucial for compliance and enhancing their cybersecurity posture. 

This blog post will guide you through the intricacies of the NIS2 Directive, discussing who needs to comply, its purpose, coverage, requirements, and timeline. By the end, you’ll know how to prepare your organization for this pivotal shift in cybersecurity governance. 

What is the NIS2 Directive? 

The NIS2 Directive, a successor to the original NIS (Network and Information Systems) Directive, marks a significant step forward in the EU’s approach to cybersecurity. It aims to address the growing complexities and sophistication of cyber threats that can disrupt essential services. While the original NIS Directive laid the groundwork for cybersecurity measures across member states, NIS2 expands on these foundations, introducing more stringent requirements and a broader scope. 

The directive establishes a harmonized framework for cybersecurity across the EU, covering 18 critical sectors. It aims to bolster the EU’s resilience against cyber threats. By enforcing higher cybersecurity standards, NIS2 seeks to protect critical infrastructures and sectors vital to modern society’s functioning. From energy and healthcare to transport and finance, the directive ensures that all essential services maintain robust cybersecurity practices to safeguard against potential disruptions. 

NIS2 is not just about setting rules but about fostering a cybersecurity awareness and action culture. The directive encourages organizations to take proactive measures in identifying and mitigating cyber risks, ultimately leading to a more secure and resilient European digital landscape. 

When and how will NIS2 be enforced? 

The deadline for the NIS2 Directive to be transposed into national laws by all EU member states was originally established as 17 October 2024. As of May 2025, the European Commission issued formal warnings to 19 member states for failing to notify full transposition, giving them two months to comply or face potential referral to the Court of Justice of the European Union. 

Once transposed, member states are responsible for enforcing the directive through designated national authorities, which must implement supervisory and enforcement measures, including penalties for non-compliance. 

Who must comply with NIS2? 

The NIS2 Directive casts a wide net, encompassing a broader range of sectors and entities than its predecessor. While the original NIS Directive focused primarily on operators of essential services (OES) such as energy, transport, and health, NIS2 extends its reach to include digital infrastructure providers, public administration entities, and other critical sectors. 

Organizations that fall under the directive’s scope must comply with its requirements. This includes private and public entities providing essential services or operating critical infrastructure within the EU. Small and micro enterprises are generally excluded, unless they are deemed critical.

Organizations must assess whether they fall within the directive’s scope and understand their obligations. Compliance with NIS2 is not optional. Failure to adhere to its requirements can result in significant penalties and reputational damage. Therefore, organizations must proactively align cybersecurity practices with the directive’s mandates. 

What is the purpose of NIS2? 

The NIS2 Directive is designed to enhance the EU’s cybersecurity resilience and protect its digital landscape from evolving threats. The directive aims to ensure that essential services and critical infrastructure remain operational and secure, even in the face of cyber threats. 

One of NIS2’s primary objectives is to foster a harmonized approach to cybersecurity across EU member states. The directive seeks to eliminate fragmentation and inconsistencies in cybersecurity measures by establishing common standards and practices, ensuring that all member states work collaboratively to address cyber risks. 

Furthermore, NIS2 aims to enhance information sharing and cooperation between member states. This collaborative approach enables member states to pool their resources, expertise, and knowledge, strengthening the EU’s cybersecurity posture. 

What does NIS2 cover? 

The NIS2 Directive covers a wide range of sectors and entities. Its scope includes traditional critical infrastructure sectors, such as energy, transport, and healthcare, digital service providers, public administration entities, and manufacturing industries. 

Within these sectors, the directive applies to organizations that provide essential services or operate critical infrastructure. This includes entities responsible for maintaining the security and availability of network and information systems that underpin these services.  

The directive also emphasizes the importance of supply chain security. With cyber threats often exploiting vulnerabilities in the supply chain, NIS2 requires organizations to assess and mitigate risks associated with their third-party suppliers and service providers. 

What are the NIS2 requirements? 

The NIS2 Directive establishes requirements that organizations must meet in order to achieve the directive’s objectives. These requirements cover various aspects of cybersecurity, including risk management, incident reporting, and governance. 

Firstly, organizations are required to implement robust risk management practices to identify and mitigate cyber risks. This includes conducting regular risk assessments, implementing appropriate security measures, and continuously monitoring their network and information systems for potential threats. 

Secondly, the directive mandates timely incident reporting. Organizations must issue an initial notification to the relevant national authorities within 24 hours, followed by an intermediate report within 72 hours and a final report within one month. Timely incident reporting facilitates information sharing and collaboration between member states, enabling a coordinated response to cyber threats. 

Lastly, NIS2 emphasizes the importance of cybersecurity governance. This includes appointing a designated person or team responsible for overseeing cybersecurity measures and ensuring compliance with the directive’s requirements. 

What are the minimum measures for NIS2? 

Beyond the key requirements, NIS2 mandates the following baseline security measures: 

  • Policies and procedures to assess the effectiveness of cybersecurity risk management measures 
  • Security in system acquisition, development and maintenance, including vulnerability handling and disclosure 
  • Risk analysis and information system security 
  • Supply chain security 
  • Policies on the appropriate use of cryptography and encryption 
  • Incident handling 
  • Basic computer hygiene and training 
  • Business continuity measures (backups, disaster recovery, crisis management) 
  • HR security, access control policies and asset management 
  • Use of MFA or secured voice/video/text communication and secured emergency communication 

What are the penalties for non-compliance? 

Failure to comply with NIS2 can result in financial penalties for an organization. The actual amount will be determined by each EU member state once they transpose the NIS2 Directive into local regulations.

However, the directive offers guidance as to what those penalties should be. The amount of a fine will be based on an organization’s classification. Essential entities are large companies (250+ employees or €50M+) that operate in sectors of critical importance. Important entities are large companies operating in the other sectors, or medium-size companies (50-249 employees or €10M-50M) operating in any of the sectors in scope. 

For essential entities, administrative fines can be up to €10,000,000 or at least 2% of the total annual worldwide turnover in the previous fiscal year of the company to which the essential entity belongs, whichever amount is higher. 

For important entities, administrative fines can be up to €7,000,000 or at least 1.4% of the total annual worldwide turnover in the previous fiscal year of the company to which the important entity belongs, whichever amount is higher. 

Conclusion 

The NIS2 Directive represents a significant advancement in the EU’s efforts to enhance cybersecurity resilience and protect critical infrastructures. The directive aims to create a safer and more secure digital landscape for all member states by establishing common standards, fostering collaboration, and addressing supply chain security. 

For organizations, compliance with the regulations transposed from NIS2 is not just a legal obligation—it’s an opportunity to strengthen their cybersecurity posture and gain a competitive advantage. By implementing robust risk management practices, timely incident reporting, and effective governance frameworks, organizations can protect their operations, safeguard customer trust, and contribute to the overall cybersecurity resilience of the EU. 

Organizations should consider engaging with cybersecurity experts like A-LIGN to stay ahead of evolving cyber threats and ensure compliance with the transposed regulations that will follow the NIS2 Directive. Reach out to our team today. 

In an era where cybersecurity breaches are increasingly common, the demand for regulatory compliance has skyrocketed. To shed light on how businesses can effectively manage these demands, FTV Capital sat down with Scott Price, the Founder and CEO of A-LIGN—a leading provider of cybersecurity and compliance solutions.

Founded in 2009, A-LIGN was established to align companies’ strategic and compliance objectives, transforming how audits are conducted to save time and reduce costs. With a global presence and over 4,000 clients, A-LIGN offers streamlined services, including compliance assessments and cybersecurity testing.

Scott discussed the pivotal role of external investment from FTV in 2018, which provided financial support, market credibility, and growth opportunities. This partnership facilitated A-LIGN’s expansion and allowed Scott to enhance his leadership skills alongside a board of experienced professionals. Scott also emphasized the importance of innovation and leadership development at A-LIGN, highlighting their Leadership Academy, which fosters a culture of continuous improvement and innovation among employees.

With a commitment to quality, transparency, and continuous innovation, A-LIGN remains at the forefront of helping organizations build trust and confidence in a complex cybersecurity environment.

Read the article: https://ftvcapital.com/insights/a-lign-ceo-scott-price-on-delivering-mission-critical-cybersecurity-solutions-and-nurturing-a-leadership-culture/

According to the HITRUST 2024 #TrustReport, only 0.64% of organizations that received HITRUST certifications reported a security breach in their certified environments over 2022 and 2023. This statistic is a powerful testament to the robustness of the HITRUST framework and its unparalleled commitment to leading the industry in data protection standards.

With such a high success rate, it’s clear that HITRUST’s security assessments, including the new AI Risk Management Assessment, can play a critical role in safeguarding your organization’s AI initiatives. Are you assessing the risks associated with your AI tools before deploying them? Conducting due diligence is crucial to ensure that you have the necessary controls in place to mitigate risks.

Read our blog to learn how this framework ensures your business’s AI initiatives are secure, compliant, and aligned with industry best practices.

What is the HITRUST AI Risk Management (RM) Assessment?

The HITRUST AI Risk Management Assessment is a streamlined self-assessment designed to help organizations evaluate and manage the risks associated with AI.

This framework is built upon the National Institute of Standards and Technology (NIST) AI Risk Management Framework (RMF) and the ISO 23894 standard. HITRUST has consolidated the overlapping controls between these two standards into 51 key controls featured in the AI Risk Management Assessment.

One major advantage of the HITRUST AI Risk Management Assessment is its accessibility. Organizations do not need to be HITRUST-certified or even planning certification in the future to take advantage of this assessment.

Additionally, this framework is not restricted to the healthcare industry. Any company, regardless of the sector, can apply the assessment to measure AI-related risks.

Benefits of the HITRUST AI RM Assessment

The primary benefit of the HITRUST AI RM Assessment is that it offers a comprehensive yet simplified framework for managing AI-related risks.

Without this assessment, organizations would need to navigate hundreds of controls from both the NIST AI RMF and ISO 23894 standards. HITRUST significantly reduces this burden, saving security teams valuable time and resources.

By completing the HITRUST AI RM Assessment, organizations position themselves to meet emerging AI compliance regulations and requirements. This proactive approach ensures that your AI initiatives align with industry standards and best practices, providing your organization with a competitive advantage while saving time and effort in the future.

Moreover, the HITRUST AI RM Assessment helps organizations comply with specific directives outlined in frameworks such as ISO/IEC 42001 and the EU AI Act. These regulations mandate periodic AI risk assessments, and the HITRUST AI RM Assessment ensures your risk management practices are both comprehensive and in compliance with current and forthcoming international standards.

Who should use the HITRUST AI RM Assessment?

The HITRUST AI RM Assessment is suitable for a wide range of organizations. This self-assessment is not mandatory for companies that are HITRUST-certified and utilizing AI in their operations.

However, any business looking for valuable insights into the state of their AI development and usage would benefit from this assessment. It helps organizations identify areas for improvement and ensure they are maintaining compliance as both technology and regulations evolve.

Companies can choose to conduct the assessment internally or hire a trusted third-party auditor, such as A-LIGN, to ensure a thorough and objective evaluation. For organizations lacking internal expertise or resources, working with a trusted audit partner can be particularly valuable.

Achieving AI compliance with HITRUST

As AI adoption continues to grow, organizations are investing heavily in integrating AI technology into their daily operations. In 2024, businesses are projected to spend billions on AI initiatives, with adoption rates soaring across multiple sectors.

HITRUST’s anticipated AI certification, set to be released in November 2024, will further support organizations’ compliance efforts. By completing the AI risk management assessment now, businesses can position themselves for success and be well-prepared for upcoming certification requirements.

Contact us to learn more about how A-LIGN can help your organization complete a HITRUST AI Risk Management Assessment today.


Price and Associates CPAs, LLC dba A-LIGN ASSURANCE is a licensed certified public accounting firm registered with the Public Company Accounting Oversight Board (PCAOB). A-LIGN Compliance and Security, Inc. dba A-LIGN is a leading cybersecurity and compliance professional services firm.

A-LIGN 2025. All rights reserved.
