A data-driven approach to risk management is essential. By harnessing real-time data, analytics and Cyber Risk Quantification (CRQ) through Factor Analysis of Information Risk (FAIR™), a methodology that translates cyber risks into financial terms, Irish organisations can transform compliance into an opportunity. This means giving boards actionable insights, focusing investments on real risks, and building resilience beyond the checklist.
In this article, we explore how data-driven practices support each RMM (RMM002 - RMM016) and help meet NIS2 requirements. For some requirements the impact is greater, for others less, but data-driven risk management has a role to play in them all.

Governance and Risk Management
RMM002 - Governance – Management board commitment and accountability
Cybersecurity is now a board-level responsibility. Senior management must actively oversee risk measures. Data-driven practices help CISOs communicate risks in tangible, financial terms using CRQ. Dashboards and metrics - from incident trends to potential losses - enable directors to make informed decisions and show due diligence. This turns vague compliance into visible governance.
RMM003 – Network and Information Security Policy
Policies must reflect real threats. By analysing incidents, control performance data, and threat intelligence, policies can evolve to focus on relevant issues like phishing or ransomware. Regular reviews driven by key metrics (e.g., malware infections or policy violations) keep guidance fresh. CRQ helps align policy strength to actual risk, ensuring that controls are both effective and proportionate.
RMM004 – Risk Management Policy
NIS2 demands continuous risk insight, not periodic reports. A live risk register informed by vulnerability scans, threat intelligence and impact assessments lets organisations see risks in real time. Incorporating the metrics above and quantifying risk financially enables prioritisation and risk-based investments. It also ensures consistency, from frontline staff to executives.
RMM005 – Continuous improvement - assess effectiveness and improve cybersecurity risk management measures
Security must be regularly reviewed and refined. By tracking control performance data, such as patch rates, incident response times or test results, organisations can see what’s working and where to improve. CRQ supports decision-making after each change by showing risk reduction. Regular tests and feedback loops support a culture of continuous, data-led improvement.
Core Security Measures and Controls
RMM006 – Basic Cyber Hygiene Practices and Security Training
Training and hygiene practices must be evidenced. Data such as patch compliance, malware detections and training scores help show NIS2 alignment. CRQ helps quantify how reducing human error (via awareness) impacts risk, supporting investment. Metrics from simulations and audits provide proof of progress and readiness.
RMM007 – Asset Management
Organisations must know their assets to protect them. Automated asset discovery and classification create a real-time, risk-informed inventory. CRQ helps identify crown jewels – high-value systems requiring stronger controls. Asset data supports rapid incident response and prioritised defence, as required under NIS2.
RMM008 – Human Resources Security
Staff risks are critical. Data helps track vetting, role-based access, and insider threats. Logs, background checks and training records prove security responsibilities are understood and monitored. CRQ can model risks tied to human behaviour (like phishing success or insider threats), justifying further investment in people-focused controls.
RMM009 – Access Control
Least privilege must be monitored, not assumed. Data from IAM tools, access reviews and login audits shows who has access, how it’s used, and whether it aligns with policy. CRQ models show how risk drops with controls like MFA. This evidence satisfies auditors and reinforces governance.
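A FAIR-style Monte Carlo calculation of the kind the RMM004, RMM005 and RMM009 passages describe, written here as an added example (it is neither C-Risk's tooling nor a reference FAIR implementation). The scenario estimates, the distributions and the effect of MFA on the vulnerability factor are constructed for illustration.

```python
import math
import random
import statistics
from dataclasses import dataclass


@dataclass
class Scenario:
    """FAIR factors as (min, most likely, max) calibrated estimates."""
    name: str
    tef: tuple   # Threat Event Frequency: attack attempts per year
    vuln: tuple  # Vulnerability: probability an attempt becomes a loss event
    lm: tuple    # Loss Magnitude: EUR lost per loss event


def tri(rng, est):
    """Draw from a triangular distribution given (min, mode, max)."""
    low, mode, high = est
    return rng.triangular(low, high, mode)


def poisson(rng, lam):
    """Knuth's Poisson sampler; adequate for the small event rates used here."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        k += 1
        p *= rng.random()
        if p <= limit:
            return k - 1


def simulate(scenario, iterations=10_000, seed=7):
    """Simulate one year many times; return ALE and loss percentiles (EUR)."""
    rng = random.Random(seed)
    annual = []
    for _ in range(iterations):
        lef = tri(rng, scenario.tef) * tri(rng, scenario.vuln)  # loss events / year
        events = poisson(rng, lef)
        annual.append(sum(tri(rng, scenario.lm) for _ in range(events)))
    annual.sort()
    return {"ale": statistics.fmean(annual),   # annualised loss expectancy
            "p50": annual[iterations // 2],
            "p90": annual[int(iterations * 0.9)]}


def risk_reduction(before, after, **kw):
    """Financial benefit of a control: ALE before minus ALE after."""
    return simulate(before, **kw)["ale"] - simulate(after, **kw)["ale"]


# Constructed estimates for a credential-phishing scenario (illustrative only).
BASELINE = Scenario("password only", (2, 5, 10), (0.30, 0.50, 0.80), (20_000, 80_000, 300_000))
WITH_MFA = Scenario("with MFA", (2, 5, 10), (0.02, 0.05, 0.15), (20_000, 80_000, 300_000))

if __name__ == "__main__":
    for s in (BASELINE, WITH_MFA):
        print(s.name, {k: round(v) for k, v in simulate(s).items()})
    print("annual risk reduction from MFA (EUR):", round(risk_reduction(BASELINE, WITH_MFA)))
```

The p90 figure is the kind of tail-loss number a board can weigh against the cost of the control, and rerunning the two scenarios after a change is the "risk reduction" evidence RMM005 asks for.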
RMM010 – Environmental and physical security
IT assets must be physically protected. Logs from badge systems, CCTV alerts and IoT sensors give visibility into threats like unauthorised access or environmental failure. Risk modelling quantifies impact scenarios, supporting targeted investment in defences. Data-driven oversight turns physical security into a managed, measurable domain.
RMM011 – Cryptography, Encryption and Authentication
Controls must be used effectively and consistently. Metrics on encryption coverage, key rotation and MFA usage show whether protection is in place and working. Gaps, like unencrypted backups, are identified through scanning. CRQ highlights how strong cryptographic controls reduce breach costs, supporting strategic upgrades, but also exposes the risk scenarios where this control might be less effective than assumed.
RMM012 – Supply Chain Security Policy
Vendors may be part of the attack surface. Data-driven risk ratings and assessments help profile suppliers. Thresholds can be set for required certifications or risk scores. CRQ helps prioritise which vendors to scrutinise by modelling potential loss. Audit trails and live monitoring help prove oversight and compliance.
RMM013 - Security in network and information systems acquisition, development and maintenance
Security must be built into development. Metrics from code scans and testing show how secure software is. They can also identify where improvement is needed. Third-party tools and documentation help maintain control over external tech. CRQ helps justify investment in secure design by quantifying the cost of not doing so.
Incident Response and Resilience
RMM014 – Incident Handling
Speed and clarity are essential. Data from monitoring systems accelerates detection and guides action. Incident metrics (e.g., timelines, causes, resolution steps) help identify patterns. CRQ simulations test response plans and set recovery expectations. Evidence of lessons learned supports compliance and maturity.
RMM015 – Incident Reporting
Reporting must be fast and accurate. Thresholds based on impact data help decide whether to notify authorities. Monitoring tools feed pre-populated reports. CRQ aids in judging materiality. Logs and decision records show transparency. Data automation ensures that accurate data can be extracted quickly in the event of an incident.
RMM016 – Business Continuity and Crisis Management
Continuity planning must be data-led. Business impact analyses (BIAs) collect downtime tolerances and financial risks, feeding into recovery strategies. CRQ helps prioritise investments (e.g., failover systems). Testing yields metrics on recovery times and performance. Documentation proves plans are working and improving. Data ensures that resilience is more than aspiration.
Regulatory compliance is only the first step to digital operational resilience
C-Risk can help you effectively communicate the financial and operational impact of cyber risks, ensuring strategic resource allocation that aligns with your business objectives.
From Obligation to Opportunity
NIS2 is a turning point for Irish cybersecurity, pushing organisations to adopt smarter, more resilient practices. A data-driven approach delivers operational visibility, enables prioritised investments, and enforces accountability. It provides the evidence to meet compliance demands while improving real-world security. Those who embrace it will lead the way in digital trust and resilience.
C-Risk can help you address new compliance requirements introduced under NIS2. If you would like to discuss your cybersecurity and compliance challenges, schedule a call with a C-Risk expert.
We build scalable solutions to quantify cyber risk in financial terms so organizations can make informed decisions to improve governance and resilience.