Many companies are affected by the EU's NIS2 directive, the new edition of the NIS directive. It raises the minimum cybersecurity requirements for critical infrastructure. Companies should be well prepared.
Cyber attacks on critical infrastructure are particularly dangerous. The EU therefore defined minimum cybersecurity requirements in the Network and Information Security (NIS) Directive in 2016. That directive is now being replaced by a new edition, NIS2. The NIS2 directive has been in force since 16 January 2023, and the EU member states have until October 2024 to transpose it into national law. In Germany, this is being done through the NIS2 Implementation Act, which is currently available as a second draft. Changes to the IT Security Act and the KRITIS Ordinance are to be expected. Many companies are now wondering what NIS2 means for them.
What do security managers need to know now, and how can they best prepare? Dirk Wocke, compliance manager and data protection officer at indevis, answers the most important questions.
Who is affected by NIS2?
The most important difference from the old legislation is the significantly expanded scope. Seven new KRITIS sectors are being added, increasing the number from eleven to eighteen. While so far only large organizations from the direct KRITIS environment have been affected, NIS2 also applies to private companies, even those with as few as 50 employees or an annual turnover of 10 million euros. Some companies fall under the directive regardless of their size because they are among the so-called "essential entities" that are particularly important for the common good.
What is also new is that affected companies must check and ensure the cybersecurity of their suppliers. This is important because supply chains are becoming increasingly complex and even the failure of a small component can lead to critical bottlenecks. The SolarWinds hack, for example, showed how dangerous supply chain attacks can be. All in all, NIS2 affects a wide range of companies, many of which only realize at second glance that they are in scope.
What changes does NIS2 bring?
The new directive raises the minimum cybersecurity requirements and makes management responsible. They are accountable for ensuring that the prescribed standards are adhered to. If a cyber attack occurs, strict reporting requirements apply, similar to the GDPR. Companies must then report the incident to the BSI within a certain period of time. In this way, the legislature wants to prevent those affected from covering up a cyber attack in order to protect their reputation. NIS2 also tightens the European legal framework and deepens supervision and cooperation in the EU between authorities and operators. For example, national computer emergency response teams are to be set up that cooperate across borders and exchange information. At the same time, a vulnerability database is to be set up at EU level.
What should affected companies do now?
NIS2 prescribes state-of-the-art technical and organizational security measures. These include, for example, a methodology for assessing cyber risks and a strategy for ensuring service and business continuity. Measures to prevent, detect and manage cyber incidents are also mandatory. Essentially, it is about building an information security management system (ISMS). An ISMS defines the rules, processes, methods, tools and responsibilities used to manage and control cybersecurity in the company.
BSI IT-Grundschutz and ISO/IEC 27001, for example, offer guidance. Most companies have so far only put individual pieces of the ISMS puzzle in place. The first step is to identify the gaps and then close them step by step. Numerous roles need to be filled and policies defined. All of this is usually more complex than expected and takes time. It is therefore advisable to tackle the issue as soon as possible. An external service provider with experience in introducing and developing an ISMS can provide advice and assistance.
What happens if companies ignore the NIS2 requirements?
Similar to the GDPR, the legislature backs its requirements with high fines for violations. Penalties and enforcement actions will be significantly expanded, with maximum fines of at least seven or ten million euros depending on the sector. To check compliance with the NIS2 requirements, the BSI can carry out audits or commission them from third parties. If deficiencies are discovered, affected companies are given a deadline within which they must make improvements. Last but not least, managing directors are personally liable if the forensic investigation of a cyber incident reveals that the company disregarded the security requirements.
NIS2 as an opportunity
Anyone already classified as a KRITIS operator has probably implemented much of what NIS2 requires. For newly affected companies, the effort is greater. It is therefore advisable to start as soon as possible. Even if NIS2 initially means work, the investment is worth it. Strengthening cybersecurity is essential given the growing threat situation.
In practice, those responsible for security often find it difficult to free up budget for security measures, so pressure from legal requirements is needed. NIS2 now places cybersecurity at the top of the management agenda, paving the way for change. In future, security managers should have an easier time convincing CEOs to invest more in cybersecurity. To achieve NIS2 compliance as quickly and efficiently as possible, we recommend working with an experienced managed security services provider. Such a provider can help review the security strategy, set up an ISMS, and select and operate suitable security technology.
More at indevis.de
About indevis
Certified according to the international standard ISO/IEC 27001, indevis GmbH is one of Germany's leading Managed Security Service Providers (MSSP). The company has been setting security standards in information technology for over 20 years and offers customers of all sizes and industries suitable IT security solutions for networks, data centers and cloud.