NIS2 is just around the corner

In a few months, numerous companies will have to implement the NIS2 directive. The new EU directive requires strict measures to be implemented to ensure cybersecurity.

At first glance, this period of time may seem long enough, but building an adequate security structure does not happen overnight. NTT Ltd., a leading IT infrastructure and services company, clears up misconceptions surrounding the NIS2 Directive and shows the best way to implement it.

The NIS2 Directive is EU-wide network and information security legislation that came into force on January 16, 2023 and must be transposed into national law by member states by October 17, 2024. In Germany, there is already a draft bill from the Federal Ministry of the Interior on the NIS2 Implementation Act (NIS2UmsuCG). The new directive will massively increase the number of affected companies in Germany: between 30,000 and 40,000 companies will fall under the stricter requirements of NIS2. However, many of them are probably not even aware of this, even though there are severe penalties for non-compliance.

Pressing questions

Do I fall under the NIS2 directive? The authorities do not tell a company whether the new requirements apply to it or not. Rather, companies must determine for themselves whether they are affected, based on the defined criteria. In principle, everyone who is classified as an operator of critical infrastructure falls under this directive. This includes facilities, installations and systems whose functionality is important for society, the security of the country and the economy, and whose failure would lead to significant disruptions. According to the Federal Office for Civil Protection, these are companies in the energy and water supply, telecommunications and information technology, food supply, transport and logistics, finance and healthcare sectors. At the same time, the NIS2 Directive also affects organizations in the supply chain that provide services or products related to critical sectors. This means that the scope goes far beyond the previously known key companies. In the future, companies and organizations in the respective sectors with 50 or more employees and an annual turnover of at least ten million euros will be covered. Specifically, NIS2 distinguishes between “important” and “essential” entities. The latter play a crucial role due to their market share in the respective sector.

Regulations of the NIS2 directive

The EU has tightened requirements in three key areas: supervisory measures and fines, cooperation and collaboration, and risk management and resilience. The increased demands on risk management and resilience mean that organizations must implement both damage prevention and damage minimization measures. This includes areas such as network security, risk management, cybersecurity in supply chains, access control and encryption. NIS2 provides for basic IT hygiene, and the draft bill stipulates attack detection for critical facilities. Companies should also think about how to ensure business continuity after a cyberattack. This includes system recovery, emergency procedures and the establishment of a crisis organization. In addition, an initial report must be received by the responsible authorities as an early warning within 24 hours of becoming aware of a security incident. A detailed report that describes the so-called indicators of compromise must follow within 72 hours. Companies should first use a top-down approach to determine a holistic current picture of the maturity level of their IT security and then implement technical and organizational measures as required. To meet the NIS2 directive, it is also recommended to implement an information security management system (ISMS) according to ISO 27001. At the same time, a security operations center (SOC) makes sense. However, operating a SOC is very cost-intensive, which is why outsourcing it to an external service provider in the form of managed services is a good solution.

What happens if you don't comply?

Although only essential entities are audited, anyone who ignores the requirements risks significant sanctions in the event of a security incident. For companies classified in the “essential” category, fines can be up to ten million euros or two percent of annual global turnover, whichever is greater. For “important” entities, the maximum fine is seven million euros or 1.4 percent of global annual turnover. The Federal Ministry of the Interior's draft bill also stipulates that managing directors and other management bodies of companies are liable with their private assets for compliance with risk management measures. They also face a fine of two percent of global annual turnover. NIS2 is therefore a compliance risk that those responsible should take very seriously. In addition, a poor or non-existent security solution ultimately costs significantly more, even if the investment in appropriate measures may initially seem high to some companies. As with other regulations, there is also a high probability that companies that have not implemented the required measures will not be considered in public tenders.

“NIS2 compliance is not a product that you can just buy and implement. On the contrary: companies must understand that the implementation of the new EU directive is a truly extensive and long-term project with impacts in a wide variety of areas. At the same time, IT compliance has long been a key strategic issue for companies,” explains Bernhard Kretschmer, Vice President Services and Cybersecurity at NTT Ltd. “However, practice shows that many companies have still not taken the required measures. This could become a stumbling block to the timely implementation of NIS2. Because very few companies are able to meet the required requirements with their own IT team.”

About NTT

As part of NTT DATA, a $30 billion IT services provider, NTT Ltd. is a leading IT infrastructure and services company. With its technologies, it supports 65 percent of the Fortune Global 500 and more than 75 percent of the Fortune Global 100. The company is laying the foundation for organizations' edge-to-cloud networking ecosystem, simplifying complex multi-cloud workloads and innovating at the edge, where network, cloud and applications converge. NTT offers tailored infrastructures and ensures consistent best practices in design and operations across its secure, scalable and adaptable data centers. On the path to a software-defined future, NTT supports its customers with platform-based infrastructure services.
