
NIS-2 is coming for (nearly) all organizations!


The EU's new directive to improve cybersecurity affects many organizations: according to the German government, up to 30,000 companies in 18 important sectors are affected. The requirements can be expected to propagate down the supply chain, which would bring even more companies into scope.


Note: The bill for the NIS-2 Implementation and Cybersecurity Strengthening Act (NIS2UmsuCG) was adopted by the Federal Cabinet on 24 July 2024 and now goes to the Bundestag.


For the companies concerned, NIS-2 follows a risk-based, comprehensive "all-hazards approach" that considers every relevant threat: the measures must protect not only the digital security of the network and information systems but also their physical environment, for example the hardware on which the systems run.


What exactly needs to be done?


First of all, each organization should check whether it falls under the directive because of its size (from 50 employees, or 10 million turnover, or 43 million balance sheet total) or its business area (18 sectors), and to which group it belongs. Be careful: size alone is not decisive, because certain entities fall under the law regardless of size because of the nature of their business. Depending on the group (sectors of high criticality or other critical sectors), specific requirements then apply. For certain entities there is also an active obligation to register (Art. 27).

The required risk management measures are listed in Article 21 of the NIS-2 Directive. Other articles address the training of management and employees (Art. 20) and the reporting obligations and their deadlines (Art. 23).

In summary, the following twelve requirements are the most relevant ones to observe in order to strengthen the prevention and handling of security incidents under NIS-2:


  1. Entities must draw up policies on risk analysis and on the security of their network and information systems.

  2. Procedures for handling security incidents must be put in place.

  3. Continuity of operations must be ensured through backup management, disaster recovery and crisis management.

  4. Entities must ensure security in their supply chain, i.e. they must assess the IT security of their direct suppliers and service providers, both their overall quality and their vulnerabilities.

  5. Entities must implement security measures in the acquisition, development and maintenance of IT systems, including vulnerability handling and disclosure.

  6. Entities must develop policies and procedures for assessing the effectiveness of their risk management measures.

  7. Entities must implement basic cyber hygiene practices and cybersecurity training.

  8. Entities must develop policies and procedures for the use of cryptography and, where appropriate, encryption.

  9. Entities must ensure human resources security and establish policies for access control and asset management.

  10. Entities must adopt multi-factor or continuous authentication solutions, secured communication solutions (voice, video, text) and, where appropriate, secured emergency communication systems.

  11. Entities must set up a reporting process that can meet the deadlines of Art. 23: an early warning within 24 hours of becoming aware of a significant incident, an incident notification within 72 hours, and a final report no later than one month after the notification.

  12. Employees must be sensitized and trained for security incidents so that they can act confidently in an emergency under time pressure. Management must be trained so that it can oversee the implementation of the measures.


These twelve measures aim to improve the cybersecurity of organizations. They touch several areas, from organization and technology to people and legal matters.


Risk Management and Managed Security Services


A central element is risk management, which requires a combination of expertise, legal assessment, organizational measures and technological solutions. Meeting today's cyber risks takes both human expertise and technical tooling: attacks often go unnoticed for a long time, so detection and defence must be proactive. This is where technical security solutions and specialized threat analysts come in. Such experts are hard to find, however, and their services are usually costly.

As a result, more and more companies are turning to managed cyber security, in which managed detection and response (MDR) services play a central role. These services provide technical 24/7 coverage together with a team of analysts specialized in detecting and responding to cyberattacks. Which service fits depends on several factors, including the individual protection needs, the organizational structure and the available budget.


ISO/IEC 27001, the ISMS and certification


The technical and organizational measures can be implemented within a solid and comprehensive information security management system (ISMS) based on the ISO/IEC 27001 standard. The ISO/IEC 27000 series consists of internationally recognised standards, which NIS-2 Recital 79 names as an admissible framework for demonstrating implementation of the directive.

In addition, ISO/IEC 27001 certification provides considerably more robust evidence of compliance than simply claiming to be "NIS-2 compliant". A certificate based on an audit by an independent third party carries more evidential weight and can be used for marketing as well.


This is because nationally and internationally regulated procedures already exist for carrying out recognised certifications, with established, regulated certification bodies and trained, accredited auditors. Particularly when it comes to fines for the company (cf. Art. 34) or personal liability of management (cf. Art. 20 and 32) under NIS-2, a certificate in favour of the defendant can be the decisive factor in demonstrably rebutting an accusation of "inactivity or negligence".


Referring to the ISO/IEC 27000 series offers the advantage of established audit methods, certification bodies, consultants and tools. In summary, although the requirements of the NIS-2 Directive are demanding, they are industry-independent and flexible, and they can be implemented for all 18 NIS-2 sectors within the framework of the ISO/IEC 27000 standards, using an ISMS according to ISO/IEC 27001.


Cybersecurity undoubtedly comes at a price, but investing in appropriate security measures is essential to protect the organization from ever-growing threats that, with rapidly increasing digitalization, pose high risks to the entire company, up to and including insolvency.
