NIS2: A guide

Goal of NIS2

The Network and Information Security (NIS) Directive was adopted by the EU in 2016. The aim of NIS1 was to fundamentally strengthen European IT security and to better protect critical infrastructures. NIS2 is its successor. The directive was adopted by the European Parliament on December 14, 2022 and came into force on January 16, 2023. It is intended to significantly increase the resilience of companies and national institutions within the EU across all sectors and to harmonise minimum standards.

In view of the constant change in the digital landscape, it has become clear that a broader approach to cybersecurity is needed. It is also essential that the member states improve their cooperation in this area. NIS2 aims to support this by establishing harmonised standards and procedures. Overall, the directive significantly tightens the existing requirements. Those affected must take a wide range of technical and organisational protective measures. In addition, cybersecurity becomes a management task: the management bears central responsibility for risk management and for the implementation of measures.


Who is affected?

NIS2 applies to organisations, companies and institutions from a total of 18 sectors with at least 50 employees and/or at least €10 million in annual turnover and balance sheet total. The scope of application has thus been considerably extended, and the majority of medium-sized and large companies are affected. In addition, NIS2 defines a company-wide scope of application, i.e. it applies to the whole organisation rather than to specific parts of it. This is one of the main differences from the existing BSI requirements. There are also criteria that apply regardless of the size of the organisation; these relate, for example, to critical activities or to effects on public order.

Requirements

Measures are to be implemented in the following areas:

  • Risk analysis and security for information systems
  • Security of the supply chain
  • Evaluation of the effectiveness of cybersecurity and risk management measures
  • Security of personnel
  • Concepts for access control
  • Asset management
  • Management of security incidents
  • Security in development, procurement and maintenance
  • Cybersecurity and hygiene training
  • Multi-factor authentication
  • Maintenance and recovery
  • Backup management
  • Crisis management
  • Vulnerability management
  • Use of cryptography and encryption
  • Secure voice, video and text communication
  • Secure emergency communication systems

Further action is required with regard to registration, verification, training and, above all, reporting obligations. For example, particularly important organisations must report all security incidents to the BSI within very short deadlines: the initial report must be made within 24 hours, and an assessment of the initial report (severity, impact, compromise) must follow within 72 hours.


Implementation plan

In Germany, the NIS-2 Implementation and Cyber Security Strengthening Act (NIS2UmsuCG) will transpose the directive into national law. The deadline set for this is October 17, 2024. Of course, implementing the measures will take time. Nevertheless, the directive requires Member States to apply the implementing legislation from October 18, 2024. It should also be emphasised that the directive provides for minimum harmonisation, so the German legislator may also stipulate stricter regulations and additional requirements. In any case, continued violations carry a risk of severe fines and even the withdrawal of operating licences or certifications.

However, there are still uncertainties, including with regard to liability. It is also claimed that there is an implicit transitional period under which conformity audits would not take place until three years after October 18, 2024. However, the German government is not permitted to make such commitments. In case of doubt, a company could therefore be audited as early as October 19, 2024. Every organisation should therefore determine at an early stage whether it is affected, clarify responsibilities, analyse its risks, start implementing measures and review them continuously.


Our tip:

The clock is ticking! NIS2 is getting closer and closer, but DTS won't leave you alone!

We would like to use our expertise to help you become ‘NIS2-ready’, develop customised packages of measures, shape your IT security and secure your future ‘compliantly’. Whether it's a brief summary of the NIS2 topic in our one-pager, our NIS2 test to determine your need for action or our NIS2 workshops: we are there for you, all from a single source.
