Comment

5 steps to more OT cyber security and NIS2

The digitalization of industry has made critical infrastructures a popular target for cyber attacks. The potentially devastating damage to both companies and society makes the topic of cyber security increasingly relevant for legislators.

The NIS2 Directive addresses this issue by providing legal measures to improve overall cybersecurity in the EU, with a focus on preparedness and cooperation in critical sectors. The Directive requires the operators it covers (essential and important entities) to take appropriate technical and organizational security measures. They must notify the relevant national authorities of significant incidents and reduce security risks in their supply chains by reviewing product quality and the cybersecurity practices of their suppliers and service providers.


NIS2 is a revised legal framework based on the first EU-wide legal act on cybersecurity (the NIS Directive of 2016). It came into force on January 16, 2023, and member states have until October 17, 2024 to transpose the directive into national law. On July 24, 2024, the German Federal Cabinet approved the draft law to strengthen cybersecurity in Germany, which implements the EU NIS2 Directive nationally. Companies that fail to comply risk fines, personal liability of management, temporary bans for the persons responsible and further sanctions.

With the following five steps, companies can already lay a foundation for NIS2 or the national implementation of NIS2 by implementing programs and procedures that address some of the key requirements:

Step 1: Sensitize the top management level

Top management should be made aware of cybersecurity risk management, the NIS2 requirements and the potential consequences of maintaining the status quo. In this context, it is advisable to work with senior management and the management teams of the individual business units to ensure that all stakeholders are involved in the discussion of the NIS2 requirements; under NIS2, management bodies must approve the risk management measures and oversee their implementation, and can be held liable for failing to do so.


Step 2: Cooperation within the company

The cybersecurity risk management measures described in the NIS2 Directive should be reviewed in collaboration with the internal teams that will have to implement them (IT, OT engineering, plant operations, procurement, legal). For each individual mandate, it is recommended to determine the current maturity level so that the gap to the required state becomes visible.

Step 3: Responsiveness and reporting

Does the company have a fully developed, agreed and practiced incident response plan? Is it known what triggers the incident response, and who decides that an incident is reportable? Does the company have a business continuity and crisis management plan that covers all areas of the business, including the production environment? NIS2 sets tight reporting deadlines for significant incidents (an early warning within 24 hours of becoming aware of the incident and a fuller notification within 72 hours), so the plan must assign the responsibility for notifying the national authority and must be exercised so that these deadlines can actually be met.

Step 4: Evaluation of supply chain security

For this purpose, a list of all assets in use in the company's environment is required; each of the providers of these assets is part of the supply chain. Which software solutions are used in which process, and which vendor or service provider maintains them? All of these providers need to be evaluated. The same applies to the hardware and software solutions at company level, since they are connected via networks to other plants and operations within the company, so a weakness in one supplier's product can propagate across sites.

Step 5: Creating a roadmap for OT cybersecurity

A roadmap should document the current maturity level in the key areas as well as time-bound plans for improvement and optimization. From technology adoption to workforce development, a long-term view of cyber readiness should be established so that progress can be measured consistently against the same baseline.

Executives must now take an active role in monitoring and implementing OT cybersecurity. A more coordinated approach to cybersecurity governance, covering the management of network and information security risks, can close the gaps in cyber resilience between different sectors. This will allow organizations to modernize their OT cybersecurity and build a foundation for meeting the NIS2 Directive.

Author: Kai Thomsen, Director of Global Incident Response Services at Dragos
