Defined cybersecurity measures

NIS2 is coming – what do companies need to do now?

The new version of the EU NIS Directive not only increases the minimum requirements for cyber security, it also affects significantly more companies than before. What measures should companies take now?

Dirk Wocke, IT Compliance Manager and Data Protection Officer at indevis, lists the five most important points.


In October, the new EU directive will be transposed into national law and will oblige a significantly higher number of companies in Germany to become more resilient to cyber threats. This means that many smaller companies not previously classified as KRITIS (critical infrastructure) will also have to implement defined cybersecurity measures. This takes time, so it makes sense to start preparing for NIS2 compliance now.

1. Determine whether you are affected

The NIS2 directive expands the KRITIS sectors from eleven to eighteen. Small companies and organizations can now also be classified as important entities for the general public, which obliges significantly more organizations than before to implement the NIS2 requirements. An initial way to determine whether your own company is affected is to use the online checks available on the Internet. However, caution is advised here: even if the analysis is negative at first glance, you may still fall under NIS2, for example if you are obliged to take NIS2 measures as a supplier or through your own supplier relationships. To be on the safe side, it therefore makes sense to bring legal expertise or an experienced Managed Security Service Provider (MSSP) on board. If the NIS2 assessment results in a decision to set up a security strategy in the form of an ISMS (Information Security Management System), an MSSP has the advantage that it can contribute its experience and provide advice.

2. Sensitize the management

The NIS2 directive makes managing directors personally liable if a security incident occurs because security requirements have been disregarded in the company. In this case, insurance cover also lapses: both cybersecurity insurance for companies and directors’ and officers’ liability insurance (D&O insurance) assume negligence if no security systems are in place to detect attacks. Responsibility for security therefore lies with the management, not with an organization’s IT experts. Company management teams should therefore find out immediately what is expected of their company under the NIS regulations. Web-based courses as well as the expertise of external IT consultants are available for this purpose. It is important that they develop an awareness of what is at stake and what penalties apply in the event of an incident. To anchor this awareness in the company, the second step should be target-group-specific training in the individual departments. In this way, everyone involved in implementing the security measures will work from the same basis.

3. Determine who is responsible

Once management has been sensitized to NIS2, it becomes easier to anchor the topic of security throughout the company, because the initiative to introduce comprehensive measures now comes from the very top and no longer from the IT department alone. The next step is a gap analysis, with external help if necessary, to find out which measures, security systems or tools are still missing and who can solve which challenges. These supporters are usually several people in the company, for example the purchasing department, which manages the suppliers, or the marketing department, which is responsible for crisis communication. If there is a quality management officer in the company, this person can, for example, take on part of the role of the information security officer (ISO), who is responsible for implementing security guidelines. If there is no employee with the necessary qualifications within the company, those responsible can also hire an external expert for this position. In this way, a cross-company security team is created which, under the direction of the management, competently takes care of information security.

4. Define schedule and budget

Making the company watertight in terms of NIS2 with an ISMS (Information Security Management System), which includes rules, processes and tools for information security, takes time. If a company is subject to the new directive, it should not only have a team of experts on hand to implement or expand the ISMS. It is also important to communicate to the workforce that NIS2, and therefore cybersecurity, plays a central role and that the corresponding requirements must be adhered to. This phase can take some time due to coordination processes, the creation of guidelines and training courses, which in turn should be taken into account in the budget. Anyone aiming to have their ISMS certified in accordance with DIN ISO/IEC 27001:2022 should expect an implementation period of around one to two years, depending on the individual level of maturity. Certification is not mandatory, but it can be useful with a view to future compliance requirements and also makes it easier to prove to customers, suppliers or the BSI (German Federal Office for Information Security) that a compliant ISMS is in place.

5. Define the reporting chain in the event of an emergency

NIS2 stipulates that a security incident must be reported within 72 hours and that an evaluation must be submitted subsequently. In addition to the necessary tools for attack detection (incident management, endpoint security or Managed Detection & Response (MDR) services), companies also need internal guidelines that stipulate how security incidents must be reported. An emergency plan describing what to do in the event of an incident should be available, preferably also in physical form, so that it cannot be rendered inaccessible by encryption in the event of an attack. This emergency plan defines responsibilities and procedures. These procedures can be reviewed and consolidated as part of emergency exercises or tabletop simulations so that the organization is also optimally prepared for specific crisis situations.

Conclusion: Rely on external expertise

The NIS2 directive places far more companies under obligation than before. Management should therefore check now whether they are affected by the new regulations. “With a top-down approach, the right team and the involvement of external expertise from an experienced managed security service provider, companies can meet the requirements of the new directive on time and without any obstacles,” explains Dirk Wocke, IT Compliance Manager and Data Protection Officer at indevis. “This makes their organization resilient against cyber threats – now and in the future, and in line with NIS2.”

(pd/indevis)
