With the further development of the NIS Directive, stricter and more far-reaching security requirements will be imposed on a large number of companies in important sectors from 2025. We explain which measures need to be taken promptly in order to fulfil the requirements of NIS 2.
What is the NIS Directive and who is affected by NIS 2?
From October 2024, all European countries must have transposed Directive (EU) 2022/255, the EU's latest NIS Directive on cybersecurity, into national law; the resulting regulations enter into force from 2025. Some countries, including Germany, are already aiming for spring 2025.
The ‘Network and Information Systems Security Act’, or NIS for short, defines the common security framework for network and information systems within the EU. Compared to NIS 1, the new NIS Directive has been expanded in scope, both in the sectors it applies to and in the sub-areas of security that must be covered.
- First, large companies from the energy, healthcare, banking, financial markets, water management, digital, information and communication technology, aerospace and public administration sectors are affected. These also include KRITIS operators, qualified trust service providers, TLD registries, DNS services, telecommunications providers, ministries and the Chancellery.
- Second, medium-sized companies from critical sectors such as chemicals, food, industry, waste management, postal and courier services and digital services are covered. The defence industry, incident response companies and providers of trust services and classified information also fall under the regulations.
Details on the exact classification and the specific security requirements are specified in national legal ordinances. In Germany, NIS 2 is covered by the implementation in the IT Security Act 2.0 and the BSIG (Act on the Federal Office for Information Security). The BSI offers a NIS 2 affectedness test for companies.
What implementation measures need to be taken for NIS 2?
Affected companies are obliged to fulfil the NIS 2 requirements under personal liability. On the one hand, the requirements are aimed at cybersecurity risk management measures, both digital and physical. In addition, an auditing obligation will come into force for KRITIS operators and particularly important facilities.
The reporting requirements and reporting deadlines for security incidents will also be more strictly regulated, not only to the BSI, but also with regard to the supply chain and the corresponding notification of customers. The following organisational and technical measures are the focus of the stricter requirements:
- Policies: guidelines for risk management and information security
- Incident management: prevention, detection and management of cyber incidents
- Business continuity: BCM with backup management, DR and crisis management
- Supply chain: security in the supply chain, extending to secure development at suppliers
- Network and IS procurement, development and maintenance: security in the procurement of IT and network systems, including vulnerability management
- Effectiveness: targets for measuring cyber and risk measures
- Cybersecurity hygiene and training
- Cryptography: specifications for cryptography and, where possible, encryption
- Personnel: human resources security
- Access control
- Asset management
- Authentication: use of multi-factor authentication and SSO
- Communication: use of secure voice, video and text communication
- Emergency communication: use of secure emergency communication systems
Meeting future challenges with best practices
An asset and gap analysis is the first step in preparing an affected company for the upcoming requirements. Cyber risk management, incident management and business continuity processes can be defined and contact with computer security incident response teams can be established.
1. Real-time monitoring: SIEM systems enable companies to monitor their networks in real time and benefit from immediate threat and attack detection.
2. Log management: SIEM systems collect and store logs from various sources, which helps to recognise patterns and trends in security threats and attacks.
3. Incident response: in the event of an attack, SIEM systems help to quickly identify and analyse the incident and initiate appropriate measures.
4. Compliance with regulations: among other things, a SIEM system helps KRITIS companies to prove that they are complying with legal security regulations.
5. Threat and attack detection: by analysing logs and other data, a SIEM system can help detect and respond to known and unknown threats.
6. Automation: SIEM systems can automate many security processes, which saves time and resources and increases efficiency.