NIS 2: Which companies need to act by 2025

With the further development of the NIS Directive, stricter and more far-reaching security requirements will be imposed on a large number of companies in important sectors from 2025. We explain which measures need to be taken promptly in order to fulfil the requirements of NIS 2.

What is the NIS Directive and who is affected by NIS 2?

From October 2024, all EU member states must transpose Directive (EU) 2022/255, the EU’s latest NIS Directive on cybersecurity, into national law; the resulting national regulations then enter into force from 2025. Some countries, including Germany, are already aiming for spring 2025.

The ‘Network and Information Systems Security Act’, or NIS for short, defines the common security framework for network and information systems within the EU. Compared to NIS 1, the security requirements of the new NIS Directive have been expanded in scope, both in the sectors they cover and in the sub-areas each sector must address.

Details on the exact classification and the specific security requirements are specified in national legal ordinances. In Germany, NIS 2 is covered by the implementation in the IT Security Act 2.0 and the BSIG (Act on the Federal Office for Information Security). The BSI offers a NIS 2 affectedness test for companies.

What implementation measures need to be taken for NIS 2?

Affected companies are obliged to fulfil the NIS 2 requirements under personal liability of their management. The requirements are aimed first at cybersecurity risk management measures, both digital and physical. In addition, an auditing obligation will come into force for KRITIS operators and particularly important facilities.

The reporting requirements and reporting deadlines for security incidents will also be more strictly regulated, not only to the BSI, but also with regard to the supply chain and the corresponding notification of customers. The following organisational and technical measures are the focus of the stricter requirements:

Meeting future challenges with best practices

An asset and gap analysis is the first step in preparing an affected company for the upcoming requirements. On that basis, cyber risk management, incident management and business continuity processes can be defined, and contact with computer security incident response teams (CSIRTs) can be established.

1. Real-time monitoring:
SIEM systems enable companies to monitor their networks in real time in order to benefit from immediate threat and attack detection.

2. Log management:
SIEM systems collect and store logs from various sources, which helps to recognise patterns and trends in security threats and attacks.

3. Incident response:
In the event of an attack, SIEM systems can help to quickly identify and analyse the incident and initiate appropriate measures.

4. Compliance with regulations:
Among other things, a SIEM system helps KRITIS companies to prove that they are complying with legal security regulations.

5. Threat and attack detection:
By analysing logs and other data, a SIEM system can help detect and respond to known and unknown threats.

6. Automation:
SIEM systems can automate many security processes, which saves time and resources and increases efficiency.
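Items 2 and 5 above describe the core of what a SIEM does: collect logs from many sources and correlate them against rules that recognise attack patterns. The following added example (not code from the original post or from any SIEM product) shows such a correlation rule in miniature: it parses constructed, syslog-style authentication lines, counts failed logins per source address inside a sliding time window, raises an alert when a threshold is reached, and raises a higher-severity alert if a successful login follows the failure burst. The log format, threshold and window size are assumptions chosen for the illustration.

```python
"""
Minimal SIEM-style correlation rule: flag a source address that produces
many failed logins inside a short window (the classic brute-force pattern),
and escalate if that source then logs in successfully.
Log format, threshold and window are assumptions made for this example.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines in a syslog-like layout (not real data).
SAMPLE_LOGS = """\
2025-01-15T08:00:01Z sshd[1201]: Failed password for admin from 203.0.113.7
2025-01-15T08:00:03Z sshd[1201]: Failed password for admin from 203.0.113.7
2025-01-15T08:00:04Z sshd[1201]: Failed password for root from 203.0.113.7
2025-01-15T08:00:06Z sshd[1201]: Failed password for admin from 203.0.113.7
2025-01-15T08:00:07Z sshd[1201]: Failed password for admin from 203.0.113.7
2025-01-15T08:00:09Z sshd[1201]: Accepted password for admin from 203.0.113.7
2025-01-15T08:05:00Z sshd[1202]: Failed password for alice from 198.51.100.20
2025-01-15T08:15:00Z sshd[1203]: Failed password for alice from 198.51.100.20
"""

# Assumed line layout: "<ISO timestamp> <process>: <Failed|Accepted> password for <user> from <ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+: (?P<outcome>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<src>\d+\.\d+\.\d+\.\d+)$"
)


def parse_line(line):
    """Normalise one raw log line into an event dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # a production SIEM would count unparsed lines rather than drop them silently
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return {"ts": ts, "outcome": m["outcome"], "user": m["user"], "src": m["src"]}


def detect_bruteforce(lines, threshold=5, window=timedelta(seconds=60)):
    """Return a list of alerts.

    - 'medium': a source reached `threshold` failed logins inside `window`
    - 'high':   a flagged source then logged in successfully within `window`
                of its last failure (possible compromised credentials)
    """
    failures = defaultdict(deque)  # src -> timestamps of recent failures
    flagged = set()                # sources already alerted on (avoid repeats)
    alerts = []

    for event in filter(None, map(parse_line, lines)):
        src, ts = event["src"], event["ts"]
        recent = failures[src]

        if event["outcome"] == "Failed":
            recent.append(ts)
            # Drop failures that fell out of the sliding window.
            while recent and ts - recent[0] > window:
                recent.popleft()
            if len(recent) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append({"severity": "medium", "rule": "bruteforce",
                               "src": src, "count": len(recent), "ts": ts})
        else:  # Accepted
            if src in flagged and recent and ts - recent[-1] <= window:
                alerts.append({"severity": "high", "rule": "bruteforce-success",
                               "src": src, "user": event["user"], "ts": ts})
    return alerts


def run_sample():
    """Apply the rule to the constructed sample and return the alerts."""
    return detect_bruteforce(SAMPLE_LOGS.splitlines())


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

On the sample, the rule produces two alerts for 203.0.113.7 (five failures in six seconds, then a success) and none for 198.51.100.20, whose two failures are ten minutes apart and therefore never share a window. Keeping a per-source sliding window rather than a plain counter is what lets the rule distinguish a burst from occasional mistyped passwords.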
