Digital transformation has significantly increased dependence on IT systems and digital services in recent years. As a result, threats to cybersecurity and attacks on critical infrastructure are also steadily increasing. In order to stop this development, the European Union has adopted the NIS directive on network and information security. In this blog post, we focus on NIS2, the second stage of this directive, and explain what it means for organizations.
Not in the mood to read? You can also watch our webinar.
What is behind the NIS2 guideline?
The abbreviation NIS stands for “Network and Information Systems Security Act”. Network and information security includes, but is not limited to, protecting computer networks, information systems, and data from unauthorized access, misuse, disclosure, destruction, or failure. The general goal of network and information security is to ensure the confidentiality, integrity and availability of information and systems. Various technologies, processes and methods are used for this purpose.
“NIS2” refers to the second stage of the EU Directive for NIS. The first NIS Directive already establishes a common security framework for network and information systems within the EU. It requires member states to establish national cybersecurity policies and regulations and requires operators of essential services and digital service providers to take appropriate security measures and report incidents.
NIS2 builds on NIS1, expanding the scope of the directive and the requirements placed on the security of network and information systems. The expansion serves to further harmonize cybersecurity requirements within the EU. It also aims to further strengthen the resilience of critical infrastructure against cyberattacks.
To which companies does the EU directive NIS2 apply?
The more stringent security requirements for network and information systems in the NIS2 Directive are aimed at providers or operators of services of general economic importance. NIS2 thus affects companies that are classified as operators of critical infrastructure or producers or service providers of significant economic importance. These include, for example, classic critical infrastructure operators such as energy providers, transport companies, healthcare service providers, digital service providers or online marketplaces and now also, for example, manufacturing industry in certain sectors or postal and courier services.
In addition, direct suppliers of IT products and services must also expect more stringent requirements: NIS2 places great emphasis on supply chain risk management, so increased cybersecurity requirements for suppliers can be expected. The exact definition and classification of the companies concerned will still be determined in the context of legal ordinances when they are implemented in German legislation.
What requirements does NIS2 bring with it?
NIS2 introduces stricter security requirements for affected companies. These include:
- Risk management and implementation of minimum cyber security requirements: Effective risk management and implementation of cyber security requirements helps organizations identify and counter cyber threats early. What exactly this looks like can vary depending on the industry and the size of the company. These requirements include, but are not limited to, implementation of basic cyber hygiene procedures and cybersecurity training, regular software updates, access restrictions, encryption technologies, and monitoring of IT systems.
- Registration obligation: Under the NIS2 Directive, affected companies are required to register with national authorities. The purpose of registration is to record and monitor relevant companies in order to improve safety standards and cooperation in the event of safety incidents.
- Duty to provide evidence: Companies classified as "particularly important companies" will have a duty to provide evidence in the future. This means that they must provide evidence that they have implemented the required safety measures. Demonstrating implementation of the Minimum Cyber Security Requirements is critical to ensure compliance and avoid potential sanctions.
- Security incident reporting and information: The NIS2 directive places great emphasis on improved collaboration and information sharing in the event of security incidents. Affected companies are required to report significant security incidents to the authorities without delay. This information must include the nature of the incident, its impact, and the countermeasures taken. In some cases, information obligations to customers also exist.
Preparation for NIS2
To meet the requirements of the NIS2 directive, you can start preparing now:
2. A thorough asset and gap analysis is the first step in assessing a company’s security posture. A responsible person should be appointed who has the task of identifying critical assets and recognising possible security gaps. Through a comprehensive gap analysis, the maturity level of IT security measures can be assessed and optimisation potential can be uncovered.
3. In addition, cyber risk management plays a central role in compliance with the NIS2 policy. It is important to review existing policies or introduce new ones as necessary to adequately assess and address risks. This should include supply chain risks to minimise vulnerabilities.
4. Setting up a Security Information and Event Management (SIEM) system or attack detection can be crucial to identify potential security incidents at an early stage. In addition, incident management processes should be established to ensure effective incident response. Reaching out to Computer Security Incident Response Teams (CSIRTs) can help ensure a coordinated and professional response to security incidents.
5. In order to maintain business operations at all times, the establishment of business continuity processes is of great importance. These processes should ensure that critical functions and services continue to be available even in crisis situations. In addition, it is also advisable here to establish contact with CSIRTs in order to be able to fall back on their support in the event of an emergency.
COCUS helps to meet NIS2 requirements
As an experienced IT service provider and cybersecurity expert, COCUS AG can assist in meeting NIS2 requirements. We offer customized solutions for all areas, tailored to the individual requirements of the company. In doing so, we have the requirements of NIS2 firmly in mind!
COCUS AG’s experts help, for example, in performing gap and risk analyses to identify weak points. Following on from this, we also support the development and implementation of the necessary security measures. In the area of cybersecurity, we offer to conduct training for employees. Our experts find the right solution for every application and provide support from start to finish.
Consequences of non-compliance with NIS2 requirements
Failure to comply with NIS2 requirements can have significant consequences for organizations. These can be fines and penalties in comparable amounts to the penalties for data protection violations. Management is held personally liable by NIS2 for compliance with the requirements. In addition, failure to comply with requirements can lead to cybersecurity incidents that can result in financial losses, data leaks, and business continuity impairments.
It is therefore critical to take the requirements of NIS2 seriously and take appropriate measures to ensure the security of your network and information systems. As a trusted partner, COCUS AG develops customized solutions to meet the requirements of NIS2 and guarantee the security of network and information systems.
