NIS2 Directive Compliance for Cybersecurity in the EU
The overall requirements of cybersecurity criteria and the number of affected companies have increased significantly with NIS2. Companies are required to implement the new security measures by October 2024. If you want to implement the requirements of the NIS2 Directive easily and sustainably, you’ve come to the right place.
- Increase in Security Level
- Prevention of Cyber Attacks
- EU-compliant Compliance Standards
What is the NIS-2 directive? And what does it mean for companies?
The NIS-2 Directive (The Network and Information Security Directive) is an EU-wide regulation for cyber and information security. It contains legal requirements for IT security to bring the current minimum security standard to a new level and to remedy existing deficiencies.
Since April 2023, there has already been an existing draft bill for the new law in Germany, which has been submitted to the Federal Ministry as the NIS-2 Implementation and Cybersecurity Strengthening Act.
Among other things, the strengthened NIS-2 directive focuses on:
- Supply chain security
- Risk management
- Tightening of supervisory measures and obligations (keyword: personal liability of management)
- Introduction of enforcement rules with harmonized sanctions in all member states
NIS-2 affected sectors and companies
Enforcement of NIS2 depends on the category in which an organization is classified. An organization or institution can be classified as essential (Essential Entity) or important (Important Entity). The classification is determined by the size of the company and by whether it falls under a sector of high criticality or one of the other critical sectors. Fines for violations and the degree of oversight by authorities vary by classification.
- Small businesses: fewer than 50 employees, maximum 10 million euros in sales or maximum 10 million euros balance sheet total
- Medium-sized companies: 50 – 249 employees, maximum sales of 50 million euros or balance sheet total of 10 – 43 million euros
- Large companies: at least 250 employees, more than 50 million euros in sales or more than 43 million euros in balance sheet total
Should companies fail to comply with the new measures of the NIS-2 Directive, they may be subject to heavy fines, depending on the sector. For essential entities, fines range up to 10 million euros or 2 percent of annual revenue. Important entities may incur fines of 7 million euros or 1.4 percent of annual sales.
- ESSENTIAL ENTITIES = sectors with high criticality: Energy | Transportation | Banking and Finance | Healthcare | Water Supply | Digital Infrastructure | Public Administration | Space | ICT Services
- IMPORTANT ENTITIES = other critical sectors: Postal and courier services | Waste management | Chemicals | Food | Research | Digital services | Manufacturing of goods
Implementing NIS2 requirements simply
The NIS2 Directive does not specify concrete technical measures. Instead, it refers to industry standards such as B3S. There is generally a lot of overlap with ISO/IEC 27001.
Learn at a glance how Enginsight software and matching partner services can help you implement and continuously comply with NIS2.
NIS-2 requirements for companies
The requirements of NIS2 can be roughly divided into four categories, from which security objectives and, based on them, measures can be derived to improve the security status or to demonstrate it.
- Risk Management: NIS2 requires companies to regularly evaluate their IT landscape to identify security vulnerabilities and implement appropriate measures to protect against and prevent potential cyberattacks. These measures include risk management, supply chain security, improved network security, better access control and encryption.
- Incident management: NIS2 requires that executives take responsibility for overseeing their organization’s cybersecurity measures and familiarize themselves with the NIS2 guidelines. If the requirements are violated, severe sanctions may be imposed on managers.
- Business continuity: NIS-2 requires organizations to ensure business continuity in the event of a major cyberattack. This should include measures beyond full backups, such as emergency procedures and the establishment of an incident response team, to minimize potential damage.
- Reporting: In the event of a cyberattack, companies in critical and very critical sectors must have cybersecurity incident reporting procedures in place. Among other things, the NIS-2 directive requires cyber incidents to be reported within 24 hours.
Meeting security targets with Enginsight
The NIS-2 Directive is a new EU-wide directive on network and information security that must be implemented by all affected companies by October 17, 2024. The new directive significantly increases the number of companies affected. Affected companies must check their IT security measures and adapt them to the new standard if necessary.
Whether or not a company is affected must be assessed and evaluated by the company itself on the basis of the new NIS2 criteria.
However, the NIS2 directive does not specify concrete technical measures. It points to industry standards such as B3S. There is generally a lot of overlap with ISO/IEC 27001.
However, basic security objectives can be derived from the NIS2 directive. Enginsight and partners support you in the implementation and continuous compliance with these goals from the NIS2 requirements.
- Implement procedures for regular risk analysis and vulnerability assessment
- Asset discovery, description and software inventory
- Identify existing vulnerabilities and security gaps
- Regular penetration testing of own infrastructure and security measures taken so far
- Implement ISMS according to ISO 27001, TISAX, etc.
- Implement end-to-end anomaly and attack detection. Log all events and derive automatic responses.**
- Detect attacks, malicious, erroneous, or other activities on the network that could impact critical services at an early stage
- Ensure rapid response to cyber incidents (enable incident response)
- Best possible defense against malware and attackers at network boundaries
- Managed Detection and Response Services
- Avoid disruption of processes through safety measures
- Create business continuity plan
- Establish multi-level backup management
- Enable fast disaster recovery
- Set up professional crisis management and communication
- Monitor and evaluate the technical communication of the interfaces and establish automated measures if necessary.
- Establish least privilege access for suppliers
- Ensure secure supplier access to the network (e.g. secure passwords, VPN)
- Regular penetration testing of own software and infrastructure
- Permanent monitoring of vulnerabilities
- Ensure effective and safe handling of vulnerabilities
- Continuously review and improve the effectiveness of the cybersecurity system using automated pentests
- Reassess cybersecurity posture and risk exposure on a regular basis
- Build defense-in-depth architecture to detect perimeter security failures early and monitor internal network communications extensively
- Monitor and shield vulnerable assets where patches/updates are not possible
- Contain the spread of attacks (e.g., through network segmentation)
- Keep digital resources up to date in terms of firmware, operating system, etc.
- Set and implement strong password policies
- Implement regular cybersecurity training for staff.
- Monitor and verify encrypted connections according to the current state of the art; adjust the TLS configuration according to the BSI's TR-03116-4 checklist
- Establishing and ensuring end-to-end encrypted communication on the internal network
- Monitor access to critical files and directories enterprise-wide.
- Integrate security screening and awareness into the hiring and contracting process
- Prevent unauthorized physical access to assets
- Monitoring of all communication systems and encrypted connections
- Submit early warning to CSIRT*** within 24 hours of an incident.
- Submit initial assessment to CSIRT within 72 hours (include statements of severity, impact, source)
- Provide incident management status updates as requested by the CSIRT.
- Submit detailed report to CSIRT within one month (incl. information on severity, internal and transboundary impacts, root cause, remedial actions)
- Prevent unauthorized access to digital assets. Monitoring of all logins and login attempts
- Ensure personalized multi-factor authentication
- Ensure secure digital communication
LEGEND:
Green checkmarks = direct implementation by Enginsight / gray checkmarks = solution available via Enginsight Trusted Partner.
* The listed objectives are not explicitly defined in NIS2, but reflect general basic safety objectives as recommended in international standards such as IEC 62443.
** Mandatory for critical infrastructure
*** CSIRT (Computer security incident response team) = government computer emergency response team.
Status quo: how well are you positioned so far?
Your company is located in Germany or another European country and is NIS2-regulated, but you are not sure whether your security measures meet the requirements of the directive? Then start now with an NIS2 requirements analysis of your IT infrastructure. Once you have identified the discrepancies between the status quo and the target state, you can implement (or have implemented) suitable security measures in a prioritized manner and be relaxed when the amended law makes them mandatory.
By the way: IT inventorying is done in Enginsight at the push of a button. We are happy to provide the proof. Contact us.
FAQ about the NIS2 requirements
NIS-2 stands for “Network Information Security” and is a law that relates to the security of information networks. It builds on the original NIS framework and aims to strengthen cybersecurity through complementary security measures in Europe. The new requirement imposes mandatory security measures and reporting obligations on companies and organizations that were not previously affected (regulated).
In Germany, a draft bill for the new NIS2 Act is already available (NIS2UmsuCG).
In the European Union, the new NIS2 Directive (EU 2022/2555) was promulgated in early 2023. All member states are now required to make NIS2 a mandatory minimum standard through national legislation. In Germany, the implementation of the directive is expected to come into force in October 2024.
All companies and institutions that are considered critical infrastructure sectors fall under the new NIS2 directive if they have at least 50 employees or at least EUR 10 million in annual revenue and annual balance sheet. Some important ones fall under regulation regardless of their size (e.g., CRITIS). A brief overview of all sectors and requirements can be found in our PDF download on NIS2.
Depending on the classification (essential/important, large/medium/small), the amount of the fine differs. The maximum amount is €10 million or 2% of global sales.
Essential entities are proactively and regularly audited by authorities. For important entities, a reactive check takes place, i.e. only when there are indications of violations.
With NIS 2 comes liability for management and the board of directors. They must monitor the implementation of the measures and participate in training.