With the new EU-wide cybersecurity directive NIS2 entering into force, new regulations and security requirements are on the way. This directive for a common level of cybersecurity (NIS) from 2016 has been extended by a few points in 2023. In the following, we explain which sectors are subject to this extended directive and what companies and authorities must do now.
Increasing networking and digitization also mean that attackers are becoming increasingly sophisticated about digital targets. For a common level of cybersecurity within the EU, the NIS Directive (Security of Network and Information Systems) was launched a few years ago. Due to further tension on the threat landscape of the digital space, the EU refined and expanded the directive. The new regulation aims to higher protect critical sectors and infrastructures within the EU and to make them safer. In order to achieve this, it is necessary to tighten the security requirements for companies quickly and consistently, because the attackers are also constantly developing new strategies. Organizations that are subject to the directive, must act now, as the timeline stipulates that the requirements will be transposed into national law by autumn 2024 at the latest. But which companies are actually meant and what is required of them?
NIS2 increases penalties for breaches
The NIS2 legislation stresses the importance and necessity of cybersecurity and risk management. Companies are required to take measures that take into account both internal damage and the impact on the society. The level of sanctions can rise to over EUR 10 million, depending on the sector. From an economic perspective, it is often not feasible to eliminate all risks. Reliable data is therefore required in order to find proper compromises. Regular coordination between top management, operational IT and IT security is becoming increasingly important in order to meet the requirements of the NIS2 Directive.
35,000 companies in Germany and Austria affected
NIS2 extends NIS1 with stricter security requirements that cover additional economic sectors and therefore a larger number of affected companies. It is estimated that around 30,000 companies in Germany will be affected. In Austria approximately 5,000 companies look at new regulations.
International and European standards are to be promoted for cybersecurity measures and ICT systems. The EU Commission is expected to issue further and more specific regulations with this regard.
Minimum requirements for cybersecurity
The NIS2 directive contains a wide range of measures that companies must implement in the area of cybersecurity:
Policies: Guidelines for risks and information security
Incident management: prevention, detection and management of cyber incidents (e.g. done by Security Operations Center)
Business continuity: backup management, recovery and crisis management
Supply chain: Security in the supply chain and secure development at suppliers
Purchasing: Security in the procurement of IT and network systems
Effectiveness: Guidelines for measuring cyberrisks
Training: Cybersecurity hygiene
Cryptography: Specifications for cryptography and encryption where possible
Human resources security
Access control
Asset management
Multi-factor authentication and SSO
The use of secure emergency communication systems
Authority for national supervisory
NIS2 gives authorities extensive supervisory and enforcement privileges, including as follows:
– Verification & review of implemented requirements by appointed authorities
– Ad hoc reviews and security audits by independent third parties or authorities, including security scans
– Permission to request data, information and evidence of implementation
– Instructions in the event of compliance violations and appointment of supervisory bodies
– Setting deadlines for compliance improvements and withdrawal of operating license
Member states are to establish a national CSIRT body (also known as CERT) for the management, assessment and evaluation of national cyber incidents. Affected companies are obliged to report security incidents to this body.
SOC: The control center in the fight against cybercrime
It is essential to understand that cybercrime affects every company. Attackers are becoming increasingly professional and campaigns more sophisticated. Security Operations Centers play a crucial role here. SOCs specialize in identifying, evaluating and defending against information risks from cyberspace. It is an organizational unit that reports directly to the management and should be tied to operational IT. A close partnership between SOC team and operational IT should be a given and is crucial for business continuity. In addition, the SOC can transfer data and information to a CSIRT authority in case a security incident happens. For companies and authorities that cannot implement the new security requirements themselves, commissioning a SOC as a Service from a trustworthy Managed Security Service Provider (MSSP) is a viable alternative.