Indevis
August 7, 2024, 11:37 am | Dirk Wocke
The new version of the EU NIS Directive not only raises the minimum requirements for cyber security, it also affects significantly more companies than before. What measures should companies take now? Dirk Wocke lists the five most important points.
In October the time will have come: the new EU directive will be transposed into national law and will require a significantly larger number of companies in Germany to become more resilient to cyber threats. This means that even small companies, and numerous companies not previously classified as critical infrastructure, will have to implement specified cybersecurity measures. This takes time. It therefore makes sense to start preparing for NIS2 compliance now.
1. Determine whether you are affected
The NIS2 directive expands the KRITIS sectors from eleven to eighteen. Even small companies and organizations can now be classified as facilities important to the general public, which obliges significantly more organizations than before to implement the NIS2 requirements. A first way to determine whether your own company is affected is to use the online checks available on the Internet. However, caution is advised here: even if the result appears negative at first glance, you may still fall under NIS2, for example if you are obliged to take NIS2 measures as a supplier or through your own supplier relationships. To be on the safe side, it is therefore sensible to bring in legal expertise or an experienced Managed Security Service Provider (MSSP). If the NIS2 assessment leads to the decision to develop a security strategy in the form of an ISMS (Information Security Management System), an MSSP has the advantage of being able to contribute its experience and provide advice.
2. Raise awareness among management
The NIS2 Directive makes managing directors personally liable if a security incident occurs because security regulations were disregarded in the company. In addition, insurance cover lapses in this case: both corporate cybersecurity insurance and managing director or D&O insurance (Directors & Officers Liability Insurance) assume negligence if no security systems for attack detection are in place. Responsibility for security therefore lies with the management, not with the organization's IT experts. Management teams should therefore find out immediately what the NIS regulations expect of their company. Web-based courses and the expertise of external IT consultants are available for this purpose. It is important that they develop an awareness of what is at stake and what penalties are possible in an emergency. To anchor this awareness in the company, the second step should be target group-specific training in the individual departments. In this way, everyone involved in implementing the security measures works from the same basis.
3. Identify responsible persons
Once management is sensitized to NIS2, it becomes easier to anchor the issue of security throughout the company, because the initiative to introduce comprehensive measures now comes from the very top and no longer just from the IT department. The next step is a gap analysis, with external help if necessary, to find out which measures and security systems or tools are still missing and who can solve which challenges. These supporters are usually several people in the company, for example the purchasing department, which manages suppliers, or the marketing department, which handles crisis communication. If the company has a quality management officer, this person can, for example, take on parts of the role of the information security officer (ISO), who takes care of implementing the security guidelines. If no employee in the company has the necessary qualifications, those responsible can also hire an external expert for this position. In this way, a cross-company security team is created that deals competently with the issue of information security under the control of management.
- NIS2 is coming – what do companies have to do now?
- Schedule, budget and emergency