Part one of this series: Secure basis, secure future: NIS-2 as an addition to strong security standards
This second part is about the challenges and strategies involved in implementing the NIS 2 Directive.
With the introduction of the NIS 2 Directive, many companies are confronted with considerable uncertainties, particularly with regard to the specific steps to implement the requirements. The complex guideline and the multitude of factors to be considered make it difficult to develop a clear action plan.
In order to overcome the existing uncertainties, companies can rely on established standards such as ISO 27001 and BSI's basic IT protection (IT-Grundschutz). These provide a structured framework for developing an information security management system (ISMS) and help implement systematic security measures. While these standards provide a solid basis for effective information security, the NIS-2 Directive goes beyond their requirements. It calls for more specific measures, such as extended reporting obligations and greater consideration of security throughout the supply chain. These additions aim to further increase the cyber resilience of companies and to better address the constantly changing threats in the digital space.
One possible approach for implementation is an asset-based risk approach. This involves taking a close look at every asset within a company and assigning corresponding risks. Assets are any valuable resources that process, store, or transmit information, including buildings, hardware, software, networks, databases, and people. Analyzing and managing these assets results in the necessary security measures. By identifying and evaluating the risks associated with each asset, companies can implement targeted protection mechanisms to effectively strengthen cybersecurity.
The asset-based approach offers several benefits:
Implementing such an approach requires resources, both in terms of personnel and technology. Nevertheless, it allows business processes to be specifically adapted to the requirements of the NIS-2 Directive. A gap analysis can serve as an entry point to identify existing gaps in NIS 2 compliance and, based on this, to develop a detailed roadmap for implementation.
It is important that security is understood as an essential part of the company's philosophy. It is a process that affects the entire company and not just the IT department. A security-conscious mindset should be anchored throughout the organization in order to build a robust security culture in the long term.
NIS-2: Just an extension of ISO 27001 and basic IT protection?
While both standards provide a solid basis for information security management, the NIS-2 Directive places additional emphasis on specific measures and processes.
One major difference is the extended reporting requirements. NIS-2 requires affected companies to report security incidents within a specified period of time, often within 24 to 72 hours. Depending on how an organization is affected, e.g. as an essential or important entity, a comprehensive report to the competent authority is required after one month. These fast response times require clear and effective incident management and response processes, which are not required to the same extent in ISO 27001 or basic IT protection.
NIS-2 also requires greater involvement of management in cybersecurity strategies to ensure that cybersecurity is seen as a strategic priority. This requirement applies to the entire company and requires a deeper integration of security culture and processes into all areas of the business.
In addition, NIS-2 requires a more comprehensive view of supply chain risks and their management. Companies must ensure that not only their own systems, but also those of their service providers and partners, are secure. These requirements are more specific and detailed than what is typically covered in ISO 27001 or basic IT protection.
Despite these additional requirements, companies can effectively respond to NIS 2 requirements with an information security management system based on ISO 27001 or basic IT protection. Both frameworks offer the flexibility and structure to make the necessary adjustments and integrations into existing security strategies and thus meet the extended requirements.
Relaxed for the future: Companies with strong information security are well prepared
The NIS-2 Directive brings comprehensive innovations and requirements to ensure that companies are more resilient to security incidents. However, for companies that have already established a solid information security culture and rely on standards such as ISO 27001 or basic IT protection, this adjustment is far less worrying. These organizations already know their information security-relevant assets and simply need to focus on specific enhancements, such as extended reporting requirements or a comprehensive look at supply chain risks.
The long-term benefits of a robust security infrastructure are significant. They not only promote trust in a company's cybersecurity practices, but also strengthen resilience against potential threats and ensure compliance with regulatory requirements. Organizations that have already implemented a strong information security management system can address NIS 2 requirements proactively and with peace of mind.
For affected companies, it is advisable to carry out a gap analysis to identify potential gaps and to advance the optimization of existing security processes. The human factor remains decisive. Through continuous training and awareness raising, employees become a "human firewall," which makes a decisive contribution to preventing threats and ensuring corporate security. In this way, companies that are already well positioned can sit back and concentrate on the many opportunities that a future-proof cybersecurity strategy offers.
Ultimately, it's not just about compliance, but also about gaining competitive advantages through a future-oriented security strategy. Companies that invest in their information security strengthen their trust with customers and partners and position themselves as reliable players in the economy. Accepting the challenges of the NIS 2 Directive means paving the way for a secure and sustainable future.