Secure basis, secure future: NIS-2 as an addition to strong safety standards

These companies can build on existing security concepts and focus more on specific expansions. The integration of NIS-2 requirements therefore offers the opportunity to efficiently supplement existing management systems.

However, with an estimated 30,000 affected organizations in Germany and 150,000 to 180,000 in Europe, there is considerable uncertainty as to which companies are actually affected. Numerous edge cases require careful consideration to determine whether they belong to the relevant categories. The NIS 2 Directive aims to increase the cyber resilience of affected companies and to establish a sustainably higher level of IT security.

Implementing the Directive is not a one-off product, but an ongoing process that not only affects the IT department, but involves the entire company. Security must be understood as an integral part of the corporate philosophy and requires a rethink at all levels — towards a security mindset that is deeply anchored in corporate culture.

In Germany, the NIS2 Directive is being implemented by the planned NIS2 Implementation and Cybersecurity Strengthening Act (NIS2umsuCG). However, national implementation is delayed — entry into force is now planned for March 2025. However, due to criticism of the current draft and the rule that all undecided proposals must be resubmitted after new elections, it is unlikely that this deadline will be met. These factors indicate that the law needs to be revised again. It is therefore currently unclear when it will actually be completed and implemented.

Who is affected by the NIS 2 Directive?

The NIS-2 Directive expands the circle of companies and organizations covered compared to its predecessor, the NIS-1 Directive. It is aimed at essential service providers whose functionality is of crucial importance for society. Whether a company is affected by the Directive depends on several criteria, including sector membership and company size.

Affected by the NIS 2 Directive:

1. Critical infrastructure (regardless of size):
   • Some sectors are affected regardless of the size of the company. This includes:
   • public administration
   • Public telecommunications services
   • Internet services (such as Internet service provider)
   • Critical digital infrastructures, such as online search engines and cloud computing services

2. Sectors with high criticality:
   • ‍Key sectors: energy, water, transportation, healthcare, and financial services. These sectors must comply with particularly strict safety standards.

3. Other critical sectors:
   • ‍Key sectors: This includes digital services such as online marketplaces, food production and distribution, as well as the waste management industry. Cultural institutions are also included, as they are important for social functionality.

Company size and its relevance:

• ‍Medium-sized companies: With 50 to 249 employees and a turnover of up to 50 million euros. They are affected when they work in critical sectors. ‍
• Large companies: With 250 or more employees and a turnover of over 50 million euros. These companies are almost always affected, especially when they operate in major or important sectors.

New sectors since NIS-1:

• Food production and distribution
• waste management
• digital services
• Cultural institutions and public administration

In order to determine whether a company is affected, several criteria should be considered simultaneously. To clarify your own concerns, it is recommended that you use the Federal Office for Information Security (BSI)'s impact assessment questionnaire. This is under https://betroffenheitspruefung-nis-2.bsi.de/ available and provides initial guidance.

Affected institutions will be required to file a registration with the competent authority. Depending on sector affiliation or criticality, there are further obligations, such as Reporting or verification requirements.

Implementation of the NIS 2 Directive

With the introduction of the NIS 2 Directive, many companies are confronted with considerable uncertainties, particularly with regard to the specific steps to implement the requirements. The complex nature of the Directive and the multitude of factors to be considered make it difficult to develop a clear action plan. A central approach to dealing with these uncertainties is to focus on established standards such as ISO 27001 or BSI's basic IT protection. These standards provide a structured framework for an information security management system and help companies to systematically implement security measures.

One possible approach for implementation is an asset-based risk approach. This involves taking a close look at every asset within a company and assigning corresponding risks. Assets are any valuable resource that processes, stores, or transmits information, including buildings, hardware, software, networks, databases, and people. Analyzing and managing these assets results in the necessary security measures. By identifying and evaluating the risks associated with each asset, companies can implement targeted protection mechanisms to effectively strengthen cybersecurity.

The asset-based approach offers several benefits:

1. Holistic overview: Companies receive a comprehensive overview of all information flows and can identify potential weak points at an early stage.

2. Focused measures: Through risk analysis, security measures can be specifically tailored to the identified risks, which increases the efficiency and effectiveness of the measures.

3. Continuous improvement: This approach promotes continuous improvement of security measures through regular reviews and adjustments of the information security management system. The idea of continuous improvement encourages companies not only to update existing security measures, but also to proactively manage new risks and refine security strategies.

Implementing such an approach requires resources, both in terms of personnel and technology. Nevertheless, it allows business processes to be specifically adapted to the requirements of the NIS-2 Directive. A GAP analysis can serve as an entry point to identify existing gaps in NIS 2 compliance and develop a detailed roadmap for implementation based on this.

It is important that security is understood as an essential part of the company's philosophy. It is a process that affects the entire company and not just the IT department. A safety-conscious mindset should be anchored throughout the organization in order to build a robust safety culture in the long term.

Key differences from frameworks and challenges

While both standards provide a solid basis for information security management, the NIS-2 Directive places additional emphasis on specific measures and processes.

One major difference is the extended reporting requirements. NIS-2 requires affected companies to report security incidents within a specified period of time, often within 24 to 72 hours. These fast response times require clear and effective incident management and response processes, which are not required to the same extent in ISO 27001 or basic IT protection.

NIS-2 also requires greater involvement of management in cybersecurity strategies to ensure that cybersecurity is seen as a strategic priority. This requirement applies to the entire company and requires a deeper integration of safety culture and processes into all areas of business.

In addition, NIS-2 requires a more comprehensive view of supply chain risks and their management. Companies must ensure that not only their own systems, but also those of their service providers and partners, are secure. These requirements are more specific and detailed than what is typically covered in ISO 27001 or basic IT protection.

Despite these additional requirements, companies can effectively respond to NIS 2 requirements with an information security management system based on ISO 27001 or basic IT protection. Both frameworks offer the flexibility and structure to make the necessary adjustments and integrations into existing security strategies and thus meet the extended requirements.

Relaxed for the future: Companies with strong information security are well prepared

The NIS-2 Directive brings comprehensive innovations and requirements to ensure that companies are more resilient to security incidents. However, for companies that have already established a solid information security culture and rely on standards such as ISO 27001 or basic IT protection, this adjustment is far less worrying. These organizations have already laid the essential building blocks to meet the new requirements and simply need to focus on specific enhancements, such as expanded reporting requirements and fine-tuning their security strategies.

The long-term benefits of a robust security infrastructure are significant. They not only promote trust in a company's cybersecurity practices, but also strengthen resilience against potential threats and ensure compliance with regulatory requirements. Organizations that have already implemented a strong information security management system can address NIS 2 requirements proactively and with peace of mind.

For affected companies, it is advisable to carry out a GAP analysis to identify potential gaps and to advance the optimization of existing security processes. The human factor remains decisive. Through continuous training and awareness raising, employees become a “human firewall,” which makes a decisive contribution to preventing threats and ensuring corporate security. In this way, companies that are already well positioned can sit back and concentrate on the many opportunities that a future-proof cybersecurity strategy offers.

In the upcoming second part of this series, I will dive deeper into the practical aspects of implementing NIS-2 requirements. I'll look at the challenges and strategies that can help you implement. Stay tuned to learn how you and your company can successfully shape the path to a robust cybersecurity strategy!