By Patrick Scholl, Head of Operational Technology, Infinigate
NIS2 – the Network and Information Security Directive – is a revision of the NIS Directive, which came into force in 2016, with the aim of strengthening cyber security resilience across the EU.
The revision tightens reporting requirements and introduces stricter control measures and enforcement provisions. By October 17th 2024, the NIS2 Directive will be a requirement across all EU member states. Despite the urgency, businesses still have many questions.
Distributors like Infinigate are committed to supporting the implementation of NIS2 by offering a broad choice of cyber security solutions and services in collaboration with vendors, such as Check Point.
Supporting NIS2 implementation
In Germany, as an example, NIS2UmsuCG, the local directive governing the implementation of the EU NIS2 to strengthen cyber security, is already available as a draft and defines EU-wide minimum standards that will be transferred into national regulation.
It is estimated that around 30,000 companies in Germany will have to make changes to comply. However, thus far, only a minority have adopted the measures mandated by the new directive. Sometimes, symbolic measures are taken with little effect. In view of the complexity of the NIS2 requirements, the short time in which they are to be implemented and the need for holistic and long-term solutions, companies need strong partners who can advise on how to increase their cyber resilience.
Who is affected?
The NIS2 directive coming into force in autumn 2024 will apply to organisations across 18 sectors with 50 or more employees and a turnover of €10 million. Additionally, some entities will be regulated regardless of their size — especially in the areas of ‘essential’ digital infrastructure and public administration.
The following industry sectors fall under the ‘essential’ category:
- Energy
- Transport
- Banking and finance
- Education
- Water supply
- Digital infrastructure
- ICT service management
- Public administration
- Space exploration and research
- Postal and courier services
- Waste management
- Chemical manufacturing, production and distribution
- Food production, processing and distribution
- Industry & manufacturing (medical devices and in-vitro, data processing, electronics, optics, electrical equipment, mechanical engineering, motor vehicles and parts, vehicle manufacturing)
- Digital suppliers (marketplaces, search engines, social networks)
- Research institutes
It’s worth bearing in mind that NIS2 regulations apply not only to companies, but also their contractors.
Good to know: The "size-cap" rule
The "size-cap" rule is one of the innovations that come with NIS2 and is intended to level out inequalities linked with varying requirements and risk profiles, budgets, resources and expertise. The regulation is intended to enable start-ups and medium-sized companies as well as large corporations to be able to implement the security measures required by NIS2.
You can get NIS2 compliance tips here: https://nis2-check.de/
NIS2 in a nutshell
In Germany, companies are required to register with the BSI (Federal Office for Information Security), for their relevant areas. A fundamental rule is that any security incidents must be reported immediately.
Across Europe, the strict security requirements mandated by NIS2 include the following:
- Risk management: identify, assess and remedy
Companies are required to take appropriate and proportionate technical, operational and organisational measures. A holistic approach should ensure that risks to the security of network and information systems can be adequately managed.
- Security assessment: a self-analysis
Security assessment includes questions such as: what vulnerabilities are there in the company? What is the state of cyber hygiene? What security practices are already in place today? Are there misconfigured accounts that could be vulnerable to data theft or manipulation?
- Access management: protecting privileged accounts
Companies subject to NIS2 regulations are encouraged to restrict the number of administrator-level accounts and change passwords regularly. This lowers the risk of network cyber security breaches threatening business continuity.
- Closing the entry gates: ransomware and supply chain security
One of the main concerns of the NIS2 directive is proactive protection against ransomware. Endpoint security solutions can help here. Employee training is another necessary step to create risk awareness and help identify and prevent cyber attacks.
The focus here should be on best practices in handling sensitive data and the secure use of IT and OT systems. Supply chain vulnerability is a major area of concern. Companies need to ensure that the security features and standards of the machines, products and services they purchase meet current security requirements.
- Zero tolerance strategy: access control and zero trust
In a world where corporate boundaries are increasingly blurred due to digitalisation, cloud infrastructures and decentralised working models, perimeter-based architectures have had their day. A zero trust concept provides multiple lines of defence, relies on strong authentication methods and threat analysis to validate access attempts.
- Business continuity: prepared for emergencies
Business continuity management measures are essential to ensure that critical systems can be maintained in the event of an emergency. These include backup management, disaster recovery, crisis management and emergency plans.
In summary, we should not let the complexity of the topic discourage us from taking action; after all, NIS2 is for our benefit, to help us protect our business assets from increasing cyber risk.
Businesses would be well advised to start on the route to assessing their security posture and current status vis-à-vis NIS2 requirements. You can make a start by simply identifying all relevant stakeholders in your organisation, starting a task-force and gathering intelligence on your cyber risk.
Identify key steps and build a roadmap to compliance that is manageable for your resources; your channel partners can help by providing expert advice https://page.infinigate.com/nis2-checkpoint.