The NIS2 Directive (Network and Information Systems Directive) represents a significant step towards strengthening cybersecurity in the EU. In addition to general obligations for companies in critical sectors, it defines ten basic requirements that should form the foundation of cybersecurity in the EU. These requirements form a comprehensive approach to minimizing risk and strengthening cybersecurity measures in all relevant areas.
The 10 minimum requirements of NIS2 in detail:
- Risk assessments and security policies: Organizations must conduct regular risk assessments of their information systems and define and implement security policies based on these results.
- Evaluation of security measures: The effectiveness of the implemented security measures must be regularly reviewed and evaluated through defined policies and procedures.
- Cryptography and encryption: Both sensitive data and communication must be protected by appropriate cryptographic procedures and encryption techniques.
- Efficient management of security incidents: Organizations must have processes in place to efficiently identify, report, respond to and remediate cybersecurity incidents.
- Secure procurement, development and operation: The entire supply chain of IT systems must be protected by appropriate security measures. This includes protocols for reporting security breaches.
- Cybersecurity training and practices: Employees must receive regular cybersecurity training and follow secure practices when handling IT systems and sensitive data.
- Access controls: Strict access controls must govern access to sensitive data and systems, granting access only to authorized individuals.
- Contingency plans: Companies must create contingency plans to maintain business operations during and after cyberattacks.
- Secure communications: Voice, video and text communications must be protected by multi-factor authentication and encryption.
- Supply chain security: Supply chain security must be strengthened through appropriate measures to address the vulnerabilities of direct suppliers.
Who is subject to the NIS2 Directive?
The NIS2 Directive must be observed by the following companies:
- Operators of critical infrastructure: This includes sectors such as energy, transportation, banking, financial market infrastructure, healthcare, drinking water supply and distribution, and digital infrastructure.
- Digital service providers: This includes online marketplaces, online search engines and cloud computing services.
- Public administration: Public institutions that provide essential services for the population are also affected.
Why NIS2 is important for ALL companies
NIS2 compliance is important for ALL businesses, regardless of whether the directive formally applies to them, because it provides a comprehensive framework for strengthening cybersecurity and minimizing the risk of cyberattacks. By implementing the NIS2 requirements, companies can
- Increase their business continuity: With contingency plans and rapid response mechanisms, companies can better maintain their business operations during cyber incidents and recover them faster afterwards.
- Protect their sensitive data: Implementing measures such as encryption and multi-factor authentication protects sensitive company and customer data from unauthorized access.
- Build trust: Customers and partners have more confidence in companies that have a proven track record of adhering to strict security standards.
- Secure competitive advantages: Companies that meet high security standards stand out from the competition and can win new customers as a result.
- Avoid legal consequences: NIS2 sets legal obligations. Non-compliance can lead to considerable penalties.
Strategic IT security and outsourcing
As a managing director, you are faced with the challenging task of constantly protecting your company from new threats. However, the risks are becoming increasingly complex and difficult to manage. NIS2 and/or DORA also increase the requirements that you have to take into account.
IT security must be thought through strategically and implemented with the right partners. Due to the high technical and regulatory requirements for IT security, there is a strong trend towards outsourcing IT operations, especially among small and medium-sized companies. The reasons are simple:
Outsourcing partners
- are specialized in professional IT operations,
- have the necessary know-how to ensure the required security standards,
- continuously invest in improving their systems and thus guarantee a consistently high level of security,
- ensure compliance with legal requirements and, in the case of financial service providers, with the additional regulatory requirements resulting from, among others, the EBA Guidelines or the German Banking Act (KWG), which are currently specified with extended requirements in DORA (for most financial service providers) and NIS2 (for all companies) via BAIT.
Choosing the right partner is crucial. We support you in mastering these challenges. We would be happy to advise you and provide you with a customized offer based on a few key parameters.
Conclusion:
The 10 minimum requirements of NIS2 provide a comprehensive framework for improving cybersecurity in the EU. ALL companies should comply with these requirements in order to achieve and ensure an adequate level of protection against cyberattacks. Implementing these requirements requires investment in personnel, processes and technology, but offers significant long-term benefits by strengthening cybersecurity resilience and reducing cybersecurity risks.