NIS-2 Directive:What is the best way for companies to implement cyber security requirements?

Author: Dr Markus Hülper, Attorney at Law

Increasing networking and digitalisation not only bring numerous benefits, but also considerable risks. Cyber attacks and IT security incidents can have a serious impact on companies and society. To counteract this, the EU’s NIS 2 Directive places increased demands on companies’ cyber security. The directive obliges a large number of companies in various sectors to take comprehensive security measures.

Germany has already taken measures to transpose the NIS 2 Directive into national law. The Federal Republic of Germany pursues a comprehensive approach that includes legal as well as technical and organisational measures. (You can read more about this in the article NIS 2 Directive: Implementation and current status in Germany)

Who is obligated?

The NIS 2 Directive applies to companies and organisations operating in certain critical sectors. The 18 sectors affected include, among others:

Energy

Healthcare

Manufacturing sector

Finance

Transport

Digital infrastructure and digital services

Public administrations

Food production and processing

These sectors were selected because they are considered to be particularly critical for the functioning of society and the economy. A failure or impairment of these sectors would have far-reaching consequences.

In total, around 30,000 institutions in Germany are affected by the NIS-2 Directive. In principle, the directive applies to companies with more than 50 employees or an annual turnover of more than 10 million euros. Smaller companies can also be affected if they are of particular importance to a sector. This means that a wide range of organisations will have to take measures to meet the requirements of the Directive.

And be careful: companies and public organisations must check for themselves whether they fall within the scope and proactively implement the required cyber security measures.

What are the requirements?

The NIS 2 Directive places a number of technical, operational and organisational requirements on the companies concerned, including

Registration

As soon as institutions have identified ‘critical’ areas, they must register themselves with the BSI as an ‘obligated institution’ once the implementation law comes into force. Important institutions and particularly important institutions must complete the registration within three months of entry into force.

Contact point

Companies must designate and operate a contact point for their critical areas and provide evidence of this to the BSI. Institutions must be reachable at all times via the contact point and fulfil their obligation to report significant IT faults.

Reporting obligations

Companies are obliged to report significant IT security incidents to the Federal Office for Information Security (BSI). The reporting deadlines are tight: a preliminary report must be submitted within 24 hours of becoming aware of the incident, a full report with an initial assessment within 72 hours, and a final report with a detailed description within one month. These strict guidelines are designed to ensure that security incidents are quickly recognised and reported so that effective countermeasures can be initiated.

Risk management

Companies must operate a comprehensive risk management system that also includes security in the supply chain. This includes documented risk analyses, concepts for the ongoing evaluation of measures taken as well as business continuity and emergency management. Systematic risk management helps to identify potential threats at an early stage and take appropriate measures to minimise risk.

Trainings

Regular cyber security training for management and employees is mandatory. These training courses are designed to raise awareness of secure behaviour when dealing with IT systems and ensure that all employees understand the importance of cyber security and act accordingly. E-learning tools can help to ensure that training measures are carried out regularly and comprehensively.

Technical and organisational measures

NIS-2 obliges companies to take technical and organisational measures to improve cyber security. This includes the use of state-of-the-art security technology, the implementation of security guidelines and procedures as well as regular effectiveness checks and tests of the security measures. These measures are intended to ensure that the IT infrastructure is robust and resistant to attacks.

What do companies need to look out for?

Various areas of the company are involved in the implementation of the NIS 2 Directive (IT, Compliance, Data Protection, HR, QM, etc.). Holistic risk management involving all stakeholders is therefore essential for companies. Companies should pay particular attention to the following points:

Compliance with reporting obligations

Compliance with the strict reporting deadlines is crucial in order to avoid sanctions. Companies should ensure that they have suitable contact points, reporting channels and responsibilities in place. A clear allocation of responsibilities and the establishment of efficient reporting processes are essential.

Integrated risk management

The NIS 2 requirements should be integrated into the company’s general risk management. A holistic approach facilitates implementation and ensures effective risk management. Synergies can be utilised and redundancies avoided through integration into existing risk management processes.

Training measures

Regular training is essential to raise awareness of cyber security and ensure compliance with security guidelines. E-learning tools can offer an efficient solution here to organise training measures flexibly and in line with requirements.

Documentation and verification

Companies must be able to document and prove compliance with security requirements in detail. This includes regular audits and the preparation of comprehensive reports. Seamless documentation is not only important for compliance reasons, but also serves as the basis for continuous improvements in the area of IT security.

Act now to avoid sanctions

The implementation of the NIS 2 Directive presents companies with considerable challenges, but also offers them the opportunity to strengthen their own cyber security and better arm themselves against threats. Companies should take the requirements of the NIS 2 Directive seriously and take the necessary measures in good time.

We are happy to support you in implementing the NIS 2 directive. We offer you comprehensive advice and practical assistance in implementing the necessary security measures, complying with reporting obligations and training your employees. Contact us to find out how we can help you successfully fulfil the requirements of the NIS 2 Directive and avoid sanctions.

Your personal contact

Matthias SchulzSenior Sales Manager

You might also be interested in these articles

cybersecurity Schloss
How legal departments reduce daily stress
Learn more
Surfing
How legal departments reduce daily stress
Learn more