The EU rules - you can too!

OVERVIEW

What will change due to NIS-2 directive?

We humans tend to avoid some issues. Of course we want unpleasant incidents to be prevented and for someone to take care of them. This doesn’t necessarily have to be a comic book hero from our childhood; we are happy for the responsibility to be passed on to the law.

But what if that happens? Then we are quickly annoyed by the fact that there is a new regulation. And perhaps rightly so, because generally formulated rules are usually well-intentioned, but in some cases they don’t fit quite as well as we would like.

We experienced this most recently in May 2018, when the GDPR came into force. Of course, we all want our data to be protected: from data-hungry companies, from large corporations, from advertisers and in general from anyone who has no business handling our personal information.

So was the GDPR a great idea? It certainly was. And are we ourselves annoyed when we have to document our own handling of customer data in records of processing activities and keep them constantly up to date? Definitely!

In a nutshell: What is defined as critical infrastructure (KRITIS)?

According to the German Federal Office for Information Security (BSI), “Critical infrastructures (KRITIS) are organizations and facilities that are important for the state community and whose failure or impairment would result in long-term supply bottlenecks, significant disruptions to public safety or other dramatic consequences.”

This includes the following sectors:

  • Energy
  • IT and telecommunication
  • Transportation and traffic
  • Health
  • Media and culture
  • Water
  • Food
  • Finance and insurance
  • Waste management
  • State and administration

THE SECURITY OF CRITICAL INFRASTRUCTURE

Another topic where we are “supposedly” pleased that the legislator is taking responsibility and creating a legal framework is the security of critical infrastructure. Of course we want essential infrastructure such as electricity suppliers to be adequately protected against hackers – after all, it’s about the security of us all.

Here, too, the EU responded back in 2016 with “Directive (EU) 2016/1148 of the European Parliament and of the Council of July 6, 2016 concerning measures for a high common level of security of network and information systems across the Union”(1). This makes us all safer, but it has become clear that the issue is important enough to tighten this directive further, both in terms of scope and requirements.

Network and information security 2 (NIS-2)

The successor directive 2022/2555 – known as NIS-2 – was published at the end of 2022(2). The original implementation deadline of 18.10.2024 was not met in Germany, but transposition is imminent and targeted for the end of the first quarter of 2025.

A lot will change then. One of the most important aspects is that significantly more companies will be affected. In addition to energy and transportation, the entire food industry, for example, will also be considered critical infrastructure. This means that a potato trader, for example, will have to adhere to the same requirements as the operator of a nuclear power plant. Many are still unprepared for this. It is estimated that around 30,000 companies are affected.

Am I affected? You can easily find that out. The Federal Office for Information Security (BSI) offers a quick self-test (German).

NIS-2 impact self test by the Federal Office for Information Security (BSI) (German)

Am I affected? What to do next?

If you are affected, the first thing to do is to keep calm. Yes, there are a lot of measures to take and many more things to document. And a first glance at the list of what needs to be done can be quite overwhelming. But it is doable.

Select measures for KRITIS:

  • Risk analysis
  • Security concepts
  • Implementation of measures to safeguard operational integrity
  • Disaster Recovery Plan (DR)
  • Business Continuity Plan (BCP)
  • Backup plan
  • Checking supply chains
  • Security procedures for sourcing, development and maintenance
  • Risk management
  • Cybersecurity training for staff and management
  • Implementation of encryption
  • Access control with least privilege
  • Multi-factor authentication (MFA)
  • Incident reporting
  • (Security Operations Center for KRITIS customers)

NIS-2 directive: We can assist you!

If you are in need of support, don’t be afraid to talk to us. We can help you implement the necessary procedures in three phases:

  1. Phase 1: Taking inventory. Which documents and measures already exist? What is missing?
  2. Phase 2: Support during implementation. We support and advise your team during implementation in the weeks following the inventory.
  3. Phase 3: Final acceptance. We look through everything again and check for completion.

CHRISTOPH ENDRES
CEO
sequire technology
