Cyber Defence: Why NIS2 is a must (InfoGuard Newsletter)

NIS2 – Cyber Defence is a Must, not only for KRITIS

The risk of cyber attacks such as DDoS, ransomware and phishing is increasing, and attackers are increasingly targeting companies in the DACH region. Only those who can quickly detect a cyber attack and react to it immediately will survive a security incident without major damage. This is why rapid detection and response has been given greater weight in the revised NIS2 directive. In this article we show you why engaging with this EU directive is worthwhile, even for companies outside the EU.

Given the increasing prevalence of cyber attacks, also on critical infrastructures (known as “KRITIS” in German), companies absolutely must adopt an improved position when it comes to their own cyber resilience. The revised NIS2 (Network and Information Security) EU directive relating to the security of network and information systems is an important impetus towards increasing the general level of security and should not be seen simply as a means for meeting regulatory requirements. Instead, it forms a part of a comprehensive approach to corporate responsibility. Even though the NIS2 is essentially aimed at European organisations, it is also important for Swiss companies to be guided by the associated security measures.

NIS2 aims to increase security at KRITIS

With its revised NIS2 directive, the successor to the NIS1 directive, the EU is tightening the cyber security requirements for KRITIS. Under NIS1, KRITIS operators such as electricity and water supply companies, the financial sector, the healthcare sector and digital service providers within the EU were already required to implement appropriate state-of-the-art technical, operational and organisational security measures to adequately protect themselves against cyber attacks.

With the new NIS2 directive, which entered into force at the beginning of the year, the EU is reacting once again and will significantly tighten the cyber security requirements for KRITIS. This time, more sectors are covered than under NIS1: further “critical sectors”, including postal and courier services, waste management and food producers, have been added to the previous “high criticality sectors”. In addition, the group of addressees will be expanded to include companies that employ at least 50 people and have an annual turnover of more than € 10 million. This means that SMEs are now also affected.

In future, CEOs or board members can be held accountable for non-implementation. We have prepared a helpful checklist (in German) to ensure that you can fulfil your duties as a board member. This provides you with the perfect basis for an independent self-assessment of your cyber resilience.


Beyond this, NIS2 also significantly expands the required security and detection measures.

Stricter reporting requirements for security incidents

In order to reduce the response time to cyber attacks, incidents must be reported to the competent national authority within 24 hours of becoming known. In future, incidents in which the availability of data or services is restricted must also be reported. The affected organisation must additionally be able to submit a final report on the case no later than one month after the initial notification.

Such a response time can only be maintained through continuous monitoring, the correlation of security alerts and the sound analysis of indicators of compromise. Today, well over 250 customers from the DACH region already rely on the services of our Cyber Defence Center in Switzerland.

Strengthened risk management

NIS2 tightens the requirements for the minimum technical, operational and organisational measures and extends them from the “high criticality sectors” to the further “critical sectors”. These measures include risk analysis and security concepts for IT systems, the management of security incidents, backup and crisis management, as well as procedures for evaluating the effectiveness of an organisation's own risk management measures.

Key practices should include, but are not limited to, zero trust principles, regular software updates and appropriate network segmentation. Furthermore, sufficient identity and access management as well as multi-factor authentication (MFA) are essential for a sustainable security strategy in terms of the NIS2 directive. At the same time, employees should be sensitised to and trained in the increasing cyber threats. In essence, these measures are nothing new and have been established as good practice for many years. The challenge is to implement them and periodically check their effectiveness, be it with vulnerability scans, security assessments, targeted penetration tests or simulated cyber attacks.

Securing the supply chains

Without effective protection of the entire supply chain, even the best protection of an individual company is of little use. NIS2 therefore requires operators to define security requirements for their service providers and suppliers. In addition, businesses must ensure that suppliers comply with these requirements through service level agreements (SLAs) or periodic audit mechanisms. This requirement is very much in line with the revised version of the NIST CSF.

Supply chain attacks are a real threat. The chain reaction that could be triggered by a successful attack on a single supplier can endanger an entire network of suppliers and thus the value chain – which could have particularly devastating consequences for “high criticality sectors” and “critical sectors”. We have already taken a closer look at this topic in an earlier article and drawn up appropriate tips for you.

Strengthen your cyber defence measures – not only in terms of NIS2

Cyber attacks will continue to rise and cause increasing numbers of emergency situations as cyber criminals use ever-more modern tools and sophisticated methods – the keyword here is “generative artificial intelligence”. A comprehensive security concept should therefore go beyond reactive defence and cover the entire security lifecycle: from prevention to active protection to guaranteeing or – in the event of an incident – restoring business operations and data.

Ultimately, each company should carefully consider which measures are necessary in order to comply with the requirements of the NIS2 directive and thus maintain an appropriate level of security. Early implementation provides the opportunity to quickly identify risks and counter them with the right measures. After all, cyber security is not merely a legal requirement, but is in the companies' own interest.

Involve external cyber security experts at an early stage

In the context of the NIS2 Directive adopted by the EU, member states now have until October 2024 to transpose the requirements into national law. The organisations concerned should therefore start implementing the necessary measures at an early stage. Companies subject to NIS2 should also ensure that they have sufficient (and qualified) resources to successfully meet all requirements for implementation. For example, they also need to ensure that external support is available when needed. We therefore recommend contacting an external security service provider at an early stage. To help you meet your NIS2 requirements, InfoGuard has over 200 experts at your disposal, be it with our Risk Management & Compliance Services or 24/7 Cyber Defence & Incident Response Services from our ISO 27001-certified Cyber Defence Center in Switzerland.

Would you like to establish where you stand in terms of NIS2 compliance? Our NIS2 Gap Analysis provides you with the necessary transparency. Our security experts will uncover gaps in all NIS2 topic areas, evaluate them and make prioritised recommendations for action. You will receive a report that summarises everything in detail and is then discussed with you. Do not hesitate to contact us; we will be happy to help you.


About the author: Reinhold Zurfluh

InfoGuard AG - Reinhold Zurfluh, Head of Marketing, Member of the Management
