The NIS-2 Directive: How Companies Can Implement It Effectively
On October 17, 2024, the EU's NIS-2 Directive comes into effect. Its aim is to make organizations more resilient to cyber attacks. Affected companies need to implement a range of measures to meet the growing requirements and minimize risk in an increasingly digital world. But which specific measures are necessary? The following checklist gives companies a clear overview of the key steps for implementing NIS-2.
What is NIS-2?
The NIS-2 Directive builds on the original NIS Directive (Network and Information Security) from 2016 and extends the scope and security requirements for companies. Its main goal is to increase the resilience of socially relevant organizations against cyber threats and to establish a unified cybersecurity strategy in the EU. By October 2024, EU member states must transpose the NIS-2 Directive into national law, and companies are obliged to adhere to these new requirements.
The Eight Key Measures for Implementing NIS-2
1. System Inventory
The first step for any company is to create a complete inventory of all IT systems and corporate assets. This system inventory and asset management form the basis for identifying and managing cyber risks. Companies need to know which systems are critical and how they can be protected against misuse or theft.
2. System Monitoring
Companies are required to implement Intrusion Detection Systems (IDS) to detect and prevent potential cyber attacks early on. Measures such as pentesting, security audits, log monitoring, and compliance monitoring should be part of a comprehensive security management approach, so that companies can respond to an attack without delay.
3. Vulnerability Management
Vulnerabilities in IT systems are often the entry point for cyber attacks. Companies must implement a systematic Vulnerability and Patch Management process to address known security gaps and minimize future risks. Relying on Excel spreadsheets to track vulnerabilities is inadequate, especially in complex IT environments.
4. Awareness and Training
In addition to technical measures, staff awareness is a critical aspect of cybersecurity. Companies need to create policies for the secure handling of data, provide training, and ensure that employees are comfortable with security requirements such as Multi-Factor Authentication (MFA).
5. Transparency
To minimize security risks, companies should monitor their IT systems with tools like Endpoint Detection and Response (EDR), Network Detection and Response (NDR), and Security Information and Event Management (SIEM). These tools provide transparency regarding which systems are in use and ensure that all devices within the company are checked for vulnerabilities.
6. Emergency Plans
The NIS-2 Directive requires companies to create emergency plans and ensure that they actually work in the event of a crisis. Response measures must be clearly defined, and reporting obligations, such as reporting a cyber incident within 72 hours, must be observed. Additionally, sensitive data on mobile devices must be secured to prevent unauthorized access.
7. Communication Channels
A successful response to cyber incidents requires a clear communication strategy. Companies must ensure that staff know how to behave in an emergency. Regular training, clear behavioral guidelines, and coordinated emergency plans contribute to handling security incidents efficiently and in a controlled manner.
8. Supply Chain Risks
In an increasingly connected world, companies must also ensure the security of their supply chains. It is essential to implement Zero Trust principles and enforce Multi-Factor Authentication in collaboration with suppliers and partners. External service providers that access IT systems must also be included in the risk management process to minimize vulnerabilities in the supply chain.
Conclusion
The NIS-2 Directive presents significant challenges for companies but also clear requirements to improve their cybersecurity. The consistent implementation of the above measures – from system inventory and vulnerability management to communication and emergency planning – is key to meeting the new requirements.
To reliably implement the directive, companies must:
assess how they are affected by the NIS-2 requirements,
analyze existing measures for their effectiveness,
prioritize implementation and provide financial and human resources for it,
define clear roles and responsibilities,
and document all measures and regulations in detail.
This ensures that companies not only meet legal requirements but are also prepared for the growing threat landscape in cyberspace in the future.