Implement the NIS-2-Directive in a Structured Manner – Monitor Everything Centrally with HiScout

The European NIS-2-Directive (Directive (EU) 2022/2555, the Network and Information Security Directive) is a significant further development of the original NIS Directive (Directive (EU) 2016/1148). Compared with its predecessor, the NIS-2-Directive broadens the scope to more sectors and entities, harmonises the requirements more strictly across member states and, in view of the growing threat landscape, places much greater weight on cybersecurity risk management and cyber hygiene.
Why the New NIS-2-Directive?
Advancing digitalisation in society, the economy and public administration increases the risk of falling victim to cyber-attacks. Cyber-attacks are rising sharply worldwide, are being intensified by current conflicts, and cause damage running into the billions. They can not only cause existentially threatening damage to private-sector companies, but can also destabilise states and constitute a direct attack on democracy.
The European Union (EU) wants to counteract this. The NIS-2-Directive is a European initiative to strengthen cybersecurity within the EU. It aims to better prepare organisations to protect themselves against cyber threats and to make network and information infrastructure across the entire EU more secure and resilient. As a directive, NIS-2 is not directly applicable; its requirements must be transposed into national law by each EU member state. In Germany, this is done via the “NIS-2 Implementation and Cybersecurity Strengthening Act” (NIS2UmsuCG), which is scheduled to enter into force in mid-October 2024, corresponding to the transposition deadline of 17 October 2024 set by the directive.
Important Terms Relating to NIS-2
The NIS-2-Directive includes various terms and acronyms that are essential for understanding the new regulations:
- NIS-Directive: Network and Information Security Directive, Directive (EU) 2016/1148 (directive with minimum harmonisation, i.e. member states may go beyond its requirements)
- KRITIS: Critical Infrastructure
- CER-Directive: Critical Entities Resilience Directive (directive with minimum harmonisation)
- CRA: Cyber Resilience Act (legal act with full harmonisation)
- UBI: Unternehmen im besonderen öffentlichen Interesse, companies of special public interest
- NIS2UmsuCG: NIS-2-Umsetzungs- und Cybersicherheitsstärkungsgesetz, the German NIS-2 Implementation and Cybersecurity Strengthening Act
- Institution: NIS-2 applies to companies and public bodies alike; “institution” (in the directive: “entity”, German “Einrichtung”) is used as the umbrella term for both
Who must Implement the NIS-2-Directive?
The NIS-2-Directive introduces uniform rules for medium-sized and large organisations in 18 sectors, which are divided into “sectors of high criticality” (Annex I) and “other critical sectors” (Annex II). Compared with the original NIS Directive, seven new sectors have been added, including public administration, research and manufacturing.
Whether an organisation is covered depends on its size (the EU “size-cap” rule, based on the EU SME definition) and on its sector. As a rule, only medium-sized and large entities in the listed sectors are in scope; smaller entities are covered only in specific cases, for example operators of critical infrastructure, regardless of their size.
The ”very important“ (essential) category includes companies and organisations that operate in a sector listed in Annex 1 NIS2UmsuCG and are large enterprises, i.e.
- with at least 250 employees, or
- with an annual turnover of over 50 million euros and an annual balance sheet total of over 43 million euros,
OR
operators of critical installations (KRITIS), regardless of company size.
The ”important“ category includes companies and organisations that operate in a sector listed in Annex 1 or 2 NIS2UmsuCG, do not already fall into the ”very important“ category, and are at least medium-sized enterprises, i.e.
- with at least 50 employees, or
- with an annual turnover of over 10 million euros and an annual balance sheet total of over 10 million euros.
All organisations operating in these sectors that fall within the scope of the NIS-2-Directive must comply with the new legal provisions. These cover higher IT security standards, tightened incident reporting obligations, and cooperation with and support of the competent authorities in the event of security incidents. In Germany, the NIS-2-Directive is expected to affect around 30,000 companies.
You can find out whether your organisation falls under the NIS-2-Directive using, for example, the NIS-2-Compass of HiSolutions AG.
NIS-2 – Risk Management Requirements
In Chapter IV, Article 21, the NIS-2-Directive requires essential and important entities to take ”appropriate and proportionate technical, operational and organisational measures“ to manage the risks posed to the security of their network and information systems. These measures must follow an all-hazards approach and include at least the following:
a) policies on risk analysis and information system security;
b) incident handling;
c) business continuity, such as backup management and disaster recovery, and crisis management;
d) supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers;
e) security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure;
f) policies and procedures to assess the effectiveness of cybersecurity risk-management measures;
g) basic cyber hygiene practices and cybersecurity training;
h) policies and procedures regarding the use of cryptography and, where appropriate, encryption;
i) human resources security, access control policies and asset management;
j) the use of multi-factor authentication or continuous authentication solutions, secured voice, video and text communications and secured emergency communication systems within the entity, where appropriate.
Structured Implementation of the NIS-2-Directive with HiScout
Companies and organisations now face the challenge of implementing the measures required by the NIS-2-Directive. It is therefore more important than ever not to tackle the individual topics in isolation, but to adopt a strategic and comprehensive approach, which also includes complete and consistent documentation. This is where the HiScout GRC Suite comes in. The software supports those responsible in coordinating the implementation of their NIS-2 compliance end to end. It offers an extensive risk catalogue with the resulting protection requirements and implementation measures, so that managers can monitor compliance status and risks comprehensively.
The HiScout GRC Suite already covers a large part of the NIS-2 requirements and thereby supports companies and organisations in implementing the directive. Those responsible have the complete documentation they need as evidence of NIS-2 compliance, including risk management, incidents, measures and other NIS-2-related tasks, centrally in one place.
We have summarised the specific requirements that can already be implemented with the HiScout GRC Suite:
- Point a) and “identify vulnerabilities” from point e)
  - Definition of process chains (through protection requirement assessments / Business Impact Analysis)
  - Inventory of assets (structural analysis)
  - Conducting a Business Impact Analysis (BIA)
  - Creating a Corporate Compliance & Governance Inventory
- Points e), g), h), i), j)
  - Activating an emergency environment in cyber crisis exercises (part of BCM exercises)
  - Ensuring security and continuity awareness and training (exercising and testing in BCM)
  - Development of a complete, comprehensible and scalable security control framework (GRC Suite)
  - Training to improve responsiveness / security incident handling (exercising and testing in BCM)
- Point d) and “identify vulnerabilities” from point e)
  - Gap analysis through target/actual comparison (BCM)
  - Technical audits (Audit Management, ISO 27001)
  - Threat simulations, adversary emulation
  - BCM exercising and testing
  - Cross-process BC and DR tests
- Points b), c) and f)
  - Business continuity plans (BCM)
  - Analysis and prioritisation of business processes (BCM)
  - Setting up, forming and moderating crisis management and emergency teams (BCM/BAO)
  - Implementation of emergency measures and workarounds (in IT-Grundschutz (Basic Protection): proof of implementation)
  - Risk management measures in the area of cybersecurity (status/effect)
- Point g)
  - Restart planning / recovery planning (process documented in BCM)
The NIS-2-Directive places high demands on companies, especially in the areas of cybersecurity and cyber hygiene. HiScout provides a comprehensive management suite for implementing these requirements effectively. From risk analysis and business continuity to supply chain security, HiScout is your partner for implementing the NIS-2-Directive.
With the HiScout GRC Suite and its integrated reporting, you can not only demonstrate compliance with the requirements of the NIS-2-Directive, but also create a secure and transparent digital environment. With our expertise and technology, we enable organisations to build a robust cybersecurity framework, minimise risks, ensure business continuity and protect critical services.
We would be happy to assist you with the implementation of the NIS-2-Directive!