
The implementation of NIS-2 into national law is still pending in Germany.

From the EU’s perspective, all member states should have transposed the “NIS-2 Directive” into their national law long ago. Official information on this subject is primarily available from the Bundesamt für Sicherheit in der Informationstechnik (Federal Office for Information Security, “BSI”).

News from the EU

The European Union Agency for Cybersecurity (ENISA) recently published another document related to NIS-2: “NIS2 Technical Implementation Guidance.” Anyone who would like to start looking at specific implementations for NIS-2 in Germany should take a look at this document.

Although there may still be changes to the requirements on the national side as the legislation is transposed into German law, it can be assumed that the basic content and concepts (which are being developed at EU level for NIS-2) will essentially remain the same at the national level. The new EU document deals in particular with methodological requirements for achieving compliance with “NIS-2.”

Contents of the ENISA document

In addition to scope limitations, the document contains explanations of the following technical and methodological requirements:

  • Network and information system security policy,
  • Risk management policy,
  • Incident handling,
  • Business continuity and crisis management,
  • Supply chain security,
  • Security in the procurement, development, and maintenance of network and information systems,
  • Guidelines and procedures for assessing the effectiveness of cybersecurity risk management measures,
  • Basic cyber hygiene practices and security training,
  • Cryptography,
  • Human resources security,
  • Access control,
  • Asset management and
  • Physical and environmental security.

What stands out?

If you take a closer look at the document content and have already dealt with standards and frameworks for information security in advance, you will also recognize the “high-level” requirements for an information security management system (ISMS) here.

NIS-2 cannot be viewed as a “pure IT problem” either, but rather describes a task for all areas of an organization. Of course, it can be made a pure “IT problem” if, for example, the supply of electricity for IT devices, the hiring of IT personnel, the procurement of IT devices, etc. are fully shifted to IT. This would eliminate the need for a building management department, a human resources department, or a purchasing department within the organization, as they would have become redundant in the context of the “expanded IT department.”

But joking and irony aside, information security and its holistic management remain a comprehensive task for the institutions and organizations concerned.

Impact on organizations

Of course, there is no such thing as a completely, “100%” cyber-secure organization. But with a good starting point, the requirements for achieving an acceptable level of security can be implemented without impossibly high costs. Some companies become part of a supply chain that imposes cybersecurity requirements on them, while other organizations may be subject to regulation (in Germany: “NIS-2” or “KRITIS”). The most favorable starting point is, of course, to address the issue of cybersecurity on your own initiative.

Who has an easier time implementing it?

Organizations that have already established an ISMS will find it easier to implement the requirements imposed on them by NIS-2. In many cases, the requirements of NIS-2 will first be mapped onto existing and implemented requirements of the already established ISMS in order to identify possible gaps or “blind spots.” It is likely that compliance with NIS-2 can be achieved with few changes to the existing ISMS.

If an ISMS has not yet been established, an established and well-functioning process management system and a corporate culture that can respond efficiently to change will be very helpful for organizations.

What might the first steps look like?

“Many roads lead to Rome.” We recommend first creating an overarching document, often referred to as a “guideline” or “information security policy document.” If you manage this step well, sensitize stakeholders, and “get them on board from the start,” you will have a starting point for all further processes involved in establishing an ISMS.

The next step is to implement risk management. This often consists of describing a procedure and ultimately mapping out the risk management process. This “mapping” often takes the form of a data collection or list of identified risks that are addressed after identification. Perhaps your organization already has a risk management system in place that can be expanded to include information security.

Conclusion

Getting started is important!

NIS-2 gives greater importance to governance at the corporate management level and awareness as a management responsibility. NIS-2 will sensitize some corporate management teams not only to the topic of counter-espionage (“Where do I store my sensitive information?”) but also to potential liability risks.

However, waiting for the NIS-2 Directive to be transposed into national law in Germany means losing valuable time. Resource bottlenecks already exist today, especially if you need to acquire skills and expertise within your organization or want to purchase additional resources from service providers.

The reason is obvious. First, you need to know and be able to implement the “state of the art”; second, regulation in the field of cybersecurity is constantly increasing; and third, the technical and organizational landscape is constantly evolving. Remote working has become increasingly prevalent in recent years, and blockchain, cloud, artificial intelligence, zero-trust concepts, and quantum-secure cryptography are hot topics. Experts in these complex fields are therefore somewhat scarce.