In an increasingly digitalized world, cyber security is becoming ever more important. The European Union has responded to this by adopting the NIS2 Directive (Network and Information System Security 2). But what does this mean in concrete terms for companies and how can they meet the new requirements? This article provides an overview and practical insights.
What is NIS2?
NIS2 is the successor to the original NIS Directive from 2016 and was developed to take cybersecurity in the EU to a new level. The directive significantly expands the scope and places stricter requirements on companies and organizations.
Main objectives of NIS2
- Strengthening cybersecurity in the EU
- Improving the resilience of critical infrastructures
- Harmonization of cybersecurity standards in all EU member states
- Promoting a culture of risk management
- Improving the exchange of information between Member States
Who is affected?
NIS2 significantly expands the group of affected companies. In addition to critical infrastructures such as energy, transport and healthcare, sectors such as:
- Digital infrastructure (e.g. cloud providers, data centers)
- Public administration
- Space
- Postal services
- Waste management
- Chemical industry
- Food production
also fall under the directive. The size of the company also plays a role: medium-sized and large companies in these sectors must meet the NIS2 requirements.
Technical requirements
NIS2 places specific technical requirements on the companies concerned:
- Risk management: Implementation of comprehensive cybersecurity risk management
- Incident reporting: Reporting cyber security incidents within 24 hours
- Supply chain security: Ensuring cyber security throughout the supply chain
- Encryption: Use of strong encryption technologies
- Access controls: Implementation of strict authentication mechanisms
- Network segmentation: Separation of critical systems from the Internet and other network areas
- Patch management: Regular and timely updating of systems and software
- Backup and disaster recovery: Regular backups and disaster recovery plans
Solutions and examples
To meet the NIS2 requirements, companies can take the following measures:
- Implementing a risk management framework
Example: Introduction of the NIST Cybersecurity Framework, which structures an organization's cybersecurity activities into the functions Identify, Protect, Detect, Respond and Recover.
- Introducing Security Information and Event Management (SIEM)
Example: Implementation of Splunk or IBM QRadar for real-time monitoring and analysis of security events.
- Use multi-factor authentication (MFA)
Example: Use of Google Authenticator or Microsoft Authenticator for an additional layer of security when logging in.
- Strengthen encryption
Example: Use of AES-256 for data encryption and implementation of TLS 1.3 for secure communication.
- Implement network segmentation
Example: Use of VLANs or micro-segmentation with technologies such as VMware NSX to isolate critical systems.
- Automated patch management
Example: Use of tools such as Microsoft SCCM or Ansible for the automated distribution and installation of security updates.
- Supply Chain Risk Management
Example: Carrying out regular security audits of suppliers and integrating security requirements into contracts.
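The "Strengthen encryption" item above names TLS 1.3 and AES-256 but says nothing about how to confirm that a deployment actually enforces them rather than merely documenting them. The following Go program is an added example written for this article, not code from the original text or from any vendor mentioned in it. It builds a server that refuses every handshake below TLS 1.3, proves over a loopback connection that a current client negotiates TLS 1.3 while a client capped at TLS 1.2 is turned away, and wraps AES-256-GCM so that stored records carry a fresh random nonce and are rejected when a single byte is altered. The self-signed certificate, the host name `nis2-demo.internal` and any key material are constructed placeholders; a production system uses CA-issued certificates and keys from a key-management service. Only the Go standard library is used.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"errors"
	"math/big"
	"time"
)

// selfSignedCert creates a throwaway certificate (placeholder host name) so the handshake runs offline.
func selfSignedCert() (tls.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		DNSNames:     []string{"nis2-demo.internal"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: priv}, nil
}

// StrictServer is the hardened setting: every handshake below TLS 1.3 is refused.
func StrictServer(cert tls.Certificate) *tls.Config {
	return &tls.Config{Certificates: []tls.Certificate{cert}, MinVersion: tls.VersionTLS13}
}

// ClientPinnedTo trusts only the server's own certificate; maxVersion lets a legacy TLS 1.2 client be simulated.
func ClientPinnedTo(cert tls.Certificate, maxVersion uint16) *tls.Config {
	leaf, _ := x509.ParseCertificate(cert.Certificate[0]) // DER produced by CreateCertificate above; cannot fail
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return &tls.Config{RootCAs: pool, ServerName: "nis2-demo.internal", MaxVersion: maxVersion}
}

// NegotiatedVersion performs a real handshake over loopback TCP and returns the agreed
// protocol version, or the error that aborted the handshake.
func NegotiatedVersion(server, client *tls.Config) (uint16, error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", server)
	if err != nil {
		return 0, err
	}
	defer ln.Close()
	go func() { // one-shot server: accept, handshake, hang up
		if conn, err := ln.Accept(); err == nil {
			conn.(*tls.Conn).Handshake()
			conn.Close()
		}
	}()
	cli, err := tls.Dial("tcp", ln.Addr().String(), client)
	if err != nil {
		return 0, err
	}
	defer cli.Close()
	return cli.ConnectionState().Version, nil
}

// AES256GCM builds the at-rest AEAD; the key must be exactly 32 bytes, which is what makes it AES-256.
func AES256GCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256 requires a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal prepends a fresh random 96-bit nonce to the ciphertext and authentication tag.
func Seal(aead cipher.AEAD, plaintext []byte) []byte {
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic("entropy source failed: " + err.Error())
	}
	return aead.Seal(nonce, nonce, plaintext, nil)
}

// Open reverses Seal; a truncated or altered record fails instead of decrypting to garbage.
func Open(aead cipher.AEAD, sealed []byte) ([]byte, error) {
	if len(sealed) < aead.NonceSize() {
		return nil, errors.New("sealed data too short")
	}
	return aead.Open(nil, sealed[:aead.NonceSize()], sealed[aead.NonceSize():], nil)
}
```

Called from a test or a `main`, `NegotiatedVersion(StrictServer(cert), ClientPinnedTo(cert, tls.VersionTLS13))` returns `tls.VersionTLS13`, and the same call with `tls.VersionTLS12` returns an error because the server sends a protocol-version alert instead of completing the handshake. The same idea applied to a real listener, a handshake attempt with a deliberately capped client, is a cheap piece of compliance evidence: it shows the configured minimum is enforced on the wire, not only written in a policy.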
Timetable for implementation
The EU member states have until October 2025 to transpose the NIS2 Directive into national law. However, companies should start preparing now in order to be compliant in time.
Conclusion
The NIS2 directive presents companies with new challenges, but also offers them the opportunity to improve their own cyber security in the long term. By implementing robust security measures, companies can not only comply with legal requirements, but also strengthen their resilience to cyberattacks and the trust of their customers. NIS2 implementation requires investment and resources, but in the face of increasing threats from cybercrime, it is a necessary step towards securing Europe's digital future.