New EU Security Directive: How to prepare for NIS 2
Health, education, public authorities – cyber criminals are increasingly targeting new areas of public life. There is no doubt that it is time to regulate cyber security more strictly across Europe. The new EU Directive NIS 2 (Network and Information Security 2) does this for the essential and important areas of public services. Companies should now consider how they want to prepare their IT for this.
The disclosure of vulnerabilities in the network requires the monitoring of incoming and outgoing network traffic.
NIS 2 aims to define measures for a high common level of cyber security. The legislators in the individual countries must transpose the directive published in December 2022 into national law by 17 October 2024. The precise content of those national laws remains unclear. The GDPR (EU General Data Protection Regulation) likewise hardly prescribed any specific technical measures when it came to implementing European data protection requirements.
Only one thing is currently certain: the number of companies affected will increase, as will the requirements for IT security. Higher penalties for companies may have two consequences: IT insurers will raise the bar even higher before issuing a policy, and they will also endeavour to exclude certain types of damage from cover altogether. Hackers may try to demand maximum ransoms as long as these remain below the threatened higher penalty. MSSPs (Managed Security Service Providers) and specialised IT distributors should be prepared for increasing demand for services and consulting expertise. Two questions arise above all:
Question 1: Are the new rules relevant for my company?
Many managers think that their company does not play a significant or important role in public supply within the meaning of NIS 2. Of an estimated 3.4 million companies in Germany (as of 2021), NIS 2 is not relevant for around 3.3 million due to their small size (fewer than 50 employees). However, there are at least around 90,000 other companies with more than 50 employees that could fall within scope due to their size and corresponding turnover.
According to the founder and CEO of Hisolutions, Timo Kob, “around 80 per cent of companies do not know that they are affected by NIS 2.” In his judgement, the requirements are likely to apply to an additional 40,000 German companies. This means that NIS 2 will soon be relevant for the companies that qualify by company size alone; following the above calculation, it will be new territory for almost every second of these organisations.
In addition, those affected in the future will come from a wide variety of sectors. NIS 2 distinguishes between essential and important sectors. Essential sectors do not just include utilities in the narrower sense (critical infrastructure). In IT, digital infrastructure operators and managed service providers are already listed as essential. The list of important companies goes even further: in IT, these include manufacturers of electronics and computers, digital marketplaces, social networks and search engines, research institutes, large parts of production, electronics, food, chemicals, vehicle construction, medical products, mechanical engineering and postal services.
MSSPs will therefore have to be prepared for more enquiries from these companies. This will open up new opportunities for their service business. But they will need a suitably competent workforce or external help.
Original article link: https://www.connect-professional.de/security/wie-man-sich-auf-nis-2-vorbereitet.326344.html