The new NIS2 directive for optimised cybersecurity for networks and information systems of critical and important infrastructures in EU member states must be implemented by 17 October 2024. It replaces the previous NIS Directive.
Who is affected by NIS2?
NIS2 primarily affects medium-sized and large companies with 50 or more employees or an annual turnover/balance sheet of more than €10 million. However, small companies may also be covered, for example, as suppliers or if they are essential for the maintenance of critical social or economic activities.
The updated Directive aims to improve the cyber resilience and security incident response of public and private organisations in the EU. As such, the requirements may be of interest to any organisation seeking to improve its cyber defences and protect its business continuity.
The Austrian Federal Economic Chamber (WKO) has published a guide that Austrian companies can use to find out whether they are affected by NIS2 and therefore obliged to implement it: WKO Online Ratgeber zur Cybersicherheitsrichtlinie NIS 2 (German).
How can NIS2 be met?
Once the extent of the impact has been clarified – according to the OCG, current estimates assume more than 3,000 affected organisations instead of the previous 99 – responsibilities and resources should be defined within the company.
Legal, organisational, and technical aspects need to be considered when implementing the NIS2 directive. “A good Information Security Management System (ISMS) is a solid basis that can already cover many of the NIS2 requirements,” says Herbert Dirnberger, industrial cyber security expert at IKARUS Security Software: “ISO 27001 is also a good basis for companies that do not need or are not aiming for certification to approach the introduction of an ISMS in a structured and sustainable way.”
Implementing ISO 27001 is a challenge. SMEs often face implementation problems due to a lack of resources and expertise. “For many companies, CISIS12, formerly ISIS12, could be an interesting alternative,” recommends Dirnberger.
ISO 27001 and CISIS12 define and structure IT security measures
CISIS12 is an information security management system with clear recommendations for action in 12 steps. It is specifically tailored to the needs of SMEs and can be implemented using a manual or with the help of certified consultants. “The rules are structured in such a way that it is easy to switch to ISO 27001 if a greater need for security is identified at a later stage,” explains Dirnberger.
ISO 27001 was revised last year. The new version ISO 27001:2022 comes into force in October 2025 after a transition period of 36 months and is to be used as a basis. Compared to the previous standard, it places a stronger focus on cyber security, data protection and cloud security. It follows a clear structure and defines 37 Organisational Controls, 8 People Controls, 14 Physical Controls and 34 Technological Controls.
Which technical measures support NIS2?
One example of a basic technical cyber security measure is the creation of (dynamic) asset inventories that record all devices, protocols, and communication connections in the network. Only with visibility of all OT assets, their connections and their reachability is comprehensive risk analysis and vulnerability management possible. These measures are also part of a best-practice supply chain security strategy.
Anomaly detection using artificial intelligence (AI) and behaviour-based analytics can serve as an early warning system against cyber-attacks, and it can also expose misconfigurations or insider threats. This is particularly relevant in environments where routine patching is not possible, and it also provides a layer of protection against zero-day attacks.
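The two measures just described, a passively built asset inventory and behaviour-based deviation detection on top of it, can be shown in one small program. The example below is added here and is not code from the article or from IKARUS Security Software; the flow records, the IP addresses and the five-field flow layout (timestamp, source, destination, protocol, destination port) are constructed assumptions standing in for the NetFlow/IPFIX or span-port data a real OT monitoring sensor would consume. A learning window produces the inventory; a later observation window is then checked for devices, protocols and connections that were never seen during learning.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Assumed flow layout: (epoch_seconds, src_ip, dst_ip, protocol, dst_port)
Flow = Tuple[int, str, str, str, int]

# Constructed learning-window flows (not real traffic): an HMI (.10) and an
# engineering station (.30) talk Modbus/S7comm to PLCs (.20, .21); a jump
# host (.50) reaches the engineering station over HTTPS.
BASELINE_FLOWS: List[Flow] = [
    (1000, "10.1.0.10", "10.1.0.20", "modbus", 502),
    (1005, "10.1.0.10", "10.1.0.21", "modbus", 502),
    (1010, "10.1.0.30", "10.1.0.10", "s7comm", 102),
    (1020, "10.1.0.30", "10.1.0.20", "modbus", 502),
    (1030, "10.1.0.50", "10.1.0.30", "https", 443),
]

# Constructed observation-window flows to check against the baseline.
OBSERVED_FLOWS: List[Flow] = [
    (2000, "10.1.0.10", "10.1.0.20", "modbus", 502),  # known connection
    (2010, "10.1.0.30", "10.1.0.20", "modbus", 502),  # known connection
    (2020, "10.1.0.99", "10.1.0.20", "modbus", 502),  # unknown device talking to a PLC
    (2030, "10.1.0.50", "10.1.0.10", "ssh", 22),      # known hosts, protocol never seen
]


@dataclass
class Inventory:
    """Asset inventory derived purely from observed communication."""
    first_seen: Dict[str, int] = field(default_factory=dict)      # host -> first timestamp
    protocols: Dict[str, Set[str]] = field(default_factory=dict)  # host -> protocols used
    connections: Set[Tuple[str, str, str, int]] = field(default_factory=set)


def build_inventory(flows: List[Flow]) -> Inventory:
    """Build the inventory from a learning window; earliest sighting wins for first_seen."""
    inv = Inventory()
    for ts, src, dst, proto, dport in sorted(flows):
        for host in (src, dst):
            inv.first_seen.setdefault(host, ts)
            inv.protocols.setdefault(host, set()).add(proto)
        inv.connections.add((src, dst, proto, dport))
    return inv


def find_deviations(baseline: Inventory, flows: List[Flow]) -> List[Tuple[str, str, int]]:
    """Return (kind, detail, timestamp) findings for behaviour absent from the baseline.

    kinds: new_asset      - a host the learning window never saw
           new_protocol   - a known host using a protocol it never used before
           new_connection - a (src, dst, protocol, port) tuple never seen before
    """
    findings: List[Tuple[str, str, int]] = []
    for ts, src, dst, proto, dport in flows:
        for host in (src, dst):
            if host not in baseline.first_seen:
                findings.append(("new_asset", host, ts))
            elif proto not in baseline.protocols[host]:
                findings.append(("new_protocol", f"{host} {proto}", ts))
        if (src, dst, proto, dport) not in baseline.connections:
            findings.append(("new_connection", f"{src}->{dst} {proto}/{dport}", ts))
    return findings


def summarize(findings: List[Tuple[str, str, int]]) -> Dict[str, int]:
    """Count findings per kind, e.g. for a dashboard or a ticket summary."""
    counts: Dict[str, int] = {}
    for kind, _, _ in findings:
        counts[kind] = counts.get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    baseline = build_inventory(BASELINE_FLOWS)
    print(f"{len(baseline.first_seen)} assets, {len(baseline.connections)} connections in baseline")
    for kind, detail, ts in find_deviations(baseline, OBSERVED_FLOWS):
        print(f"t={ts} {kind:15s} {detail}")
```

Run as-is, the unknown host 10.1.0.99 is reported once as a new asset and once for its new Modbus connection to the PLC, while the SSH flow between two known hosts is reported as a new protocol on each of them plus a new connection. In production the learning window has to be long enough to cover rare but legitimate behaviour (maintenance sessions, failover paths), otherwise the detector reports those as anomalies; the inventory also needs to be re-baselined deliberately after approved changes rather than learning continuously, or an intrusion that persists long enough becomes part of "normal".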
Threat Intelligence provides security teams with up-to-date threat data to understand indicators and tactics, as well as attackers’ goals and motivations, so they can be more targeted and proactive. Used in conjunction with an incident response plan, threat intelligence accelerates security incident response and enables informed decision making.
Training and awareness for employees
Employee training and awareness complement the technical and organisational solutions for implementing cyber security measures. For a long time, industrial control systems were strictly separated from IT and from the outside world, and the teams running information technology (IT) and operational technology (OT) were just as separate.
The convergence of IT and OT through digitalisation and the Industrial Internet of Things (IIoT) now needs to be followed by convergence at the operational and personnel level. As a result, OT security projects often start by clarifying responsibilities for industrial cybersecurity. Good interaction between IT and OT experts and a mutual understanding of the different goals and requirements are critical to success.
Bringing IT and OT security together
“IT and OT are firmly connected through digitalisation and can no longer be separated. This creates a completely new technological world with new requirements, especially in terms of security,” says Herbert Dirnberger: “As complex as the challenges may seem at first glance, they can be overcome. Best practice examples, playbooks and modern technologies enable effective defence strategies that can efficiently and satisfactorily bridge the gap between IT and OT security”.
In addition, OT security solutions can provide valuable input to IT, making investment in industrial security doubly rewarding.
Links:
https://eur-lex.europa.eu/legal-content/DE/TXT/PDF/?uri=CELEX:32022L2555
https://www.iso.org/standard/27001
IAF_MD_26_Transition_requirements_for_ISOIEC_27001-2022_09082022.pdf
https://cisis12.de/
https://www.ocg.at/de/nis-2-richtlinie
https://www.enisa.europa.eu/publications/good-practices-for-supply-chain-cybersecurity