NIS2 Guideline: The Practical 10-Point Plan

The NIS2 Directive, a further development of the original 2016 NIS (Network and Information Security) Directive, aims to improve and harmonize cybersecurity within the European Union. It was published on January 16, 2023, and must be transposed into national law by October 17, 2024.

• December 2020: The EU Commission proposes the NIS2 Directive.
• December 2022: The EU Parliament and the Council of the EU adopt the NIS2 Directive
• January 2023: The NIS2 Directive enters into force.
• March 2023: Drafting work for the German Implementation Act (NIS2UmsuCG) begins.
• December 2023: The latest draft of the NIS2UmsuCG is published.
• May 2024: The legislative process (association vote) begins in Germany.
• October 2024: The deadline for transposing the NIS2 Directive into national law is scheduled to end on October 17, 2024.
• 2025: Implementation is complete and the Federal Office for Information Security (BSI) monitors compliance with the NIS2 requirements.

The NIS2 directive can be compared to house rules: it is a comprehensive set of rules that requires all occupants (companies) to comply with security measures, while the janitor (service provider) ensures that these rules are followed to protect the building (the EU) and keep it operational. The companies, as residents, are responsible for their own areas and must contribute to general safety.

The NIS2 Directive brings with it some significant innovations: for example, companies must now report security incidents within 24 hours and there are stricter requirements for cybersecurity measures. In addition, more organizations and sectors are included than before, including small and medium-sized enterprises. Critical and highly critical sectors such as energy and utilities, transportation, financial markets, and healthcare are particularly affected. This expansion and a distinction between "essential" and "important entities" is intended to create a more homogeneous and robust cybersecurity landscape across the EU. In addition, the NIS2 Directive also brings together many individual measures that companies in Germany are already implementing into a uniform set of rules.

Anyone affected by the requirements of the NIS2 Directive can use the following 10-point plan to gain an overview of the tasks that need to be fulfilled for legally compliant implementation.

1. System inventory – Create a solid foundation: The NIS2 directive requires a complete inventory of a company's IT systems and assets. This includes identifying, documenting, and regularly updating all hardware and software components. Without a system inventory, companies risk overlooking critical vulnerabilities and unsecured systems, leading to increased security risks and possible cyberattacks. There is also a risk of legal consequences and high fines.
    
2. System monitoring – Early warning systems and vulnerability scans: According to the NIS2 directive, companies must introduce continuous monitoring mechanisms to detect potential security vulnerabilities at an early stage. This includes vulnerability management and systems for attack detection (SzA). Companies should use automated tools that monitor networks and systems for anomalies and suspicious activities and can react quickly in the event of an emergency. Without an effective early warning system, threats may remain undetected for too long or undetected altogether. In addition to financial penalties, the most painful consequences are economic losses and the loss of trust from customers and partners.
    
3. Damage detection—Automated detection and response measures: Under the NIS2 directive, automated systems for detecting and responding to security incidents are essential. This includes patch management, which can close known vulnerabilities, and attack detection systems, which identify suspicious activities and initiate immediate measures to avert or contain the damage. Without automated detection and response measures, it is impossible to detect and resolve security incidents on time, which can lead to significant damage and business disruption.
    
4. Raising awareness — Policies and employee training: Companies must develop clear cyber security policies and provide regular training. The aim is to raise awareness of cyber threats and promote secure behaviors. Training programs should cover password security, phishing detection, and safe use of IT resources. However, failing to provide comprehensive employee awareness and training opens the door to cybercriminals. What's more, a human error that could have been avoided through education and training around NIS2 requirements not only weakens the company, but also unsettles individual team members.
    
5. Transparency—Monitoring and risk assessment of IT systems: The NIS2 directive requires continuous monitoring of IT systems and regular risk assessments so that security vulnerabilities can be identified and remedied at an early stage. Tools such as Endpoint Detection and Response (EDR) and Security Information and Event Management (SIEM) help to identify and analyze security incidents in real-time. Security gaps can remain undetected and exploited without transparent monitoring and risk assessment.
    
6. Emergency plans — Prepare and implement response measures: Companies must develop comprehensive contingency plans by the NIS2 directive to respond quickly during a cyber attack. This includes regularly reviewing and updating the plans and crisis management exercises. What if companies don't do this? Then, in an emergency, they would not be able to respond to security incidents that could result in longer downtimes and greater damage.
    
7. Communication channels - internal and external communication in an emergency: Clear lines of communication are critical to communicating effectively during an emergency. Companies should develop internal and external communication protocols to ensure that all relevant parties, including employees, customers, and partners, are informed quickly and transparently. Regular training and emergency drills support the implementation of these communication strategies. Without clearly defined communication channels, important information will not be passed on quickly enough in a crisis, making it much more difficult to coordinate and respond to security incidents.
    
8. Supply chain risks - holistic management required: The management of risks along the entire supply chain is a central component of the NIS2 directive. Companies must ensure that their suppliers and service providers follow the same high-security standards. If companies ' supply chains are not sufficiently checked, vulnerabilities at third-party providers can go undetected, which cybercriminals can use to damage more than just one company.
    
9. Personal liability of the management: The NIS2 directive places responsibility for compliance with cyber security measures in the hands of the management. Managers can be held personally liable if security requirements are not met. This ensures that top management recognizes the importance of cybersecurity and implements appropriate measures. Without the involvement of top management, NIS2 implementation in German companies is hardly feasible. Decisions would not be made in time, and measures would probably only be implemented insufficiently.
    
10. Legal consequences of non-compliance: Companies that do not meet the requirements of the NIS2 Directive must expect high fines and possible operating bans. These legal consequences are intended to ensure compliance with security standards and deter potential breaches. Companies should, therefore, take proactive measures to comply with the requirements of the NIS2 Directive. Failure to do so could result in fines, economic damage, and loss of reputation.

By implementing these ten points in detail, companies can meet the requirements of the NIS2 directive and improve their cyber security strategies to protect themselves against increasing cyber threats.

Implementing the NIS2 directive is crucial for German companies as it significantly strengthens cyber security and thus increases resilience to increasing cyber threats. In light of increasing digitalization and the associated risks, companies must implement comprehensive security measures to protect themselves from potential attacks. Companies should start by assessing their vulnerability if they want to implement the NIS2 directive within the deadline. Don't wait and hope for delays in the legislative process, because the issue is coming. Instead, a concrete NIS2 implementation plan should be drawn up that prioritizes the relevant measures and provides for step-by-step implementation. Determine the necessary financial and human resources and document all processes. It is also important to ensure that security standards are continuously met.