Operational cyber security management is still a major hurdle for many small and medium-sized enterprises. From October 2024, many SMEs will be legally obliged to comply with security standards under the EU Network and Information Security Directive NIS2. Have you already checked whether your company will fall under the regulation of the new EU legislation?

The EU Cybersecurity Directive NIS2 has been in force since January 2023 and is currently being transposed into national law. It is due to be incorporated into the German legal framework on October 17, 2024.

The scope of the affected companies goes far beyond the previous KRITIS companies. The number of sectors has doubled to 18, and small businesses can also be covered by the directive. In particular, a company that supplies an affected organization may be required by that customer to demonstrate NIS2 compliance.

The directive provides for severe fines for non-compliance, which - similar to the GDPR - are defined as a percentage of global annual turnover. Furthermore, it also explicitly provides for personal liability of the management.

In order to be prepared for NIS2, certain minimum standards must be met. For example, concepts for risk analysis and for the security of information systems, as well as for the management of security incidents, must be created. Precautionary measures must be taken so that operations can be maintained in the event of an emergency or crisis. Security-related aspects must also be taken into account in the supply chain, which can still oblige SMEs that do not fall under the NIS2 regulation because of their size to comply. Security measures must also be considered when purchasing, developing and operating hardware and software, for example in the handling of vulnerabilities. Awareness training must be provided to the workforce. Furthermore, the use of cryptographic measures must be regulated, concepts for controlling access to systems must exist, and secure communication channels must be provided.

If you already have an ISMS in your company, or are even certified according to BSI IT-Grundschutz (baseline protection) or ISO 27001, these points hold no surprises. However, if you are only just starting to manage cybersecurity in your organization, you face a substantial task.

The NIS2 directive can be viewed on the official website of the European Union.

With its experienced cyber security experts, digitalSee GmbH can help you set up an operational security management system. It may even be possible to receive state funding for the consultancy service.

Sven Hauptmann