NIS-2 is on its way
The national implementation law for this directive is due to come into force on 18 October 2024 and will affect many SMEs in particular. Anyone who has not yet dealt with this topic should therefore do so as soon as possible. But what matters in advance? We present four measures you can use to prepare as well as possible for NIS-2 compliance.
1. Impact analysis
This analysis is carried out on two levels. First, the NIS-2 Directive applies to all companies in certain sectors, in some cases from 50 employees upwards. Because these criteria regularly raise questions and uncertainties, it is essential to check first whether NIS-2 will apply to your organisation at all. Second, if it does, all departments, groups of people and individuals who will be directly or indirectly affected by NIS-2 must be identified internally. All of these should be brought together in a project and updated regularly.
2. Review and implementation of cyber security measures
Companies affected by NIS-2 must implement the ISO 27001 standard without exception, which requires the establishment, operation and documentation of an effective information security management system (ISMS). Seek advice on the required ISMS and risk management measures, and use a comprehensive analysis of your infrastructure to check whether, or how, you fulfil the required minimum measures or will fulfil them by the deadline.
This also includes the security of the supply chains you use, as these are explicitly mentioned in NIS-2. Obtain a comprehensive overview of their structure and check the security of the individual suppliers, for example by means of certificates. Note that certificates must be renewed regularly.
3. Registration with the BSI
As an affected company, you must register with the German Federal Office for Information Security (BSI). Before doing so, it is essential to check whether you fall under the NIS-2 Directive at all.
4. Definition of reporting processes
If a cyber security incident, or even a suspected one, occurs in your company, NIS-2 obliges you to notify the reporting authority in writing within 24 hours and to provide an assessment within 72 hours at the latest. In addition, the directive requires a detailed report on each incident, which must be sent to the reporting authority within one month. To meet these deadlines and ensure a smooth process, it is essential to define appropriate processes together with the project managers and the data protection officer, so that those responsible can carry them out promptly in an emergency.
We are aware that there are still many unanswered questions regarding the implementation of NIS-2. We are happy to support you with individual challenges as well as with general information on the current status of publications.