
Cybersecurity norms reshaped globally by the advent of NIS 2

The expanded scope of NIS 2 reaches beyond vital infrastructure companies and also covers key economic entities, their suppliers, and their digital supply chains.

Worldwide Companies Adopt Elevated Cybersecurity Standards as Set by NIS 2 Regulations

In December 2022 the European Union adopted the NIS 2 Directive, the most extensive legal act on cybersecurity to date. The directive affects companies worldwide, not only those based in the EU, and applies to a wide range of sectors, including energy, transport, banking, healthcare, and digital infrastructure.

The directive obliges companies that employ at least 50 people or have annual turnover and balance sheets that each exceed €10 million to implement a cybersecurity management system. Companies in these sectors must adhere to specific cybersecurity best practices, focusing on risk management, access control, incident reporting, supply chain security, and accountability at the executive level.

Risk Management

Companies are expected to identify, evaluate, and document IT and cybersecurity risks systematically and to use the results to select their security measures. This process helps companies prepare for cybersecurity audits and certifications, and it helps them defend against fines, civil claims, and claims for damages following IT failures.

Technical Measures

Implementing Identity Governance & Administration (IGA) and Identity & Access Management (IAM) with Multi-Factor Authentication (MFA) is crucial for securing system access. Data encryption and protection of information assets against unauthorized access or breaches are also essential. Companies should maintain a comprehensive inventory and overview of all IT resources and infrastructure. For those using cloud services, secure configurations and controls are necessary to address cloud-specific risks.

Organizational Measures

Defining clear cybersecurity roles and responsibilities, including top management accountability for cybersecurity, is essential. Emergency response and incident response plans should be established for timely and structured reporting of cybersecurity incidents to relevant authorities. Regular audits and continuous monitoring of cybersecurity controls, including external audits and certifications like ISO 27001 and relevant NIS 2 certifications, are necessary. Supply chain security policies should be implemented by evaluating and securing the cybersecurity posture of suppliers and partners. Regular cybersecurity awareness, training, and skills development for employees are crucial to strengthen the human factor in cybersecurity resilience.

Documentation and Accountability

Companies must keep complete, audit-proof documentation of security processes and compliance activities to demonstrate adherence to NIS 2. Clear accountability for cybersecurity measures at organizational and executive levels is necessary to ensure effective governance and compliance oversight.

The NIS 2 Directive affects not only critical infrastructure companies but also central economic enterprises, their suppliers, and digital supply chains. Companies covered by NIS 2 may pass the increased cybersecurity requirements on to their suppliers through contracts, so suppliers should take care when providing evidence and documentation of their cybersecurity standards.

Cybersecurity is increasingly becoming a task of holistic digital resilience, incorporating factors of industrial espionage and trade secret protection. Prof. Dr. Dennis-Kenji Kipker, a cybersecurity expert and the Scientific Director of the cyberintelligence.institute, emphasizes the importance of these best practices across various sectors and enterprises that meet the size and sector thresholds defined by NIS 2.

In summary, companies under the NIS 2 Directive must establish a mature cybersecurity risk management framework combining robust technical controls and organizational governance, with a strong emphasis on continuous monitoring, incident management, supply chain security, and executive accountability to ensure compliance and resilience against cyber threats.

  1. Prof. Dr. Dennis-Kenji Kipker, a cybersecurity expert, underscores the importance of the NIS 2 Directive's best practices across multiple sectors and enterprises that fall under its size and sector thresholds, particularly in the industry, finance, technology, and cybersecurity sectors.
  2. To maintain corporate integrity, companies in the technology, finance, and cybersecurity sectors that work with central economic enterprises meeting the NIS 2 Directive's criteria should be cautious and provide comprehensive evidence and documentation of their cybersecurity standards and compliance practices; failure to do so could lead to increased requirements in their contracts.
