Putting Zero Trust 2.0 into practice in five steps (InfoGuard Cyber Security Newsletter)

The clock is ticking: stricter NIS2 guidelines from October 2024

The EU adopted the NIS2 Directive on cyber security in December 2022. The EU member states have until 17 October 2024 to enact a corresponding national NIS2 law. Affected companies are obliged to comply with the new regulations from 18 October 2024 (no transition period provided). This article explains what you need to bear in mind.

In view of the growing threat of cyber attacks, including on critical infrastructures (KRITIS), it is essential for companies to optimise their cyber resilience – the ability to prevent, withstand and recover from cyber incidents. The aim of NIS2 is to achieve a better collective level of cyber security.

From October 2024, many companies will be subject to significantly stricter, mandatory security measures and reporting obligations – including many businesses that were not previously affected. Swiss companies would also be well advised to align themselves with the security measures, although NIS2 is essentially aimed at European organisations.

NIS2 – and what needs to be considered by when

This EU Directive is a minimum standard which must be enshrined in national law by the EU member states. The EU Directive is relevant for Swiss companies because it explicitly includes supply chains and partner companies. Swiss companies also need to observe NIS2 more generally as part of their operations in the European Union.

At present, the implementation status in the individual EU member states varies greatly. Legislation in some countries is already well advanced and is currently the subject of public debate (e.g. Austria, Belgium, Croatia, Czech Republic, Finland, France, Germany, Italy, Netherlands, Sweden). In other countries, the status is unclear as little or no information is available.

There are considerable differences in national implementation levels: the definitions of sectors and companies are not standardised; obligations are interpreted differently; verification checks are sometimes carried out by authorities, sometimes by operators and sometimes not at all. There is also variation in terms of the level of detail for specifications and requirements for implementation.

SMEs are also affected by NIS2

In future, providers of digital services will also be obliged to implement suitable state-of-the-art technical, operational and organisational security measures in addition to critical infrastructures (KRITIS) such as electricity and water supply companies, the financial sector and the healthcare sector.

At the same time, sectors such as postal and courier services, waste management and food producers must also take appropriate measures to protect themselves effectively against cyber attacks. The Directive generally applies to organisations with 50 or more employees and an annual turnover of more than €10 million, and thus also covers SMEs.

Substantive focus of NIS2

Alongside backup, emergency and crisis management, employee awareness training, and regular audits and procedures for evaluating the effectiveness of the company’s own risk management measures, NIS2 also requires companies to implement risk-analysis and security concepts for their IT systems and to manage vulnerabilities and security incidents.

Key practices include zero-trust principles, regular software updates and appropriate network segmentation. Sufficient identity and access management and multi-factor authentication are a must.

The challenge for companies is not only to implement such measures, but also to perform regular effectiveness checks, whether in the form of vulnerability scans, security assessments, penetration tests or simulated cyber attacks.

These four points must be observed when implementing NIS2

Irrespective of the specific manner of national implementation, affected companies must observe the following changes, which will come into force on 18 October 2024:

  1. Registration with the competent national authority.
  2. Incidents must be reported to the local competent authorities.
  3. Conformity with the requirements must be guaranteed.
  4. Proof of conformity through appropriate certification or a security review/security audit should be provided on a regular basis.

Companies affected by NIS2 should check that they fulfil the requirements of the EU Directive and rectify any identified divergences in good time to ensure that at least the minimum EU-wide requirements are met.

Any existing country-specific requirements should be taken into account in order to minimise potential non-conformities. It must be ensured that conformity is permanently guaranteed.

Gap assessment to determine the NIS2 maturity level

Find out how your company is positioned in terms of NIS2 and what still needs to be done. A NIS2 gap assessment provides an overview of possible divergences from the minimum requirements in your IT security strategy.

But there's more: our specialists will also provide you with technical, organisational and personnel-related recommendations and suggestions for implementing immediate measures.

Let us support you and get your NIS2 optimisation underway now.

Implementation of concrete security measures

At InfoGuard, over 230 experts are available to help you meet the NIS2 requirements, be it with our Risk Management & Compliance Services or 24/7 Cyber Defence & Incident Response Services from our ISO 27001-certified Cyber Defence Center in Switzerland.

Get in touch: our cyber security experts will be happy to support you.

NIS2 will soon be followed by the Cyber Resilience Act (CRA)

While the NIS2 Directive aims to strengthen companies’ basic resilience against cyber threats by creating a uniformly high level of security, the Cyber Resilience Act (CRA) seeks to increase the security of digital products in the long term.

We have already reported on the announcement of the introduction of the CRA. In the coming weeks, we’ll be taking another detailed look at the latest developments in a separate blog post.

Stay tuned and subscribe to our blog updates.

Categories: Data Governance, IT Security

About the author: Markus Limacher, Head of Security Consulting and member of the management team, InfoGuard AG
