For years, cyberattacks and the associated consequences such as business interruptions have been among the greatest risks for companies – worldwide.
Companies in Europe also increasingly have to arm themselves against threats from the Internet. In Germany, 9 out of 10 companies now report data breaches, sabotage attempts or espionage attacks. The German economy suffers losses in the triple-digit billions every year as a result. Insurance companies can no longer bear the risk alone. Providers of cyber insurance made losses in this segment for the first time in 2022. Therefore, policyholders must be held more accountable.
In order to counter cybercriminals, the European Union passed a guideline in 2016 to ensure network and information security – NIS for short. The aim of this directive (EU) 2016/1148 was to build cyber resilience across the EU. Threats to network and information systems of essential services were to be contained. This was to ensure the continuity of services – especially in key sectors – so as not to harm the economy and society.
Initial successes have already been recorded. Research has shown that significant progress has been made in strengthening cyber resilience. However, it has also become clear that the implementation of the requirements of Directive (EU) 2016/1148 varies widely among EU member states, which ultimately means that the risk of an attack is higher for certain member states than for others. However, this state of affairs can, in the worst case, have negative consequences for the entire European Union. It was therefore decided to make minimum requirements mandatory for all member states. These have now been summarized in an updated Directive on measures for a high common level of cybersecurity (short NIS2 – (EU) 2022/2555) (Official Journal of the European Union).
Perseus, as a provider of a 365° degree approach to cybersecurity, can advise and actively support small and medium-sized enterprises in particular in implementing the NIS 2 directive and the measures it contains.
Additional sectors to be brought under the obligation
The NIS 2 directive expands the field of companies that must comply with the defined minimum requirements. In addition to “essential” sectors, such as energy suppliers or healthcare companies, “important” sectors are also included. These include, for example, waste management and postal service providers.
Here is the complete list:
Essential:
- Energy (electricity, oil, gas, heat, hydrogen)
- Health (utilities, labs, R&D, pharma)
- Transportation (air, rail, water, road)
- Banks and financial markets
- Water and wastewater
- Digital enterprises (these include Internet Exchange Point (IXP) providers, DNS service providers, TLD name registries, Data center service providers, cloud computing service providers, content delivery network providers, trust service providers)
- ICT service management, space, public administration
Important:
- Postal and courier
- Waste management
- Chemicals
- Food
- Industry (technology and engineering)
- Digital services (online marketplaces, online search engines, social networks)
- Scientific Research
Small companies are also challenged
Another new aspect is that not only corporate enterprises and large companies have to present concepts for network and IT security. The so-called “size-cap rule” has been introduced. This means that companies that employ more than 50 people, have an annual turnover or annual balance sheet of more than 10 million euros, and operate in a critical or important sector, will now also have to comply with the requirements (Infoguard.ch). This represents a change from previous guidelines.
The reason for this expansion is that small and medium-sized enterprises make up a significant portion of the economy in all EU member states. To make matters worse, these companies in particular are struggling to adapt to a more connected and increasingly digitalized world. Recent developments, such as the Covid 19 pandemic, and the resulting shift of work to the home, as well as the more frequent use of services on the Internet, have further exacerbated the situation.
Low cyber awareness, lack of IT security and high costs for cybersecurity solutions are just some of the challenges that small and medium-sized enterprises face.
Neglecting, delaying or even ignoring these issues is now no longer an option. The NIS2 Directive must be implemented by member states by October 17, 2024. Thereafter, the Commission must periodically review the functioning of the directive – for the first time by Oct. 17, 2027.
NIS 2 calls for concrete measures for cybersecurity
In order to implement the required minimum requirements, the EU specifies a catalog of measures that companies must follow and that are monitored by national authorities. These measures are defined in Article 21 of NSI 2. The main objective here is to sustainably reduce the risks to IT security and to keep the impact as minimal as possible. The implementation and proportionality of the measures depends on certain parameters of the organization: The company’s risk exposure, the size of the company, and the likelihood of a security incident occurring – and ultimately how serious the impact of a cyber incident would be on society and the economy.
The most important contents are summarized once here:
- Concepts of risk assessment, risk analysis and information security
- Crisis management and handling of security incidents
- Securing business operations (backup management)
- Provision of concepts for access security
- Provision of concepts for multi-factor authentication and encrypted communication
- Preventive measures (e.g., basic cyber hygiene procedures and cyber security training, staff security)
Challenges for the affected companies
According to Handelsblatt, Hisolution founder Tino Kob sees the first challenge as the fact that many companies do not even know that they are affected by the NIS 2 directive. According to his estimate, 40,000 additional companies will now be held accountable.
Experts do not see major stumbling blocks for larger companies and organizations that were already affected by the 2016 NIS directive. They also believe that companies were already addressing IT security and cybersecurity issues through due diligence requirements before the NIS 2 directive was adopted. What is different now is that this must be demonstrated through systematically established processes (Handelsblatt).
The experts at Perseus see problems in integrating the minimum requirements, especially for micro, small and medium-sized enterprises. Above all, the lack of IT specialists can lead to a lack of advisory bodies to support the development and implementation of the required measures, leaving these companies on their own. If many of the required aspects are new or not previously relevant in the organization, there is a risk that these companies will be overwhelmed.
Other obstacles such as lack of financial and human resources can also affect the implementation of the NIS-2 directive.
Perseus is the perfect partner for SMEs
And this is where Perseus can help companies. Perseus’ cybersecurity product portfolio includes many of the required measures. For example, the Perseus prevention solution can help with employee training and awareness. Elaborated guidelines on topics such as data security concepts, authorization management, patch management and mobile working contribute to the implementation of cyber hygiene requirements.
With the Security Baseline Check, companies can check their basic security concept in a standardized manner. The Cyber Risk Dialog provides more in-depth insights.
Perseus can also support companies in the area of emergency management. A customizable emergency plan provides an overview of all processes and applications that must be observed in an emergency or that must be protected separately before an incident. The plan also helps to get business operations back up and running quickly in the event of a loss. In the event of a cyber emergency, the Perseus emergency team also helps to manage the damage. Here, the team is available to its customers around the clock and also provides advice in cases of suspicion.