Cyberattacks and the associated consequences such as business interruptions have been among the greatest risks for companies for years – worldwide.
Companies in Europe also increasingly need to arm themselves against threats from the Internet. In Germany, 9 out of 10 companies now report data breaches, sabotage attempts or espionage attacks, and the resulting damage to the German economy runs into the hundreds of billions of euros every year. Insurance companies can no longer bear this risk alone: in 2022, cyber insurance providers made losses in this segment for the first time. Policyholders must therefore be held more accountable.
In order to be able to counteract cybercriminals, the European Union adopted a directive on ensuring network and information security – NIS for short – in 2016. The objective of Directive (EU) 2016/1148 was to build cyber resilience across the EU. Threats to network and information systems of essential services should be contained. This was intended to ensure continuity of services, especially in key sectors, so as not to harm the economy and society.
The first successes have already been recorded. Research has shown that significant progress has been made in strengthening cyber resilience. However, it also became clear that implementation of the requirements of Directive (EU) 2016/1148 varies greatly between EU Member States, which ultimately means that the risk of a successful attack is higher in some Member States than in others. In the worst case, this state of affairs can have negative consequences for the entire European Union. It was therefore decided to make a set of minimum requirements mandatory for all Member States. These are now set out in the updated Directive (EU) 2022/2555 on measures for a high common level of cybersecurity across the Union, known as NIS2 (Official Journal of the European Union).
As a provider of a 365° approach to cybersecurity, Perseus can advise and actively support small and medium-sized enterprises in particular in the implementation of the NIS 2 Directive and the measures contained therein.
The NIS 2 Directive expands the range of companies that must comply with the minimum requirements. In addition to “essential” sectors, such as energy suppliers or healthcare companies, “important” sectors are now also covered. These include, for example, waste management and postal service providers.
Here is the complete list:
Essential:
Important:
Another new feature is that it is no longer only corporations and large companies that have to demonstrate concepts for network and IT security. The so-called “size-cap rule” is introduced. As a result, companies that operate in an essential or important sector and are at least medium-sized, i.e. that employ 50 or more people or have an annual turnover and balance sheet total exceeding 10 million euros, will now have to meet the requirements (Infoguard.ch). Certain entities, for example sole providers of a service that is essential for society, are covered regardless of their size. This is a change from the previous directive, which left the selection of affected operators largely to the Member States.
The reason for this expansion is that small and medium-sized enterprises account for a significant share of the economy in all EU Member States. At the same time, these companies in particular are struggling to adapt to a more connected and increasingly digitalised world. Recent developments, such as the Covid-19 pandemic, the resulting shift to working from home and the increased use of online services, have further exacerbated the situation.
Low cyber awareness, a lack of IT security and the high cost of cybersecurity solutions are just some of the challenges that small and medium-sized enterprises have to face.
Neglecting, delaying or even ignoring these issues is no longer an option. Member States must transpose the NIS2 Directive into national law by 17 October 2024. The Commission must then review the functioning of the Directive at regular intervals, for the first time by 17 October 2027.
In order to implement the minimum requirements, the EU specifies a catalogue of measures that companies must follow and whose implementation is supervised by national authorities. These measures are defined in Article 21 of NIS 2. The main goal is to reduce the risks to the security of network and information systems in the long term and to keep the impact of incidents as small as possible. The measures must be proportionate, and what is proportionate depends on certain parameters of the organisation: the company’s exposure to risk, its size, the likelihood that a security incident will occur, and ultimately how severe the impact of a cyber incident would be on society and the economy.
You can find a summary of the most important contents here:
According to Handelsblatt, Hisolution founder Tino Kob sees the first challenge as the fact that many companies do not even know that they are affected by the NIS 2 Directive. By his estimate, around 40,000 additional companies will now fall within its scope.
Experts do not see any major stumbling blocks for larger companies and organisations that were already affected by the NIS Directive of 2016. They also believe that these companies had already dealt with IT security and cyber security through due diligence requirements before the adoption of the NIS 2 Directive. What is different now is that this must be demonstrated through systematically established processes (Handelsblatt).
The experts at Perseus see problems with the integration of the minimum requirements, especially among micro, small and medium-sized enterprises. Above all, the shortage of IT specialists means there may be no advisers available to support the development and implementation of the required measures, leaving these companies to their own devices. If many of the required aspects are new or have not yet been relevant in the organisation, there is a risk that these companies will be overwhelmed.
Other obstacles, such as a lack of financial and human resources, may also hamper the implementation of the NIS 2 Directive.
This is exactly where Perseus can help companies. Perseus’ cybersecurity product portfolio covers many of the required measures. For example, the Perseus prevention solution helps to train employees and raise their awareness. Ready-made guidelines on topics such as data security concepts, authorisation management, patch management and mobile working contribute to meeting the cyber hygiene requirements.
With the Security Baseline Check, companies can assess their basic security concept in a standardised way. The Cyber Risk Dialogue provides more in-depth insights.
Perseus can also support companies in the area of emergency management. A customisable emergency plan provides an overview of all processes and applications that must be taken into account in an emergency or that require separate protection against an incident. The plan also helps to resume business operations quickly after an incident. In the event of a cyber emergency, the Perseus emergency team helps to contain and manage the damage; the team is available to customers around the clock and also advises when an incident is merely suspected.