Companies only have one year left to adapt their cyber security to the EU’s NIS2 directive, warns Andreas Schwan.
The most serious change in the EU NIS2 directive is the target group. While it was previously mainly large and critical companies that had to comply with cybersecurity regulations, from October 2024 small and medium-sized companies from 18 sectors with an annual turnover of at least 10 million euros and at least 50 employees will also have to comply.
Previous drafts for implementation in Germany
It is not yet clear exactly how NIS2 will be implemented in Germany, even though two drafts have already been published in April and July 2023. These confirm that the target group of the so-called NIS 2 Implementation and Cyber Security Strengthening Act (NIS2UmsuCG) will include significantly more companies than the previously applicable IT Security Act 2.0. It is also known that it will be an article law. The centrepiece is the Federal Act on Security in Information Technology (BSIG), which will contain 65 paragraphs.
The energy sector is excluded from this and is given a special status. It is mainly dealt with in the Energy Industry Act (EnWG). In addition to the specific requirements that companies now have to fulfil, the drafts also contain a plan on how to deal with managing directors who refuse to comply with the law: they are personally liable and can be fined up to 20 million euros.
Companies must fulfil these requirements due to NIS2
As soon as NIS2 or the NIS2UmsuCG applies, affected companies must ensure that they comply with international standards such as ISO/IEC 27001 when setting up their cyber security. In addition, regular risk assessments and audits must be carried out. As soon as a security incident occurs, it must be reported to the authorities. Employees should also be kept up to date and receive regular training on “cyber hygiene”. Last but not least, the security regulations must not only be complied with by the company, but managing directors must also ensure that all companies in the supply chain fulfil the corresponding requirements.
Protecting the cloud against attackers
If you want to be optimally prepared for the upcoming security law, start implementing measures now. It is important to bear in mind that securing the cloud is a shared responsibility between the cloud provider and the customer. Cloud providers generally offer a secure infrastructure, while customers are responsible for the security of their own data and applications in the cloud. Therefore, a comprehensive cloud security strategy is of utmost importance. The following measures serve as a guide for companies.
- Identify security requirements
Organisations should first identify their specific security requirements and compliance requirements to ensure that their cloud security strategy meets them.
2. Access and identity management
Implementing access controls and identity management is critical to ensure that only authorised users can access cloud resources. This can be achieved through the use of multi-factor authentication (MFA) and role-based access.
Organisations should encrypt data in the cloud both in transit and at rest. This protects against data leaks and unauthorised access.
4. Data classification and protection
It is important to classify company data and protect it according to its sensitivity. This may mean that certain data is stored or processed in the cloud, while others are secured offline or in private clouds.
5. Network security
Cloud networks should be carefully configured to prevent unauthorised access and attacks. Firewalls, intrusion detection systems (IDS) and intrusion prevention systems (IPS) are important components of network security.
6. Security as code
Organisations should integrate security into their DevOps and CI/CD pipelines to ensure that security checks and policies are automated and consistently applied.
7. Cloud-specific security solutions
There are many cloud-specific security tools and services that organisations can use to protect their cloud workloads and data. These include Cloud Access Security Broker (CASB), Cloud Security Posture Management (CSPM) and Cloud Workload Protection Platforms (CWPP).
8. Monitoring and logging
Companies should continuously monitor cloud resources in order to recognise suspicious activities at an early stage. Logging is crucial for analysing security incidents and meeting compliance requirements.
9. Incident response and disaster recovery
Organisations should have a clear plan for dealing with security incidents in the cloud and ensure that their data can be regularly backed up and restored.
10. Employee training and awareness
Employees are often the first line of defence against security threats. Training and awareness campaigns can help to raise awareness of security risks.
Andreas O. Schwan
is an expert in information and data management. He supports corporations as well as small and medium-sized companies in organising their data volumes in a targeted manner and using them profitably.