
NIS 2 Directive: 8 measures for SMEs

Everything you need to know about the NIS 2 Directive and how SMEs should proceed now

The NIS 2 Directive is the EU-wide legislation on network and information security and aims to achieve a universal and improved level of cyber security. It came into force at the beginning of 2023 and will also apply to many SMEs in Germany from October 18, 2024.

In this article, you will learn more about NIS-2, what measures you can now take and what requirements the new legislation places on your company’s email security.

What is NIS-2?

The NIS 2 Directive introduces mandatory cybersecurity measures and reporting obligations for many companies. NIS 2 replaces the previous NIS Directive of 2016: compared with it, it widens the circle of affected companies and extends both the obligations and the scope of regulatory supervision. Violations of the new directive can result in heavy fines.

Official BSI announcement: BSI – Current information from the KRITIS department – NIS 2 Directive published in the Official Journal of the EU (bund.de)

 

Rethinking cybersecurity for SMEs

In Germany, almost 30,000 medium-sized companies have to deal with the new directive and take appropriate measures. One thing is certain: from 18 October 2024, NIS 2 conformity must be ensured. The tight deadline requires SMEs to act quickly.

The prompt introduction of the directive could particularly affect companies that have not yet had to deal with the topic of IT security and have little experience and know-how in this area.

 


What requirements does NIS-2 place on e-mail security?

From October, the requirements for e-mail service providers will also increase. In future, services must be protected more effectively against cyber attacks so that the confidentiality, integrity and availability of email communication are adequately ensured at all times. The focus here is on protection against spam, phishing and malware.

The topic of e-mail security in the context of NIS 2 has not yet been worked out in detail. Article 21(2) of the directive does, however, list policies and procedures on the use of cryptography and, where appropriate, encryption among the minimum risk-management measures, so encrypted and authenticated email communication is a natural building block of NIS 2 compliance.

You are on the safe side if spam, phishing, malware and other dangers in email communication cannot reach your company’s mailboxes in the first place. A professional email security solution for companies therefore becomes even more relevant with regard to NIS 2.

The dataglobal Group sees itself as a competent partner and advisor in this area. We have been achieving the highest standards in cybersecurity for companies for decades, especially with our email security solution eXpurgate.

 

8 Measures to comply with the NIS 2 Directive

We have summarized 8 measures for you that can help you achieve NIS 2 compliance for your company.

 

1) Set up a project group

Due to the urgency and complexity of the topic, we recommend setting up a separate NIS 2 project. The following group of people should be involved:

  • Management
  • IT managers
  • IT security managers
  • Other relevant persons (internal or external)

The requirements of the directive are high and implementation requires time and budget. A coordinated organizational structure with a clear distribution of responsibilities is essential here. The project group should conduct cybersecurity training at the beginning if the relevant understanding of the basics is not yet available.

 

2) Risk assessment

In the second step, you carry out a risk assessment. This allows you to identify potential security gaps and vulnerabilities in your IT systems and processes. Ensure that priorities are defined and resources are deployed where they are most urgently needed. Many companies rely on external consulting for this.

The review of supply chains, both in terms of information and network systems and their physical environment, is also a relevant aspect. You should consult the purchasing department for this.

 

3) Updating policies and procedures

Revise your internal policies and procedures to ensure that they meet the requirements of NIS-2. This may include changes in areas such as data security, access control and incident response procedures.

 

4) Implementation of security measures

Implement technical security measures such as firewalls, anti-virus software, encryption, multi-factor authentication, access controls and email security software to ensure the security of your systems and data. Article 21(2) of the directive explicitly names, among other things, cryptography and encryption, multi-factor authentication, access control, vulnerability handling and basic cyber hygiene, so these belong on the list.

 

5) Regular review and updating

Regularly review your security measures and make adjustments where necessary to ensure that they remain effective and can withstand current threats.

 

6) Documentation and tracking

Document all steps to achieve NIS 2 compliance and conduct a thorough follow-up to ensure that all requirements are met. In the event of an inspection, you can also provide proof that all standards have been met.

 

7) Define reporting processes

Under the NIS 2 Directive, very tight reporting deadlines apply to significant incidents. The relevant reporting authority must receive an early warning within 24 hours of the company becoming aware of such an incident, stating where applicable whether it is suspected to be caused by unlawful or malicious acts or could have a cross-border impact. An incident notification with an initial assessment of severity and impact and, where available, indicators of compromise must follow within 72 hours, and a final report within one month.

Due to these tight deadlines, those responsible in the project group must have the information they need quickly in the event of a security incident. This presupposes that incidents are detected and classified in the first place: logging and monitoring of the relevant systems, a definition of what counts as a significant incident, and an escalation path to the project group should all be in place. All processes for collecting this data and reporting it promptly should be clearly defined in advance.

 

8) Registration with the BSI

If your company is affected by NIS-2, registration with the BSI (Federal Office for Information Security) is mandatory. Before registering, it is essential to check whether your company is subject to the NIS 2 Directive.

The current limitation: The corresponding reporting office does not yet exist (as of April 2024). The organizational and personnel requirements for this are to be created by BSI by October 2024.

 

Conclusion

Achieving NIS 2 compliance for SMEs requires careful planning and the implementation of appropriate measures. The deadline for implementing these measures is tight and could pose challenges for many companies – especially if they have had little contact with cybersecurity to date. The project requires time, resources and commitment, but it is crucial to ensure the security of your IT systems and data.

Would you like more information about e-mail security? Click here to download our factsheet.

 
