NIS 2 Directive: 8 measures for SMEs
Everything you need to know about the NIS 2 Directive and how SMEs should proceed now
The NIS 2 Directive is the EU-wide legislation on network and information security and aims to achieve a universal and improved level of cyber security. It came into force at the beginning of 2023 and will also apply to many SMEs in Germany from October 18, 2024.
In this article, you will learn more about NIS-2, what measures you can now take and what requirements the new legislation places on your company’s email security.
What is NIS-2?
The NIS-2 Directive introduces mandatory cybersecurity measures and reporting obligations for many companies. NIS-2 replaces the previous NIS Directive of 2016: compared to its predecessor, it expands both the circle of affected companies and their obligations, as well as the extent of regulatory oversight. Violations of the new directive can result in heavy fines.
Official announcement from the BSI: BSI – Current information from the KRITIS department – NIS-2 Directive published in the Official Journal of the EU (bund.de)
Rethinking cybersecurity for SMEs
In Germany, almost 30,000 medium-sized companies have to deal with the new directive and take appropriate measures. One thing is certain: from October 18, NIS-2 conformity must be guaranteed. The tight deadline now requires SMEs to act quickly.
The prompt introduction of the directive could particularly affect companies that have not yet had to deal with the topic of IT security and have little experience and know-how in this area.
What requirements does NIS-2 place on e-mail security?
From October, the requirements for e-mail service providers will also increase. In future, your services must be protected even more effectively against cyber attacks so that the confidentiality and availability of email communication are adequately ensured at all times. The focus here is on protection against spam, phishing and malware.
The topic of e-mail security in the context of NIS-2 has not yet been worked out in detail. What is certain, however, is that effective email encryption will be a basic requirement for compliance with the NIS 2 directive.
You are on the safe side if spam, phishing, malware and other dangers in email communication cannot infiltrate your company’s mailboxes in the first place. A professional email security solution for companies becomes even more relevant with regard to NIS-2.
The dataglobal Group sees itself as a competent partner and advisor in this area. We have been achieving the highest standards in cybersecurity for companies for decades, especially with our email security solution eXpurgate.
8 Measures to comply with the NIS 2 Directive
We have summarized 8 measures for you that can help you achieve NIS 2 compliance for your company.
1) Set up a project group
Due to the urgency and complexity of the topic, we recommend setting up a separate NIS 2 project. The following group of people should be involved:
- Management
- IT managers
- IT security managers
- Other relevant persons (internal or external)
The requirements of the directive are high and implementation requires time and budget. A coordinated organizational structure with a clear distribution of responsibilities is essential here. The project group should conduct cybersecurity training at the beginning if the relevant understanding of the basics is not yet available.
2) Risk assessment
In the second step, you carry out a risk assessment. This allows you to identify potential security gaps and vulnerabilities in your IT systems and processes. Ensure that priorities are defined and resources are deployed where they are most urgently needed. Many companies rely on external consulting for this.
The review of supply chains, both in terms of information and network systems and their physical environment, is also a relevant aspect. You should consult the purchasing department for this.
3) Updating policies and procedures
Revise your internal policies and procedures to ensure that they meet the requirements of NIS-2. This may include changes in areas such as data security, access control and incident response procedures.
4) Implementation of security measures
Implement technical security measures such as firewalls, anti-virus software, encryption, access controls and email security software to ensure the security of your systems and data.
5) Regular review and updating
Regularly review your security measures and make adjustments where necessary to ensure that they remain effective and can withstand current threats.
6) Documentation and tracking
Document all steps to achieve NIS 2 compliance and conduct a thorough follow-up to ensure that all requirements are met. In the event of an inspection, you can also provide proof that all standards have been met.
7) Define reporting processes
Under the NIS 2 Directive, very tight reporting deadlines must be met in some cases. In the event of a security incident, the relevant reporting authority must be informed within 24 hours. An assessment of the incident must be submitted within 72 hours and a full report within one month.
Due to these tight deadlines, those responsible in the project group must have the information they need quickly in the event of a security incident. All processes should be clearly defined in advance in order to collect this data and then report it promptly.
8) Registration with the BSI
If your company is affected by NIS-2, registration with the BSI (Federal Office for Information Security) is mandatory. Before registering, it is essential to check whether your company is subject to the NIS 2 Directive.
The current limitation: The corresponding reporting office does not yet exist (as of April 2024). The organizational and personnel requirements for this are to be created by BSI by October 2024.
Conclusion
Achieving NIS 2 compliance for SMEs requires careful planning and the implementation of appropriate measures. The deadline for implementing these measures is tight and could pose challenges for many companies – especially if they have had little contact with cybersecurity to date. The project requires time, resources and commitment, but it is crucial to ensure the security of your IT systems and data.