EU measures to strengthen cybersecurity: how best to prepare for them

The EU is planning comprehensive regulations to strengthen cyber security with the NIS-2 Directive as well as the Cyber Resilience Act. These measures will have a major impact on almost all digital processes, which should not be taken by surprise.

by DI (FH) Stephan Leitner

With the increasing interconnectedness of the world, cybersecurity has taken on a new significance in daily (working) life. To make the EU economy fit for this new world and to protect users, the European Union is planning numerous mandatory packages of measures.

Contents

  • Network and Information System Security Act (NIS) 2.0
  • Cyber Resilience Act
  • Why waiting is not an option
  • The first steps
  • Author


Network and Information System Security Act (NIS) 2.0

The NIS 2 Directive is a European piece of legislation on cyber security. It aims to ensure a high level of security for network and information systems in the EU. It focuses on sectors that are essential to society and the economy, such as energy, transport, health, finance and digital services. Compared to the current Network and Information Systems Security (NIS) law, which applies only to operators of so-called “essential services” and to “digital services,” the scope of NIS 2 will be expanded to cover more sectors, including healthcare, water, wastewater, the chemical industry and digital infrastructure. The directive establishes more stringent security requirements that affected companies and organizations must meet. These include risk-based security measures, the implementation of security precautions and practices, and the reporting of security incidents. The NIS 2 Directive provides deterrent penalties for breaches of the security requirements, making both companies and individuals in leadership positions liable. Member States must provide appropriate enforcement mechanisms to ensure that companies and organizations comply.

Cyber Resilience Act

Unlike NIS 2, which applies to companies in specific sectors or functions, the Cyber Resilience Act applies to all products that have a digital component. This means that a wide range of products is affected, from a smart light bulb to a modern car. The directive is still being drafted, but it is expected that a number of mandatory measures will be prescribed. The entire product lifecycle is to be covered: cybersecurity must be considered in the planning, design, development, manufacturing and maintenance phases. Comprehensive documentation and reporting obligations (e.g., reporting of vulnerabilities and incidents) will be introduced. Furthermore, vulnerabilities must be fixed in a timely manner, and security-relevant updates must be provided for every product sold for at least five years.

Why waiting is not an option

By implementing measures from these directives early on, companies can ensure that they comply with the legal requirements as soon as the directives come into force in their country. This enables them to make a smooth transition and avoid potential sanctions or legal consequences.

Legal requirements aside, these directives aim to improve the security of network and information systems. Cyberattacks are a constant threat. Companies that take early action to strengthen their security standards are better equipped to counter these threats. By implementing security precautions and practices, organizations can identify and address potential vulnerabilities, increase the security of their systems, and reduce the likelihood of successful attacks.

This can minimize financial losses – cyberattacks can cause significant economic damage, whether through loss of data, business interruption or intellectual property theft. By taking proactive steps to secure their network and information systems, organizations can identify and address potential vulnerabilities, resulting in reduced financial risk.

In addition, compliance with the NIS 2 Directive can strengthen the trust of customers, partners and the public. With the increasing threat of cyberattacks, the security of network and information systems has become a major concern. Companies that demonstrably implement robust security measures and meet the requirements of the NIS 2 Directive can reinforce their image as a trustworthy and reliable business partner. This can lead to an improved competitive position, increased customer loyalty and a positive reputation.

The first steps

1. Impact assessment:
First, a comprehensive assessment of network and information systems must be conducted to identify potential vulnerabilities and risks. This includes analysis of critical infrastructure, identification of sensitive data, and assessment of potential threats.

2. Development of a security strategy:
Based on the assessment, a comprehensive security strategy should be developed. This strategy should include the security measures and practices necessary to raise the level of protection of the organization's network and information systems.

3. Implementation of technical and organizational measures:
Appropriate technical and organizational measures must be implemented to ensure the security of the systems. These include, but are not limited to, implementation of firewalls, intrusion detection systems (IDS), access controls, regular security updates and patches, secure configurations, and access restrictions.

4. Risk Management:
Effective risk management must be established to identify and assess risks and take appropriate countermeasures. This includes continuous monitoring, detection of security incidents, and rapid response to those incidents.

5. Incident Response Plan:
It is advisable to create an Incident Response Plan that defines clear procedures for handling security incidents. This covers communication, escalation procedures, recovery of systems and data, and collaboration with authorities and partners.

6. Training and awareness:
Employees should be briefed on security measures and made aware of potential threats. Training programs and regular security briefings can help raise cybersecurity awareness and empower employees to effectively perform security-related tasks.

7. Collaborate and share:
You are not alone! The NIS 2 Directive emphasizes collaboration and information sharing between companies, authorities and relevant stakeholders.

RISC Software GmbH is happy to support you in the development of secure and resilient software and to contribute its expertise. With its motivated team of experts, your software will be developed from the first step with regard to the highest quality and security. We will be happy to advise you on the implementation of your product idea or to update your established software to the latest state of the art.

Author

DI (FH) Stephan Leitner

Head of Unit Domain-specific Applications