The NIS 2 Directive ushers in a new era of cyber security in the EU for financial service providers. Are you ready?
The NIS-2 Directive (the revised ‘Network and Information Security (NIS) Directive’), which came into force on 16 January 2023, regulates the minimum cyber and information security requirements for companies and institutions in the EU. In order to improve the level of security in the member states, it expands the existing cyber security requirements with a special focus on the risk management of the companies concerned, as well as on the initial registration and reporting obligations. EU member states must transpose NIS-2 into national law by October 2024. In our consulting projects, however, we often find that the significant expansion of the directive's scope of application is underestimated in ongoing implementation projects. Are you ready?
What is the background, and what is special about NIS-2?
As digitalisation progresses and the IT landscapes of organisations such as companies and public authorities become increasingly complex, regulations are constantly being adapted and expanded. This applies all the more to the topic of IT and information security.
In an increasingly interconnected world, one of the core questions will therefore be how to protect personal data, business secrets, critical infrastructures and society as a whole. One of the major challenges here is company-wide cyber security.
What are important aspects of cyber security? These include topics such as authentication and access control, encryption, firewalls & network segmentation, malware protection, internal security guidelines, patch and incident management as well as monitoring & auditing.
To this end, the existing NIS Directive was adapted at the beginning of 2023. It must be transposed into national law by 18 October 2024. This new directive, known as NIS-2 (2022/2555), aims to strengthen security requirements, take into account the security of supply chains, simplify reporting obligations and introduce stricter supervisory measures and harmonised sanctions throughout the EU.
In contrast to the previous national regulations (BSIG), NIS-2 applies regardless of whether the company is actually based in the EU. Instead, the directive applies to any company that does business in the EU and meets the threshold of 50 employees and a turnover (or balance sheet total) of €10 million. A basic distinction is made between Essential Entities and Important Entities. For financial service providers, this distinction separates essential entities (direct influence on financial market stability) from important entities (a major, though not critical, influence on financial market stability).
For both categories of companies, requirements for dedicated cyber risk management must be introduced and implemented. The directive obliges affected institutions to register in advance with the European Union Agency for Cybersecurity and to inform the national cybersecurity authority immediately of any significant disruptions and cyber threats to their critical services (cybersecurity-related incidents within the scope of their own incident management). They must also review their IT security against the state of the art and, if necessary, adapt it accordingly.
Existing standards such as IT-Grundschutz, ISO/IEC 27001 and the Cloud Computing C5 criteria catalogue are likely to cover only part of the NIS-2 requirements, so further technical and organisational measures will have to be taken to implement the directive.
Companies that have already introduced a comprehensive and effective information security management system (ISMS) and only need to make minor adjustments are at an advantage. Otherwise, it is advisable to introduce an ISMS together with NIS-2 as part of a single implementation project in the company.
CONCLUSION: Are you affected by this? And if so, what does this mean in concrete terms? Can we help you?
With the transposition of NIS-2 into national law from October 2024, not only large critical infrastructure operators will be affected, but also SMEs and presumably other organisations along the entire supply chain.
Be Shaping the Future – Performance, Transformation, Digital GmbH, a European consulting company for financial service providers and part of the Engineering Group, stands for digital transformation and information security and is happy to support you with its team of experts.
We help you with the implementation according to our proven process for NIS risk management.
We also support you in setting up effective reporting and notification processes for cyber threats, as well as in introducing an ISMS and obtaining ISO/IEC 27001 certification.
Our aim is to help you fulfil the requirements of the NIS 2 Directive and keep your information security up to date.
Contact us for more information:
André Köhler
Managing Partner Consulting Services, Information security
Mesut Arslan
Senior Consultant, Information security