06.02.2025

NIS2 and the ENISA “Implementing Guide”: How Digital Companies Can Effectively Enhance Their Cybersecurity

How can the technical requirements of the NIS2 Directive be implemented? This question will be the focus of discussion among eco members at the next regular meeting of the KRITIS Competence Group (CG), scheduled for 13 February 2025 at the DE-CIX Meeting Center in Frankfurt. Ulrich Plate, Head of the KRITIS CG, will present the current status of ENISA’s “Implementing Guide” at this event. You can already gain some insights from our brief interview with him.

Why is a European cybersecurity directive causing such a stir that it has dominated public debate for months now?

For the first time, NIS2 formulates concrete, unambiguous and absolutely binding minimum security requirements for companies within its scope of application throughout Europe. The previous legal framework only ever referred to the “state of the art”, which had to be adhered to. While this didn’t mean that the law could be interpreted arbitrarily, it lacked specific requirements. These were previously the subject of separate regulations, security catalogues or industry-specific standards. NIS2 improves on this by forming a legal basis that will make it easier to identify which measures a company’s cyber risk management needs to implement in the future.

Why have the technical and methodological requirements been further specified in a separate Commission Implementing Regulation (EU) 2024/2690? And what has prompted the European cybersecurity agency ENISA to create a comprehensive guide on the subject?

This implementing regulation only affects a specific part of the directive’s scope – namely, the sectors that fall under the category of digital services. The EU Commission is thus pursuing the primary aim of ensuring European harmonisation for those industries that in many cases are already operating internationally.

The ENISA guidance goes a step further. Not only does it break down the measures to be followed into individual steps, but it also provides detailed commentary on the regulation. What it also offers – and this is where it gets really interesting for companies that will be regulated in the future – is a concordance of the requirements from the directive and the regulation with international standards such as ISO 27001, the American NIST et al., and with individual national standards such as the Belgian “Cyberfundamentals”. In short: comprehensive reference tables that allow you to directly connect already implemented measures, perhaps even existing certifications, with the legal requirements. This greatly simplifies implementation.

How are the affected companies responding to the regulation? Do they find it difficult to implement the technical and methodological requirements of NIS2?

On the contrary. Anyone who still recalls the scepticism that existed ten years ago when the first KRITIS regulation was introduced for operators of critical infrastructure might be surprised by the almost enthusiastic reception of the NIS2 Directive. On the one hand, companies throughout Europe are now much more aware of the massive threats to cybersecurity than they were a few years ago. Many have already had bitter experiences with ransomware attacks or complete IT failures themselves, while others have witnessed horror stories at their customers or suppliers. Absolutely no one is naive enough to believe that something like this cannot happen to their own company.

On the other hand, we’re simply already well advanced in terms of adapting to international information security standards – and ultimately NIS2 is nothing more than a legal approach to the same standards that many companies are already using anyway. I still have in mind the evaluation of the IT security laws by the German Federal Office for Information Security (BSI), according to which over 86% of the companies surveyed from different critical infrastructure sectors declared themselves supporters of the legal requirements because these gave them a solid foundation for strengthening their cybersecurity. That’s something to work with.

Anyone who wants to learn more about the NIS2 Implementing Regulation (EU) 2024/2690 and the ENISA “Implementing Guide” should not miss the CG session on 13 February 2025 at the DE-CIX Meeting Center in Frankfurt.
