- eco Association provides tips for companies on how to strengthen their digital infrastructure and fulfil the regulatory requirements of the European NIS2 Directive
- 75.2 per cent of IT experts see potential for improvement in digital infrastructure when it comes to protection against cyberattacks
The resilience of IT infrastructures remains a challenge for the economy. This is shown by a recent eco survey. 75.2 per cent of IT experts in Germany see potential for improvement when it comes to arming them against cyberattacks. From the perspective of many experts, local data networks and individual servers in particular are often only moderately protected against cyberattacks or hacker attacks. Only around one in ten experts (10.7 per cent) attest to the generally used digital infrastructures in Germany having good or very good security. In November, the market and opinion research institute Civey surveyed 503 IT experts on their assessment of the security of the digital infrastructure in Germany.
“The IT infrastructure in Germany is fundamental to the functioning of our society,” says Klaus Landefeld, Board Member of the eco Association. “We therefore welcome the goal of politics and business to make the digital infrastructure in Germany more resilient. Companies and institutions in particular, which belong to the so-called essential institutions according to the NIS2 Directive, will have to pay more attention to compliance requirements in the future and should prepare for them today,” states Landefeld and gives companies the following tips on how to increase their resilience – SMEs in particular need to catch up quickly:
– Check the legal texts yourself to see whether you could fall under the critical infrastructures (KRITIS) umbrella act. According to the current draft of the umbrella act for the protection of critical infrastructures, significantly more companies will in future belong to the group of those who have to fulfil statutory minimum standards for IT security. If you are unsure, get help, for example from the BSI (German Federal Office for Information Security) service centre.
– Get your business processes up to scratch by analysing them and assessing the risks. Derive the necessary action steps from this. Critical business processes in particular should be protected as well as possible.
– Make (written) plans for emergencies and designate contact persons within the company in the event of an emergency. An emergency manual is mandatory for critical infrastructures (KRITIS) companies. However, non-CRITIS companies can also benefit from this. For example, use it to regulate processes for restarting after an IT failure or security incident. The emergency manual also includes regularly checked backups and clear communication channels.
– If you are a critical infrastructures (KRITIS) company, be aware of what data you store where and how sensitive it is. The data must be assessed in terms of confidentiality, integrity and availability. It is also important to consider the cumulative effect: if you store a lot of non-critical data on just one server, it becomes critical.
– Make IT security a top priority, as emphasised by the NIS2 directive. In future, Managing Directors will also be privately liable for any omissions.
– Find out which reporting obligations you have to fulfil in the event of an incident following the introduction of NIS2. Include these in your emergency manual and clearly define who is responsible for reporting.
– A regular review of the implemented security measures and the emergency manual is mandatory. Establish clear cycles in which these are reviewed and document them clearly.
– Depending on the industry, even more specific security requirements may apply than those stipulated by NIS2. Find out in advance about your industry-specific standards.
– If you have any questions, please get in touch with our Competence Group KRITIS and get actively involved in the working groups on regulatory and operational aspects!
Download graphic
Download photo
