NIS 2 Requirements in Information Security – How companies should prepare for the new regulation

NIS 2 Requirements in Information Security

With the introduction of NIS 2, companies must comply with new cyber security standards. Failing to act now jeopardizes your own security and competitiveness, as well as your compliance with legal requirements. Take this opportunity to strengthen your systems and secure the trust of your customers and partners. In our article, we explain in detail the new requirements, the extended scope of application, and who is affected by the new NIS 2 requirements.

From October 2024, the new requirements of the NIS 2 directive apply to IT security

The NIS 2 directive officially entered into force in October 2024 after being adopted by the European Parliament in 2022. Transposition into national law is mainly the responsibility of the legislative bodies, in particular the Federal Ministry of the Interior and Home Affairs (BMI), in cooperation with the Federal Parliament (Bundestag) and Federal Council (Bundesrat), with the aim of strengthening security standards in network and information systems.

Companies must take several steps to comply with the directive by that date. With NIS 2, these requirements affect a broader range of industries and represent extended obligations in the cybersecurity field.

Transposition into national law in October 2024

  • Implementation deadline: By October 2024, all EU member states must have transposed the NIS 2 directive into national law. As of this date, companies must comply with the new, stricter cyber security requirements. No grace period will be given!

  • Validity of the new regulations: From October 18, 2024, the new security requirements will be binding for companies that fall within the scope of NIS 2. This also includes companies not previously affected by the original NIS Directive.

1) New requirements for affected companies in the automotive industry:

Extended reporting obligations for security incidents in the NIS 2 directive:

Companies in the automotive industry must ensure that they can report cyber incidents to the BSI quickly and completely; a working reporting process is part of an effective security strategy.

The BSI receives these reports, evaluates them, and coordinates the response to the security incident if necessary. It ensures that incidents are dealt with quickly and effectively to prevent major damage.

The NIS 2 directive requires incidents to be reported to the relevant authorities within 24 hours of detection. This includes not only reporting security incidents but also an initial assessment of the situation.

A detailed report on the incident must be submitted within 72 hours, containing information on the cause, the systems affected, and the measures taken. This strict deadline ensures that threats can be detected and countered early to prevent major damage.

Stricter information security requirements in the automotive industry

The NIS 2 directive extends the security focus to all IT and OT (operational technology) systems used in the automotive sector.

This means that not only traditional IT systems such as servers, networks, and end devices need to be protected, but also production systems. As modern vehicles are increasingly connected to the internet and become part of a global network, they must be protected against cyber attacks just like other IT systems. You must ensure that all systems are checked for vulnerabilities and that regular security updates are carried out.

Supply chain management for critical infrastructure:

A core element of the NIS 2 directive is the protection of the entire supply chain. Companies in the automotive industry work with numerous suppliers and service providers who may have access to sensitive data or critical infrastructure.

The directive requires companies to actively monitor the security of their supply chain and ensure that all partners involved implement appropriate security measures. This can be done through contracts, audits, and regular security assessments to improve cyber hygiene. A vulnerability at one supplier can potentially jeopardize the entire supply chain, which is why this topic should be taken very seriously.

Risk management for critical infrastructure - NIS 2 requires constant monitoring in the automotive industry

As a company, you need to introduce specific risk management for critical infrastructures tailored to the particular threats in the automotive sector.

Risks in the supply chain must be constantly monitored and managed to avoid security incidents. This means that risks to all IT and OT systems that are essential to operations and production must be regularly identified, assessed, and mitigated.

This risk management must be dynamic and adapt to the constantly changing threat landscape. Companies need to develop processes to respond quickly to emerging risks. Their systems must be robust enough to fend off cyber attacks.

Consistent implementation is required for compliance responsibility

Every company must appoint a person responsible for ensuring compliance with the NIS 2 directive. This role is often assumed by a Chief Information Security Officer (CISO) or Information Security Officer (ISO), who is responsible for implementing the security guidelines throughout the entire company. These officers are often supported by experienced consultants.

They also monitor compliance with the new requirements and are the point of contact for the competent authorities. This person bears considerable responsibility, as violations of the directive can lead to significant penalties.

Sanctions for non-compliance with NIS 2 requirements:

The NIS 2 directive introduces stricter sanctions to ensure compliance with security regulations. Non-compliance can result in fines of up to 2% of the company’s global annual turnover.

These high penalties are intended to motivate companies to take the requirements seriously and take proactive measures to protect their systems. In addition, breaches of security standards can lead to reputational damage that could have a serious long-term impact on business, especially in a highly regulated sector.

2) Essential requirements that are new compared to ISO 27001

Systematic threat analysis as a new requirement:

While ISO 27001 already requires a risk assessment, NIS 2 goes one step further by prescribing a systematic and regular threat analysis. Companies must continuously monitor the threat landscape and adapt their protective measures to new threats.

These analyses must be documented and integrated into the company’s security strategy. The aim is not only to identify existing risks but also to anticipate possible future threats and take proactive measures.

Obligatory cooperation with public administration (authorities):

A key difference to ISO 27001 is the mandatory cooperation between companies and authorities, as well as with other players within the industry.

The NIS 2 directive requires the exchange of information on threats, incidents, and best practices. This is intended to increase collective security and ensure that all affected companies can react quickly to new threats. Companies are encouraged to set up appropriate communication channels and participate in initiatives to improve cyber security.

Protection of critical services and systems:

The NIS 2 directive requires companies to provide special protection for critical services and systems and for important facilities that are of national interest. In the automotive sector, these could be systems required for the production of safety-critical components or for the operation of autonomous vehicles. Such systems should be protected through strengthening measures such as multi-factor authentication.

These systems must be specially secured and monitored to ensure that their integrity and availability are not jeopardized by cyber attacks. This often requires additional security measures that go beyond the basic requirements of ISO 27001.

Industry-specific mandatory awareness training for employees

The NIS 2 directive emphasizes the importance of regular and specific training for all employees. While ISO 27001 provides for general security awareness programs, NIS 2 requires that this training be tailored to the specific threats and challenges of the industry to increase its effectiveness.

Employees must be informed not only about basic security principles but also about current threats and correct incident response mechanisms. This training needs to be updated regularly to reflect the latest developments in the cyber security landscape.

Increased reporting obligations through regular security reports to authorities

NIS 2 introduces stricter reporting obligations that go beyond the requirements of ISO 27001. Not only must incidents be reported to the BSI, but companies must also submit regular reports on their security measures, risk assessments, and threat analyses.

These reports must be detailed and enable the authorities to assess the company’s security situation and request additional measures if necessary. The increased transparency is intended to help the authorities develop a comprehensive understanding of the cyber security landscape and take targeted protective measures.

Extended due diligence by reviewing cyber security measures at suppliers

The NIS 2 directive introduces an extended due diligence that goes beyond the requirements of ISO 27001. Companies are obliged to check not only their own systems but also those of their suppliers and service providers for security risks.

This requires close cooperation with all parties involved in the supply chain and the implementation of security standards at all levels. Companies are required to ensure that their partners implement similar security measures and that these measures are regularly reviewed. Our ISO 27001 consultants will be happy to help you.

These detailed requirements illustrate how NIS 2 is changing and strengthening the cybersecurity landscape for businesses, particularly in the automotive sector. A thorough implementation of this directive is crucial to countering the growing threats in the networked world effectively.

The NIS 2 requirements bring new responsibilities for management and specific measures per sector

1. Extended scope and sector-specific requirements

  • Extension to new sectors: The NIS 2 directive extends the scope of application to more sectors than before. These include the healthcare industry, digital infrastructure, and medical equipment manufacturers.
  • Sector-specific requirements: Each industry has its specific cybersecurity challenges. Companies have to develop sector-specific security measures that are tailored to their particular risks and threats.

2. Responsibility at the management level

  • Management liability and responsibility: Senior management is fully responsible for compliance with cybersecurity regulations. Managers must ensure that all requirements of the NIS 2 directive are implemented in the company. They can be held personally accountable for violations.
  • Establishing governance structures: By establishing clear governance structures, companies define who is responsible for cyber security. This includes establishing cyber security committees and appointing persons responsible for implementing and monitoring security measures.

3. Measures to increase resilience

  • Resilience strategies: Companies are required to develop resilience strategies that go beyond IT systems protection. These strategies must be designed to ensure the company remains operational during and after a cyberattack, allowing it to resume normal operations quickly.
  • Business Continuity Management (BCM): Companies and organizations must develop plans to ensure that critical business processes can continue not only in the event of IT failures but also in the event of other failures, such as power outages or other exceptional situations.

4. Technical and organizational measures

  • Data encryption: Strong encryption technologies should be used to protect sensitive data both at rest and in transit. All critical data stored or transmitted in company systems must be secured using suitable encryption methods. This significantly reduces the risk of data loss or theft in the event of a cyberattack.
  • Technical protective measures: In addition to general IT security precautions, specific measures, such as continuous network monitoring and the implementation of intrusion detection systems (IDS), are also required. These measures are necessary to detect and avert potential threats at an early stage.
  • Organizational measures: Organizational structures must be geared towards responding rapidly to and effectively managing security incidents. This includes the establishment of incident response teams and the regular implementation of emergency drills.

5. International cooperation and exchange of information

  • Cooperation between EU member states: The new directive promotes increased cooperation among EU member states. Large companies with an international presence must be prepared to cooperate across borders to effectively counter threats.
  • Information exchange at the EU level: The NIS 2 directive calls for the active exchange of information on cyber threats and security incidents at the European level. The necessary channels must be set up to support this exchange.

6. Extended documentation and verification obligations

  • Extended obligations to provide evidence: Affected companies must keep comprehensive documentation that proves compliance with the NIS 2 requirements. This documentation must be updated regularly and submitted to the competent authorities if required.
  • Retention periods for documentation: There are strict requirements for retaining security-related documentation. Companies are responsible for ensuring these documents are stored and easily accessible for a specified period.

7. Security requirements for cloud services and third-party providers

  • Cloud security: There are clear requirements for the security of cloud services. Cloud solutions used must meet the highest security standards and be regularly checked for vulnerabilities.
  • Third-party obligations: The security of the entire supply chain is crucial. Regularly check whether your third-party providers have also implemented strict security measures.

8. New requirements for reporting and communication channels

  • Procedures for reporting security incidents: Affected companies and organizations must establish clear and effective procedures for reporting security incidents. These procedures must be organized so that security incidents are reported quickly and completely to enable a timely response.
  • Extended reporting to supervisory authorities: In addition to incident reporting requirements, companies must also submit regular reports to regulators on the status of their cybersecurity measures and risk management.

9. Alignment and integration with other security standards

  • Integration with existing standards: Companies must adapt their security measures so that they meet the requirements of the NIS 2 directive as well as other relevant standards such as ISO 27001 or TISAX®. This requires careful analysis and adaptation of current processes.
  • Standardization of security processes: Companies should standardize their cybersecurity processes to avoid redundancies and facilitate compliance with different standards. This leads to more efficient security operations and better compliance.

10. Future developments and adaptability

  • Adapting to future threats: The threat landscape is constantly evolving. Companies need to develop dynamic security strategies that are flexible enough to respond to new threats and technologies.
  • Further development of the directive: NIS 2 may evolve to respond to future challenges. Companies should, therefore, continuously review their security strategies and adapt them to new legal requirements.

About the Author

Can Adiguzel is the founder of 360 Digital Transformation. He is a TISAX consultant and ISO 27001 Lead Auditor. He has been working in IT project management for more than 11 years. His passion is information security for SMEs and he helps SMEs overcome their information security challenges with a hands-on consulting approach.