NIS2: Many businesses are not prepared yet – what can be done?

The draft of the NIS2 Implementation Act has been issued, and the Directive had to be transposed into national legislation by the 17th of October. This left businesses very little time to work out how they will put the NIS2 requirements into practice within their own company.

Alarming numbers: affected businesses are lagging behind

It is about time that organizations address the issue of NIS2. This means specifically: checking if they are affected and getting relevant measures underway, because their implementation will not happen overnight.

Many businesses, however, do not seem to be aware of this. That, at least, is what the figures of a study on the implementation of NIS2 in Germany suggest – a recent joint publication by market research firm TechConsult and telecommunications provider Plusnet. Two thirds of the surveyed IT managers, security officers, and CEOs of 200 companies and organizations with 50+ employees stated that the respective NIS2 measures have not been implemented yet.

This is particularly interesting, since the participants in the study work for organizations in sectors affected by NIS2. The hesitant approach does not seem to stem from a lack of problem awareness: the study also showed that three quarters of the companies had suffered one or more attacks on their IT infrastructure in the 12 months leading up to the study, and two thirds believe that incidents like these will become much more frequent in the future.

Thus the NIS2 Directive is right on cue – 38 percent even call it “way overdue”. How, then, can businesses start to take action and initiate implementation?

Practical steps for preparation

Is my business affected by NIS2?

First of all, you need to clarify whether your organization is affected by the NIS2 Directive. The focus is on so-called “Operators of Essential Services” (OES), i.e. all entities that operate essential services or infrastructures. These are then subdivided into two categories: essential and important entities.

Essential entities include:

  • energy (electricity, district heating and cooling, oil and gas)
  • transport (air, rail, water, and road)
  • banking
  • financial market infrastructures
  • health
  • manufacture of pharmaceutical products including vaccines
  • drinking water
  • waste water
  • digital infrastructure (internet exchange points, DNS providers, TLD name registries, cloud computing service providers, data center service providers, content delivery networks, trust service providers, and public electronic communications networks and electronic communications services)
  • public administration
  • space

Important entities include:

  • postal and courier services
  • waste management
  • chemicals
  • food
  • manufacturing of medical devices, computers and electronics, machinery equipment, motor vehicles
  • digital providers (online marketplaces, online search engines, and social networking service platforms)

In addition to the sector in which a business operates, size thresholds come into play. These refer to the organization size, which is measured in terms of revenue, balance sheet total, and the number of employees.

For essential entities, the following applies:

  • more than 250 employees
  • revenue: more than 50 million Euros
  • balance sheet total: more than 43 million Euros

Small businesses in these sectors that fall below all of the following thresholds are not affected by NIS2:

  • 50 employees
  • revenue: 10 million Euros
  • balance sheet total: 10 million Euros

The exceptions are certain special cases, which count as essential entities under NIS2 regardless of their size.

What are the requirements of NIS2?

Once it has been determined that your business is affected by NIS2 regulation, you should take a look at the requirements. Article 20 of the NIS2 Directive states that measures to increase cybersecurity within the company must be taken which ensure the protection of IT infrastructures and networks. These measures include, among other things:

  • Risk analysis and policies: policies on risk management and information security
  • Incident management: prevention, but also detection and handling of cyber incidents. Additionally, secure emergency communication systems must be in place.
  • Business continuity: business continuity management with backups, but also a systematically drawn-up crisis management plan
  • Supply chain: businesses must keep an eye on their entire supply chain and assess its security, including that of their suppliers.
  • Procurement: organizations must ensure the secure procurement of IT and network systems.
  • Effectiveness: the effectiveness of cyber and risk measures must be measurable, hence KPIs must be defined.
  • Training: employees must be made aware of cyber risks. Additionally, training and education need to be provided, as well as guidelines and recommendations for action.

In addition to the above list, there are further important measures – and those are specifically where Tresorit comes into play.

How does Tresorit facilitate NIS2 implementation?

Cryptography as a weapon against cyber attacks

Tresorit’s zero-knowledge end-to-end encryption offers comprehensive protection of users and data in the cloud. Specifically, this means: the data is encrypted with a key on the sender’s device. Only the recipient, who is in possession of another randomly generated key, can decrypt the data. All of this takes place automatically, and using Tresorit’s services requires no additional effort. Since only the sender and recipient have the respective keys, but not Tresorit, the data remains confidential in transit and at rest – even if an attack on Tresorit’s servers were to be successful.

Data security in internal and external communication

Our daily work routine relies on communication and collaboration – which of course means data has to be shared. If this happens in virtual data rooms, with automatically encrypted email attachments, or via a Cooperative Link that protects the file exchange in both directions, all content remains completely protected, both internally and externally. Tresorit offers integrations with Gmail, MS Outlook, Teams, Sentinel, Entra ID (previously AD) and Okta, so that your employees can continue using all the popular programs, but with additional security thanks to E2EE.

Access control for more security and transparency

Many cyber attacks aim to take advantage of weaknesses in access control to infiltrate a network. You can counter this with granularly configurable access rights. With Tresorit, you have the option to decide at a granular level who can access which data and for how long. This not only ensures transparency but also prevents unauthorized users or systems from accessing sensitive information. Thus, the risk of data leaks and potential misuse is mitigated.

NIS2-compliant asset management with E2EE

Tresorit’s automated data activity logs enable transparent and secure asset management. With the help of cryptographic authentication, applied to data using HMAC and AEAD constructions, file content can no longer be modified in secret. Hence you are always in complete control of what happens to your data.
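The integrity property described above, shown as an added example in plain Python (this is not Tresorit’s code or protocol, only an illustration of the HMAC pattern): a tag over the file content and its associated metadata (path, version) is computed with a shared key, and any silent change to the content, the metadata, the tag or the key is rejected at verification time. The key, file content and metadata below are constructed sample values.

```python
import hashlib
import hmac
import os
import struct


def _encode_parts(*parts: bytes) -> bytes:
    """Length-prefix every field so (b"ab", b"c") and (b"a", b"bc") cannot collide."""
    return b"".join(struct.pack(">I", len(p)) + p for p in parts)


def authenticate(key: bytes, content: bytes, associated: bytes) -> bytes:
    """HMAC-SHA256 tag binding file content to its associated metadata."""
    return hmac.new(key, _encode_parts(associated, content), hashlib.sha256).digest()


def verify(key: bytes, content: bytes, associated: bytes, tag: bytes) -> bool:
    """Constant-time comparison; False on any change to content, metadata, tag or key."""
    return hmac.compare_digest(authenticate(key, content, associated), tag)


def demo(key: bytes = b"") -> dict:
    """Run the tamper checks on constructed sample data and report each outcome."""
    key = key or os.urandom(32)                     # shared integrity key (hypothetical)
    content = b"Quarterly risk assessment, draft 3"  # constructed file content
    meta = b"path=/finance/risk.docx;version=3"     # constructed associated data
    tag = authenticate(key, content, meta)
    flipped_tag = bytes([tag[0] ^ 0x01]) + tag[1:]  # single-bit change in the tag
    return {
        "original_ok": verify(key, content, meta, tag),
        "content_changed": verify(key, content.replace(b"draft 3", b"draft 4"), meta, tag),
        "meta_changed": verify(key, content, meta.replace(b"version=3", b"version=2"), tag),
        "tag_bitflip": verify(key, content, meta, flipped_tag),
        "wrong_key": verify(os.urandom(32), content, meta, tag),
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {'accepted' if ok else 'rejected'}")
```

The protection only holds while the key is unavailable to the party that could alter the data; in an end-to-end model that key stays on the users’ devices rather than with the storage provider.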

Setting and complying with security policies

Who is allowed to change what, and how sensitive content may be handled, is something that organizations should define in their internal security policies. To facilitate compliance with these policies, Tresorit offers 2-step verification, IP filtering, and timeout and data exchange policies. These can be set and adjusted at an individual or group level.

Guaranteeing NIS2 compliance, enhancing resilience

We can only speculate about the exact reasons why so many of the surveyed organizations have yet to take measures towards NIS2 compliance. But if we look at the sheer number of different areas of activity for which businesses must find resilient solutions, we can conclude that a significant part of their hesitation is down to feeling overwhelmed.

They would be well advised to invest in a solution which covers a substantial part of the requirements at once – not just to comply with the requirements of the NIS2 Directive, but also to strengthen the cyber resilience of the entire company.

Would you like to find out more about how Tresorit can help you on your NIS2 journey? Visit our dedicated NIS2 page for more information!