With the NIS2 Directive, the EU has taken an important step towards improving cybersecurity.
This directive not only affects large and medium-sized companies, but also their service providers
and suppliers. Particularly when awarding software and web development contracts, companies now have
to pay more attention to compliance with security requirements.
What does the NIS2 Directive mean for clients?
For companies that outsource software and web development tasks, the NIS2 Directive means that
they must ensure their service providers comply with the prescribed security standards. This
includes the implementation of risk management measures, ensuring security in the supply chain, and
fulfilling reporting obligations in the event of security incidents.
- Supply Chain Security:
Clients must evaluate the security practices of their service providers and ensure that they comply
with the requirements of the NIS2 Directive. This also includes that service providers monitor their
own subcontractors and enforce security standards.
- Reporting obligations:
In the event of a security incident, service providers are required to report it to the responsible
CSIRT (Cybersecurity Incident Response Team) within 24 hours. Clients should ensure that their
service providers have the appropriate processes in place to meet these requirements.
- Contractual Safeguards:
Companies should specify security requirements and reporting obligations in their contracts with
service providers. This not only protects the client, but also ensures that the service provider
takes all necessary measures to comply with the NIS2 Directive.
Steps to NIS2 Compliance for IT Companies
To ensure NIS2 compliance, IT companies must take a series of measures. Here are the specific
steps that IT companies must carry out:
- Conducting a risk analysis: Analyze the potential security risks in your company and identify
vulnerabilities in your network and information systems.
- Implementation of a risk
management system:
Develop a comprehensive risk management system that includes both preventive and reactive measures
to prevent and manage security incidents.
- Supply chain security measures:
Ensure that all suppliers and service providers you work with are also NIS2 compliant. This includes
regular security checks and ensuring they have appropriate security protocols.
- Cybersecurity training:
Regularly train all employees in cybersecurity practices to ensure they are informed about the
latest threats and security protocols.
- Establishment of a
reporting procedure:
Set up clear processes for reporting security incidents to ensure that they are quickly and
efficiently reported to the relevant authorities.
- Regular security checks:
Conduct regular audits and security checks to verify the effectiveness of the implemented measures
and make continuous improvements.
Risk management measures for NIS2 compliance
To comply with the NIS2 Directive, companies must implement ten basic risk management measures.
Here are the measures and examples of how companies can implement them:
- Concept of Risk Analysis and Security for Information Systems: Conduct regular risk analyses to
identify threats and assess their impact on your information systems. For example, use software
tools to scan for vulnerabilities in networks and identify security gaps.
- Handling Security Incidents: Implement an incident response plan to be able to respond quickly
and efficiently to security incidents. For example, set up an incident response team that is
available around the clock.
- Business Continuity and
Crisis Management:
- Develop business continuity plans to
maintain operations even in severe disruptions.
Example: Create backups of critical data and regularly test recovery processes.
- Supply Chain Security:
- Evaluate and monitor the security
practices of your suppliers. Example: Regularly request security reports and audits from your
suppliers.
- Security measures for acquisition/development/maintenance of ICT:
- Integrate security requirements
throughout the entire lifecycle of ICT systems. Example: Conduct security reviews during the
development of new software.
- Concepts and procedures for evaluating the effectiveness of risk management measures:
- Regular review and updating of
security measures. Example: Use metrics and KPIs to assess and adjust the effectiveness of security
measures.
- Cyber hygiene and
cybersecurity training:
- Regular training for employees to
raise awareness of security threats. Example: Conduct regular security training and phishing
simulations.
- Cryptography and possibly encryption: Use encryption to protect sensitive data. Example:
Implement end-to-end encryption for all communication channels.
- Staff safety, access control concepts: Ensure that access to information is based on necessity
and authorization. Example: Implement role-based access controls and regular access reviews.
- Multi-Factor
Authentication:
- Use multi-factor authentication to
enhance the security of user accounts. For example,
implement MFA for all users who access critical systems.
In doing so, companies should consider the state of the art, European and international
standards, the cost of implementation, and the existing risk. The proportionality of the measures
must be evaluated depending on the risk exposure and the size of the company.
Challenges and Opportunities
Compliance with the NIS2 Directive brings both challenges and opportunities. While the
implementation of the required measures can incur costs, it also offers companies the opportunity to
improve their security standards and position themselves as trustworthy partners.
- Costs:
The implementation of security measures may require significant investments, especially for small
and medium-sized businesses.
- Competitive advantage: Companies that successfully implement the NIS2 Directive can position
themselves as secure and reliable partners in the market.
- Improved Security:
Compliance with NIS2 requirements leads to improved cybersecurity and stronger protection against
potential threats.
Source:
Austrian Federal Economic Chamber
Conclusion
The NIS2 Directive presents companies with new challenges, particularly in the outsourcing of IT
services. However, through careful selection of service providers, the adaptation of contracts, and
the implementation of strict security measures, companies can effectively meet the requirements of
the directive and significantly improve their cybersecurity.