NIS2: Mandatory cyber security training for management boards

The NIS2 legislation stipulates training for management. A look at the content of these and how often they must take place.


By Manuel Atug

The European Union laid down cybersecurity requirements in the NIS2 Directive (EU) 2022/2555, adopted in 2022 to put cooperation in cyberspace across the member states on a common footing. The member states had until October 17, 2024 to transpose the directive into national law.

Germany's most recent step was the Federal Government's draft law, Bundestag printed matter 20/13184 of October 2, 2024: the NIS2 Implementation and Cyber Security Strengthening Act, or NIS2UmsuCG for short. The draft was not passed in this legislative period, however. There were too many points of disagreement, and no compromise had been reached by the time the traffic light coalition collapsed.

Because the EU NIS2 Directive itself has been adopted, postponement is not abolition: the requirements will come, probably not before the fall, and the time until then is best treated as implementation time. One of the obligations to plan for is the training obligation for management boards.

NIS2UmsuCG § 38 paragraph (3) specifies a training obligation for the management of important and particularly important institutions, so that they can meet the implementation and monitoring obligation placed on them. The management level must acquire sufficient knowledge and skills to identify and assess risks and risk management practices in IT security, and to judge their impact on the services their own organization provides. For the management of institutions relevant under EU law, these requirements are sensible and appropriate.

The particularly important institutions include the already familiar critical infrastructures, that is, operators of critical installations. Depending on headcount, annual turnover and annual balance sheet total, organizations in the digital infrastructure and digital service provider sectors will in future also count as important or particularly important institutions. Further institutions from the energy, transport and traffic, finance, healthcare, water, research and waste management sectors are affected as well, as are manufacturing industry and the production and distribution of food and chemicals.

An opinion by Manuel Atug

Manuel "HonkHase" Atug is the founder and spokesperson of the independent AG KRITIS, which is committed to protecting critical infrastructures.

But what can such an implementation look like in practice, and what exactly needs to be done? The explanatory memorandum to the draft NIS2UmsuCG goes into more detail on scope and regularity and can serve as a guide to action. It states that the regularity requirement for management training is met if the training is offered every three years. As for the time involved, another passage in the explanatory memorandum assumes a duration of four hours.

Management should understand risk management in the area of IT security and be able to assess risks. Awareness training against phishing or CEO fraud belongs elsewhere; what is required here is methodological knowledge for making assessments within a functioning risk management process. Methodological knowledge does not change that quickly, yet many people are unable to assess risks appropriately. In that light the basic requirement is very sensible, and the three-year interval is defined in an unbureaucratic and appropriate way.

The core of such training is and remains risk management in information security, so it should begin with a basic introduction. Next comes the identification of IT security risks, which is essential to understanding what is at stake. The identified risks must then be analyzed and evaluated, followed by risk treatment and finally the monitoring of IT risk management as a whole. Once these steps have been covered, the methodological knowledge is in place and management can understand and assess risks appropriately and adequately.

Section 43 NIS2UmsuCG sets out similar requirements for the management of federal administration institutions with regard to information security. They, too, must acquire sufficient knowledge and skills to identify and assess risks and risk management practices in information security.

Responsibility for organizing the training, however, lies elsewhere. For the management of federal administration institutions, the explanatory memorandum to the unadopted NIS2UmsuCG refers in Section 43(2) to the Federal Academy of Public Administration at the Federal Ministry of the Interior as the provider of the training courses. As the central training provider of the federal administration it is therefore also responsible for their content, and it should accordingly add suitable and appropriate courses to its portfolio, which the management of federal administration institutions must then attend.


As long as the German implementation of the European NIS2 Directive has not been adopted and is not legally binding, each management board must decide for itself whether, when and what to implement. That is entrepreneurial freedom, but also entrepreneurial responsibility. The supposedly decisive argument, of course, is that no effort should be spent on implementing the NIS2 Directive until the legal requirements are in force. Against that, cyber damage is now devouring huge sums of money, and there remains a fundamental responsibility to act and to preserve trust. Customers and partners no longer accept that attacks succeed because basic security measures were never implemented.

iX conference on NIS2

Manuel Atug, the author of this article, will also be giving a presentation at the iX conference "NIS2 – what to do now". At the online conference on April 3, renowned experts will explain which companies are affected by NIS2, what exactly NIS2 and the German NIS2 Implementation Act require, and which measures must be implemented by which deadlines. There will be plenty of room for questions from participants.

Further information and registration at https://nis-2.heise.de

(sfe)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.