Comment: Don't let NIS2 drive you crazy!

Panic surrounds the NIS2 security directive, according to providers. However, Dennis-Kenji Kipker advises companies to remain calm for now.

By Prof. Dennis-Kenji Kipker

If there is one current topic in cybersecurity that has been reported on everywhere recently, yet remains unclear to the vast majority of people, it is probably NIS2. In Germany at least, national implementation is still a long time coming; other countries such as Croatia are already much further along. However, the latest European legal act on cybersecurity casts its shadow far ahead: in the future, it will not only place obligations on critical infrastructures, but will also declare the defense against cyber threats to be a management task right down to SMEs. There is good reason for the excitement, as the fines for non-compliance with the new EU cybersecurity requirements can be enormous – not to mention the personal liability of company directors! And all this although the date of application in this country is still written in the stars.

An opinion by Dennis-Kenji Kipker

Dennis-Kenji Kipker is the Scientific Director of the cyberintelligence.institute in Frankfurt am Main and a Professor of IT Security Law.

What is rarely mentioned in all the reporting on NIS2, however, is the fact that NIS2 does not change everything, but is merely the successor regulation to NIS1. And that makes one thing obvious: we don't all need to drive ourselves crazy imagining that on this as yet unknown deadline – presumably sometime at the beginning of 2025, when NIS2 is finally implemented nationally – countless BSI assessors will swarm out of Bonn early in the morning to knock on the doors of SMEs and check them for NIS2 compliance. The following scenario is much more realistic: nothing happens at first. And for good reason, because the BSI will not sanction anything that it does not itself know how to assess. For many sectors that are now covered by NIS2 for the first time, there are neither standards nor other best practices for cybersecurity management. As was the case with NIS1 in 2016, it is therefore a matter of first establishing such standards – and that takes time.


Of course, this statement should not tempt us to do nothing. But let's be completely honest: neither the BSI nor the responsible Ministry of the Interior has the capacity and expertise to develop and test many new cybersecurity standards for all conceivable sectors and companies of all sizes throughout Germany. That's why, at the beginning – and here we're talking about the liability of business managers again – it's primarily about being able to prove that you weren't grossly negligent in failing to initiate operational cybersecurity risk management in the first place. And precisely because cybersecurity best practices do not simply fall from the sky, at least one recommendation should be made here: companies that want more legal certainty in the implementation of NIS2 can proactively contribute to the development of their own industry-specific standards through their industry associations by forming working groups.


This commentary is the editorial for iX 7/2024, which will be published in the heise Shop on June 27 and at newsstands on June 28. The most important topics are AI coding assistants, the new Linux file system Bcachefs and how ransomware tricks AV software.


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.