NIS2 for more IT security: Many companies are not yet well prepared

Only a third of the approximately 30,000 companies affected in Germany are already well prepared for the NIS2 Directive coming into force.


Two thirds of companies affected by the EU's NIS2 Directive are lagging behind with implementation, a recent study by market researcher TechConsult and telecommunications provider Plusnet has found. In June 2024, IT managers, security officers and managing directors from 200 companies and organizations with 50 or more employees from the sectors subject to the NIS2 Directive were surveyed.

NIS2 obliges around 30,000 companies in Germany, including many SMEs, to step up their IT security efforts. There is a lot to be done: NIS2 requires, among other things, the introduction of an information security management system (ISMS), technical measures to increase cyber security, security in the supply chain, the implementation of emergency plans and risk management, business continuity management, employee training and comprehensive documentation.

Companies with more than 50 employees from 18 sectors are subject to the NIS2 rules as "particularly important" and "important" entities.

Only 29 percent of companies stated that they had already implemented all the necessary technical security measures, while a further 32 percent had partially implemented them. While half or more of those surveyed already use data encryption, backup software, security information and event management (SIEM) and update and patch management via a central software administration system, less than a third use the attack simulations required by NIS2. Only 42 percent of companies have mandatory security training, and 22 percent do not yet have mechanisms in place to detect, report and respond appropriately to security incidents.

Companies are well aware of the dangers of cyber attacks: three quarters of respondents had already experienced at least one attack on their IT infrastructure in the 12 months prior to the survey. Two thirds assume that the number of attacks will increase in the future. As a result, 38 percent of the companies surveyed consider the NIS2 Directive to be long overdue. The study is available for download in exchange for personal data.

Figure: Degree of implementation of the various NIS2 requirements (June 2024, 200 companies surveyed). (Image: TechConsult/Plusnet)

By October 17, 2024, Germany should have transposed the EU's NIS2 Directive on strengthening cyber resilience into national law. The current draft of the "NIS-2 Implementation and Cyber Security Strengthening Act" has already been approved by the cabinet. It will probably not come into force until spring 2025, after the Bundesrat has been consulted and the Bundestag has given its approval.

Online conference: NIS2 – what to do now

On November 5, renowned IT law and security experts will explain which companies are affected by NIS2, what exactly NIS2 and the German NIS2 Implementation Act require and which measures need to be implemented and by what deadlines. Other topics include the interaction of NIS2 with established security concepts such as ISO 27001 and IT baseline protection, the impact of the directive on incident response and the significance of NIS2 for suppliers and service providers. There will be plenty of room for questions from participants.

Further information and registration at https://nis2.heise.de

(odi)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.