Cyber-attacks, reporting obligations, emergency plans: What the NIS-2 directive means for businesses


The NIS-2 directive has been legally binding in Germany since 6 December 2025 and affects around 29,500 companies. As the successor to the original NIS directive from 2016, NIS-2 expands the scope of application and imposes stricter requirements on companies, especially those operating in critical sectors (CRITIS). But what does the abbreviation NIS stand for, and what does the directive mean in practice? In addition to clarifying these questions, this article looks at business continuity management, which enables companies to remain operational even in crisis situations thanks to an emergency plan.


What is NIS-2? A definition of the term NIS

The abbreviation NIS stands for ‘Network and Information Security’; NIS-2 is the second Network and Information Security Directive. The first NIS Directive was launched by the EU in 2016 to improve cybersecurity measures in critical sectors. With the introduction of NIS-2, the requirements are tightened and extended to more sectors and companies. Essentially, it is a revised and expanded directive designed to ensure that all relevant companies within the EU (especially in the CRITIS sector) implement robust measures to defend against cyber threats. A key objective is to eliminate inconsistencies between EU member states in terms of cybersecurity requirements.


Which companies are affected by the NIS-2 Directive?

Two criteria determine whether a company is affected by the new directive. The first is the size of the company and the second is the sector in which the company operates. If the company has at least 50 employees and an annual turnover of at least 10 million euros, then the first criterion is fulfilled.

A total of 18 sectors were defined for the assessment of the second criterion, most of which are similar to those of the CRITIS categorisation. Sometimes it is not so easy to answer the question about the business sector. The BSI (Federal Office for Information Security in Germany) therefore offers a short questionnaire which you can use to find out in just a few steps whether your company belongs to one of the sectors concerned.

Every rule has its exceptions – including, of course, the NIS-2 directive. Some organisations must meet the NIS-2 requirements regardless of their size because a cyber-attack there would cause particularly great damage. Other organisations, on the other hand, are excluded from the scope of application despite fulfilling the criteria, for example organisations in the public security sector.


What does NIS-2 mean in practice?

Companies from critical sectors such as energy, transport, water, health or finance are affected by the NIS-2 directive – but also IT services such as DNS services, telecommunications providers or internet exchange points. Cloud providers, data centres or less obvious sectors such as IT service providers or e-commerce platforms must also comply with the new directive. All of these companies must take strict security precautions, report incidents and carry out regular assessments of their systems. The EU NIS Directive also sets out clear reporting obligations to strengthen cooperation between companies and the competent national authorities.

The 18 sectors mentioned above are divided into "Essential Entities" (eleven sectors) and "Important Entities" (seven sectors or medium-sized operators of all sectors). This determines the scope of state supervision and the penalties that are due in the event of non-compliance.


NIS-2 as a competitive advantage – a head start through compliance

Supply chain management and compliance are key points of the NIS-2 directive. This can be turned into a competitive advantage: companies that have implemented NIS-2 solidly are an attractive choice on the market. A potential customer that is itself obliged to comply with NIS-2 will ultimately decide in favour of the supplier that meets the directive's high requirements.

Even if you are not affected by NIS-2, you should, of course, take cybersecurity seriously. Big issues like this can often seem overwhelming at first glance: Where do I start, what do I need to consider? What rules are there, which tools are useful? The BSI has therefore defined the so-called “IT-Grundschutz” (Basic IT Protection Compendium), which provides support here.


What is the BSI Basic IT Protection Compendium?

The BSI Basic IT Protection Compendium has existed since 2017. It addresses everyone responsible for information security in their work – regardless of whether they work for a public authority, a company or an institution. It contains rules, instructions and checklists and is based on the so-called Basic IT Protection Modules. This enables both large companies that operate an information security management system (ISMS) and smaller institutions without an ISMS to implement important security requirements quickly. It takes a holistic approach that considers not only technical aspects but also organisational, personnel and infrastructural issues.

The BSI Basic IT Protection Compendium is not mandatory for most companies. However, it is a recognised method for meeting the requirements of ISO 27001 certification. ISO 27001-certified companies can thus demonstrate that they meet information security requirements in line with international standards.

Business Continuity Management within the framework of NIS-2

For IT service providers, protecting core processes and keeping operations running are regularly the most important services to offer. This is because NIS-2 requires companies to implement a security incident handling policy that ensures all threats are quickly recognised and reported. These measures also include employee training, the introduction of technical protection mechanisms and the continuous monitoring of IT systems. Preventive measures that reduce the likelihood of a critical process failing in the first place are also part of the NIS-2 requirements.


Practical insight into emergency response plans: What happens in the event of a hacker attack?

With the NIS-2 directive, business continuity management is no longer just a good idea to make a company crisis-proof, but a legal requirement. Various service providers have specialised in analysing business-critical processes and provide support in the creation of emergency concepts and security guidelines.

[Chart: costs and risks of IT operations with and without EIKONA Business Continuity]

*According to the Hiscox Cyber Readiness Report and the Bitkom study “Economic Security 2025”, the cost of a successful ransomware attack on small and medium-sized enterprises often falls within this range. **This figure is an average for a logistics company with approx. 50–100 employees. Calculation: With an annual turnover of approx. €15–20 million, the company generates around €60,000–80,000 in turnover per working day (approx. 250 days). ***Depending on shipment volume.

Even if a company does not have to operate in compliance with NIS-2, it should still have an emergency plan in place. After all, every company that uses a transport management system (TMS) shares the concern that a cyber-attack could paralyse its systems and with them all warehouse processes. The ability to continue working even in an emergency is therefore invaluable – regardless of whether the company is a large cooperative or a smaller freight forwarder.

When establishing business continuity management, the first step is to work with the IT service provider to develop a contingency plan. Which processes are critical and must be protected at all costs, and what data is needed to keep them running? A backup system is then implemented that can be activated at the touch of a button in an emergency. It is hosted in the cloud, so it remains independent of compromised systems, and operations switch seamlessly from the main system to this secondary system. This allows critical functions such as warehouse scanning, dispatching, input and output processing, and status updates to partners to continue running. Once calm is restored, operations return to the main TMS, which then contains all the data from the crisis period.

Conclusion

Whether subject to NIS-2 or not: business continuity management makes companies crisis-proof

Successful digitalisation can only work hand in hand with information security. The NIS-2 directive is an important step towards protecting Europe’s critical infrastructures from cyber-attacks. Companies must review their internal security processes in order to achieve the necessary NIS-2 compliance. IT service providers can help with implementation, for example by creating a contingency plan.

However, even companies that are not subject to NIS-2 should implement business continuity management. Contingency plans and backup systems ensure that business operations can continue even in the event of a cyber-attack. This security is extremely valuable, especially in disruptive times like the present.