The EU's new NIS-2 Directive means that critical infrastructure operators (KRITIS) and companies categorised as "important" in Germany must update their cyber security concepts. There are only a few months left to implement the security standards of the NIS-2 Directive. Find out what NIS-2 is all about and what affected organisations need to pay attention to now.
The first version of the NIS-2 Directive was published on 27.12.2022 and is to be implemented by EU member states and the respective KRITIS organisations by autumn 2024. NIS-2 stands for Network and Information Security 2 and is an initiative of the EU Commission to strengthen cyber security.
Its purpose: to make "important" and "particularly important" infrastructures more resilient in times of increasing cyber threats. It builds on the first NIS Directive from 2016 and expands the scope to include other sectors such as digital service providers and certain online platforms. Among other things, the directive sets out minimum security requirements for risk management and defines reporting obligations for cyber security incidents.
NIS-2 defines EU-wide standards and requirements for the security of KRITIS and amends existing guidelines of the Federal Office for Information Security (BSI). The abbreviation KRITIS stands for critical infrastructures, i.e. organisations and institutions from sectors such as energy supply, water, healthcare, transport or telecommunications. What they all have in common is that they fulfil fundamental and in some cases vital functions for the community and must therefore be protected against cyberattacks with particular rigour.
The EU's NIS 2 Directive supplements and expands the protective measures that have already been taken under previous KRITIS legislation. However, the legislation also increasingly affects commercial enterprises, which are defined as "important" or "particularly important" organisations depending on their size and annual turnover. As the threat situation and the methods and technologies used by hackers are evolving very quickly
According to Bitkom, cyberattacks cost the German economy over 200 billion euros per year. Reason enough for affected organisations to make cyber security a top priority - or so you might think. However, the reality is different: A recent survey shows that half of all employees believe a cyberattack on their own company is unlikely, while only one in four line managers is considered to have exemplary behaviour when it comes to IT security.
The discrepancy between this and the actual likelihood of companies falling victim to a cyberattack is alarming: In 2022, the Federal Criminal Police Office registered over 130,000 cases of cybercrime, making it one of the crime areas with the highest potential for damage in Germany. In particular, the number of offences originating from abroad and causing damage in Germany is rising sharply. 49 per cent of KRITIS operators state that they are experiencing a sharp increase in cyberattacks on their company.
In Germany, KRITIS operators must fulfil both the requirements of KRITIS legislation and the specifications of the NIS-2 directive. Anyone hearing about this for the first time usually has no precise idea of what this means in concrete terms. In cases of doubt, external cyber security service providers help with the step-by-step implementation of NIS-2-compliant security concepts. Networks and information systems are first subjected to a comprehensive risk analysis, on the basis of which suitable security measures are then evaluated and implemented.
These include access controls, encryption technologies and an incident response plan (IRP), which enables quick and effective countermeasures to be taken in the event of a cyberattack and limits the potential damage. Raising employee awareness of cyber threats through appropriate training measures is also an integral part of any NIS-2-compliant security concept. ISO 27001 provides guidance: organisations that are ISO 27001-certified can assume that they already fulfil the majority of NIS-2 requirements.
KRITIS operators as well as "important" and "particularly important" institutions are legally obliged by the NIS-2 directive to take suitable, proportionate and effective technical and organisational measures. This enables them to protect the IT and processes of the services they provide, avoid disruptions and minimise the impact of security incidents. Important to know: Companies affected by NIS-2 must proactively register with the BSI. Failure to do so can result in severe penalties.
It is therefore important for those affected to promptly determine the extent to which they are affected by NIS-2 - and what measures are required by October 2024 in order to fulfil the new requirements. The numerous security-relevant areas of action include, for example
Ultimately, the NIS-2 directive is about the continuous monitoring and updating of security measures in order to be able to react to dynamic threat situations and the associated requirements. UEM systems play an important role here: they are well suited to supporting organisations in implementing the requirements of NIS-2.
UEM stands for Unified Endpoint Management. UEM systems manage and control end devices centrally and provide security updates and patches automatically. They also enable the configuration of security settings in accordance with company guidelines and the monitoring of compliance standards in real time. Unified endpoint systems thus improve the ability to respond to security incidents - and give companies exactly the capabilities they need to fulfil the requirements of NIS-2.
There is currently no transition period for the implementation of the NIS-2 directive. This means that affected companies are under great pressure to implement the requirements by October 2024. Aagon is also keeping an eye on developments in connection with NIS-2 and will be adding new features to the ACMP Suite over the course of the year that are aimed at implementing the NIS-2 requirements, such as multi-factor authentication for the ACMP Console, which will be available soon. Our ACMP Suite also offers important functions for documentation and therefore for risk assessment via reports and in asset and licence management.
Through our interpretation of SOAR (Security Orchestration, Automation and Response), we also combine various security tools and programs from the ACMP environment: Managed Software, Desktop Automation, CAWUM, Vulnerability, Defender and BitLocker Management. This bundling enables companies to react to detected threats in an automated, prioritised and therefore efficient manner with the ACMP Suite. Comprehensive patch management also ensures that deployed software is always provided with the latest security updates.
In Germany alone, around 30,000 companies need to take action due to the NIS-2 Directive. Decision-makers should therefore quickly check whether they are one of these companies or whether they are indirectly affected as a supplier, as they must register with the BSI independently as "important" or "particularly important" companies. And they should not take much longer to do so: Checking the current security standards and setting up NIS-2-compliant concepts are complex processes - but they can be considerably simplified by using a UEM solution.