OMICRON Magazine

These new regulations will make cybersecurity measures mandatory for all market participants. This will ensure greater security and a level playing field: companies that invest in security will no longer be at a competitive disadvantage. As a result, investing in the latest security standards makes more sense from a business point of view—failure to comply results in the high costs associated with a successful attack and the penalty of sanctions. At the same time, many cyber insurance policies depend on compliance with these standards. Failure to implement the necessary measures (e.g., contingency management, backup management, anti-virus protection) may result in reduced insurance coverage or none at all, which is a risk of its own.

What should you do first?

Even before the legal requirements are finalized, preparations can be made to strengthen your company’s cybersecurity posture significantly.

› Conduct an impact assessment: If it’s unclear whether your company will be affected by NIS2 legislation, you should take advantage of a free assessment offered by national security institutions such as BSI (Germany) or the WKO Online Ratgeber (Austria).

› Define responsibilities: Identify and train individuals responsible for IT and OT system information security. These individuals should also become the single contact point for reporting requirements.

› Involve senior management: Senior management must communicate cybersecurity information to the rest of the organization.

› Determine security status: Use requirement catalogs such as ISO 27001 Annex A, NIST CSF, or the ICT Minimum Standard to assess your organization’s security status and prioritize actions. Service providers also offer specialized cyber risk assessments for this purpose. A complete asset inventory is the foundation for effective risk and vulnerability management, especially in OT. Following the “I can only protect what I know” principle makes creating an inventory a top priority.
External experts can help establish security processes more effectively at an earlier stage. However, the knowledge gained by a company must be sustainably integrated.

Using NIS2 for concrete implementation

Cyber risk management is a key requirement for companies covered by NIS2 legislation. As mentioned above, the first step is identifying cyber risks. The process consists of several steps:

1. Identify key business processes: What processes are critical to your business or the delivery of business-critical services?

2. Identify the relevant IT/OT components: Map processes to the appropriate assets, such as IT/OT assets or buildings, including responsibilities.

3. Perform risk analysis: Use the asset inventory to determine the magnitude of damage and the likelihood of risks occurring. Relevant standards (ISO 27005, BSI IT-Grundschutz) can optionally be used as a basis.

4. Plan actions: Reduce risks to an acceptable level with state-of-the-art measures. Implementing legally required measures, such as attack detection systems in Germany, should be a priority.

5. Document comprehensively: All specifications, plans, and implementation of measures must be documented. This includes regularly monitoring the effectiveness of measures.
