The European directive NIS-2
With increasing digitalisation, industrial espionage and the current political situation surrounding the war in Ukraine, the potential threat from cyber-attacks is also on the rise. To counter this threat, the European NIS-2 Directive (“NIS-2”) imposes higher security requirements on many organisations, helping them to respond faster and better to cyber crises at both national and EU level. The Directive must be transposed into national law by October 2024. Document management plays an important role here and can contribute to the implementation of NIS-2 and to the operation of an Information Security Management System (ISMS). In most cases, however, adjustments will also be necessary.
The NIS-2 Directive and the sectors affected
Those who previously thought they could ‘hide’ from cybersecurity regulation because of their size, sector of activity or perceived low risk must now realise that the circle of affected companies has been significantly widened. The regulations apply to companies with 50 or more employees in 18 market sectors.
Thus, in addition to the expected CRITIS sectors (energy, transport, water, health, waste, digital infrastructure, public administration and space), NIS-2 also affects qualified trust service providers, top-level domain registries and DNS service providers, providers of public electronic communications networks or publicly available electronic communications services, and public administrations.
Furthermore, NIS-2 is relevant to postal and courier services, waste management, chemicals (production and trade), food (production, processing, distribution), manufacturers of certain goods (including medical devices, data processing equipment, mechanical engineering, motor vehicles), digital service providers (social networking platforms) and research organisations.
The measures based on NIS-2
The Directive provides for uniform and more comprehensive measures for operators. Risk management measures must be implemented effectively, following a risk-based approach, and responsibility for them lies with senior management. They include, but are not limited to:
(a) approaches to risk analysis and security for information systems;
(b) security incident management;
(c) business continuity, such as backup management, disaster recovery and crisis management;
(d) supply chain security, including security aspects of relationships between individual institutions and their direct suppliers or service providers;
(e) security measures in the acquisition, development and maintenance of network and information systems, including vulnerability management and disclosure;
(f) policies and procedures for assessing the effectiveness of cybersecurity risk management measures;
(g) basic cyber hygiene procedures and cybersecurity training;
(h) policies and procedures for the use of cryptography and, where appropriate, encryption;
(i) personnel security, access control policies and asset management;
(j) the use of multifactor authentication or continuous authentication solutions, secure voice, video and text communications and, where appropriate, secure emergency communication systems within the facility.
Finally, information security training for employees and managers is required. Training for managers is particularly important, as it rests on the premise that they must be able to initiate and monitor the measures themselves.
Significant incidents and significant threats must be reported to the authorities in accordance with the reporting obligations. The draft contains detailed provisions on the procedure, content and timeframe of such reports: among other things, a so-called early warning must be issued immediately, and in any case within 24 hours of becoming aware of the incident.
A management manual based on a document management solution can be used to store and distribute information on how to proceed in each of these cases. In this way, everyone involved in the company always has the latest guidelines, instructions and tools, such as forms, to help them comply with the legal requirements.
Supervision and enforcement measures, sanctions and liability for non-compliance
In addition, NIS-2 provides for strengthened supervisory and enforcement measures. In particular, competent authorities may carry out on-site inspections, periodic security audits and ad hoc inspections, and may request specific information or access to data.
Infringements will be sanctioned in accordance with national law. For major companies, the maximum fine must be at least €10 million or 2% of global turnover, whichever is higher. For significant entities, the maximum amount is slightly lower. If a violation already results in a fine under the GDPR, no fine will be imposed under NIS-2 for the same violation.
In addition to this risk of fines, NIS-2 poses a significant liability risk for senior management. The management bodies of significant and important institutions must monitor the implementation of risk management measures. In the event of non-compliance, they may be held personally liable.
With a DMS, the organisation can ensure that the relevant regulations are available and that employees are actually aware of them. For example, employees' acknowledgement of the risk management measures can be evidenced with read receipts.
All-hazards approach and ISMS implementation guidance
The “All-Hazards Approach” includes the consideration of the physical and environmental security of network and information systems, as well as the protection of these systems against system failure, human error, malicious acts or natural events.
Implementing an Information Security Management System (ISMS) in accordance with ISO/IEC 27001 is recommended for putting the above measures in place, since risk management measures in accordance with European and international standards (e.g. the ISO/IEC 27000 series) must explicitly be taken into account. If an institution takes this to heart and adds provisions for reporting obligations and Business Continuity Management, NIS-2 loses its terror, becomes manageable and significantly raises the level of protection.
For the establishment and operation of an ISMS according to ISO 27001, a document management system is invaluable. A proper ISMS requires systematic documentation of security policies, procedures and protocols, which can be efficiently organised and centralised in a DMS. A DMS also allows documents to be stored in a structured and audit-proof manner, which is essential for maintaining and verifying security standards. Permissions and access rights can be tightly controlled through the DMS to ensure that only authorised persons have access to sensitive information. Changes to documents can also be tracked, providing a clear audit trail, which is important for ISO 27001 certification. Finally, a DMS facilitates continuous improvement by helping to review, update and communicate security documents on a regular basis.
Who should be involved in the implementation process?
Implementing NIS-2 is a major task that requires the involvement of many stakeholders in an organisation. The following people and teams should be involved in the implementation process: Executive Management, IT, Facilities Management, HR, Legal and Production or other specialist departments and external partners.
What does all this mean for document management?
For adequate information security and proof of compliance with NIS-2, it is helpful to store guidelines, process descriptions, evidence and similar documents in a protected manner while still making them accessible to all relevant bodies as needed (“need to know”). Audit-proof storage is a good choice, both to avoid fines and to provide evidence of intellectual property. In addition, the ISMS and privacy policies define many storage rules that need to be implemented. High-quality document control with process support is also helpful for an ISMS.
Putting the rules into practice in daily work, and demonstrating this in internal or external audits, is another task that good document management can support. Specialised software solutions can help here.
In addition to the functional and procedural requirements, a DMS should also be intuitive to use and fit seamlessly into the existing IT infrastructure. Only then can the various user groups effectively access and apply the relevant rules and regulations on a daily basis. The integration of the latest technologies, such as artificial intelligence, also opens up potential for corporate knowledge management fed by the documents stored in the DMS.
NIS-2 will bring a higher level of information and operational security to many industries. The implementation will initially require some effort. But in the end, it will contribute to more cybersecurity throughout the EU!
Especially with increasing digitalisation, it is important to create the basis for audit-proof archiving and documentation of procedures, so that information cannot be deleted or altered.
Webinar: European Security Directive NIS-2 and Document Management
In this webinar, experts Klaus Kilvinger (Opexa Advisory GmbH) and Patrick Carl (Portal Systems AG) will explain the basics of NIS-2 and the specific requirements that will arise for companies as a result.
The statements reflect the opinion of the author and are not binding. They do not constitute legal advice. To that extent, all information is provided without warranty of accuracy or completeness. Advice is always required for individual implementation.