
Further increase in cyber security: NIS-2 implementation at KISTERS

26 July 2024

The German government has introduced sweeping changes to IT security legislation to better protect the country’s economy and government from cyber attacks. The draft national law to implement the EU’s second Network and Information Security Directive (NIS 2 Directive), which has now been approved by the Federal Cabinet, not only implements the new EU requirements, but also adds a number of stricter obligations for companies in Germany.

Many KISTERS customers are affected

The obligations to implement cyber security measures and report cyber attacks will affect many more businesses and public sector organisations in the future – including many of our clients and ourselves. As the transposition of the EU Directive into national law may vary, international companies in particular should keep a close eye on what is required for their customers and locations in different countries.

“We are monitoring the progress of the legislative process very closely and are providing our customers with the best possible support in implementing NIS-2,” says Dr Heinz-Josef Schlebusch, CISO of the KISTERS Group.

KISTERS categorised as an “essential entity”

In addition to KRITIS, the NIS 2 requirements distinguish between ‘important entities’ and ‘essential entities’. The categorisation depends not only on the sector in which a company operates, but also on the number of employees and turnover.

Many of our customers fall into the ‘important entities’ category, which includes companies of a certain size in the energy, transport, finance, healthcare, water, digital infrastructure, waste management, chemicals and other sectors.

As a provider of cloud computing services, KISTERS belongs to the ‘digital infrastructure’ sector and is classified as an ‘essential entity’ due to the number of employees. KISTERS is therefore subject to the extended requirements of the NIS 2 Directive, e.g. in terms of risk management, reporting obligations, registration, information obligations and proof. “Thanks to our security certification to DIN ISO/IEC 27001, we already meet many of the NIS 2 requirements,” explains Dr Schlebusch.

Planned entry into force in October 2024

The law is expected to come into force in October 2024, once it has been passed by the German Bundestag. Delays are possible and there are likely to be transitional periods for some aspects of implementation.

For more information, including the main provisions and how to check whether you are affected, please see the official press release (in German) of the German Federal Ministry of the Interior (BMI):

BMI – Press – Protecting the economy and the state from cyber attacks: Federal Government passes comprehensive amendment to IT security law