The NIS-2 requirements and their implementation with MDM


The requirements of the NIS-2 directive pose major challenges for many small and medium-sized companies. The following questions often remain unclear:

  • Is my company affected?
  • By when do the requirements have to be implemented?
  • What technical requirements are necessary?

In this article you will learn how to implement the NIS-2 directive and what role Mobile Device Management (MDM) plays in doing so.


NIS-2: goals and requirements

The NIS-2 directive is a revised and expanded version of the European security directive NIS, which came into force in 2016. Its aim is to strengthen cybersecurity in the EU member states, especially in view of increasingly sophisticated attacks on critical infrastructure. Although NIS-2 was formally due to take effect in October 2024, implementation in Germany is not expected until March 2025. Use this extra time to make the necessary arrangements.

Which companies are affected?

A quick Google search turns up numerous free tools for checking whether your company is affected by NIS-2 at all. NIS-2 applies to companies in critical infrastructure, including:

  • Energy and water supply
  • Transportation and traffic
  • IT and telecommunications
  • Banking and financial market infrastructures
  • Healthcare
  • Digital infrastructure
  • Public administration
  • Space

Affected companies typically have:

  • 50 or more employees
  • An annual turnover or a balance sheet total of over 10 million euros

Smaller companies can also fall under NIS-2 if they operate in critical infrastructure.

Innovations through NIS-2

An important innovation is the introduction of the so-called "size cap" rule, which enables a differentiated classification of the affected companies.

For companies that have already taken security precautions in accordance with the GDPR or KRITIS, adapting to NIS-2 will probably be manageable. Companies without existing measures, however, can face greater challenges. The German Federal Office for Information Security (BSI) provides orientation.

How can you implement NIS-2 now?

Even if your company is not directly affected, it is worth thinking about cybersecurity. Ultimately, all companies are subject to the GDPR and must protect the data of customers, employees and suppliers. You do not have to invest a lot of time or budget: inexpensive and time-saving methods already exist to secure all digital data and processes in your company and to stay one step ahead of attackers.

Our short checklist can help you take the first steps effectively in order to meet the NIS-2 requirements in the future:

1. Analyze the current security situation:

Start with a comprehensive assessment of your organization's security posture to identify potential vulnerabilities. Also pay attention to seemingly small things, such as employees using their own hardware (USB sticks, data cables or similar). The use of private laptops or mobile devices should also be taken into account. Determine your employees' level of knowledge in the area of cybersecurity so that you can assess their training needs specifically.

2. Build a risk management plan:

In cybersecurity, prevention and active defense measures are not only more time-saving but also significantly more cost-effective than reacting to an attack and repairing the resulting damage. It is therefore essential to create a plan that effectively secures all identified vulnerabilities. For example, if you notice that employees regularly use private email accounts for professional purposes, you should not only prohibit this but also prevent it effectively with technical measures such as blockers. On mobile devices this can be achieved with a Mobile Device Management (MDM) system.

3. Schedule regular training:

The biggest risk factor remains the human factor. That is why it is very important to conduct regular training on data protection and current security threats. In 2024, the BSI conducted a major survey on knowledge of cybersecurity measures: 26% of those surveyed stated that they felt overwhelmed by the choice of measures. Training should therefore contain practical tips that your employees can apply directly in their everyday work in order to minimize security risks. Additionally, it can be helpful to post short written reminders in strategic locations throughout your organization to further increase cybersecurity awareness.

4. Create a plan in case an incident occurs (Incident Response Plan):

Despite the best security precautions, problems can arise. For this case you should already have a plan in place for how you will respond: Which systems need to be disabled immediately? How are employees informed? What actually counts as a violation of the security policies, and how is it sanctioned?

The answers to these questions should also be graded from minor incident to major (critical) security incident. In addition, you should record when and how any affected third parties, e.g. customers or partner companies, will be informed.

5. Involve partners and suppliers:

Make sure that the companies you work with also comply with data protection regulations and, ideally, have a comprehensive cybersecurity strategy. A security incident at one of your partners could ultimately endanger your own company. Inform your partner companies about your security policies and, if necessary, establish specific rules of conduct for external parties. Examples could be mandatory registration before entering the company premises or a ban on photo and video recordings. In addition, external companies should not have direct access to your corporate network. Only share access or files if it is absolutely necessary.


Meet NIS-2 requirements with an MDM

Regardless of whether your company has fewer than 50 employees or more: mobile devices have become an integral part of the modern working world. An honest look at the situation, however, quickly shows how little attention companies have paid to the security of the mobile devices they use, especially in sectors that have not previously had to take stricter cybersecurity measures.

In view of ever-increasing threats, this is a serious gap. A first but very effective step towards increasing cybersecurity in your company is to secure mobile devices, i.e. mobile endpoints. They form the transition from your company network to the outside world and are therefore also a potential gateway for attackers.

The requirements of the NIS-2 directive can be implemented efficiently with a Mobile Device Management (MDM) system, as MDM solutions offer comprehensive security and compliance tools that make complying with the directive easier. Here are some ways an MDM system can support the NIS-2 requirements:

1. Protect critical infrastructure and networks

Device security: MDM enables central management and monitoring of all mobile devices that access critical infrastructure networks and ensures that they comply with security standards.

Regular updates: With an MDM, operating system and app updates can be automated to close known security vulnerabilities quickly.

2. Security incident detection and reporting

Device alerts: An MDM can detect security breaches such as rooting, jailbreaking or the use of unauthorized apps and immediately notify administrators.

Incident management: Automated actions, such as locking a device or removing corporate data, can be initiated in the event of a security incident.

3. Compliance with policies and documentation

Compliance reports: MDM systems generate regular security compliance reports, which are necessary for providing evidence to regulatory authorities.

Policy management: Administrators can integrate specific requirements resulting from NIS-2 directly into the MDM in the form of security policies.

4. Security incident recovery

Remote wipe: Lost or stolen devices can be wiped remotely to protect sensitive data.

Device restrictions: After an incident, an MDM can temporarily place devices in kiosk mode so that only basic functionality is available until the security situation is resolved.

5. Employee training and awareness

Device alerts for users: In addition to administrators, users can also be informed when they violate security policies, which increases awareness of those policies.

Policy acceptance: MDM systems can ensure that users actively accept company policies before gaining access to networks or data.


Conclusion

Even if the numerous specifications and guidelines often seem confusing and overwhelming, it is still possible to meet the increased requirements of NIS-2 in a planned and effective manner. In addition to establishing a plan that covers all areas of cybersecurity, a Mobile Device Management (MDM) system is an important step towards increasing security.

Would you like to find out more about how to secure mobile devices in compliance with data protection regulations on a small budget?
Visit our YouTube channel!