NIS2 IT Implementing Act
The EU NIS2 directive (EU 2022/2555) defines extensive cybersecurity requirements for entities in Art. 21, transposed to national laws. EU NIS2 allows the Commission to lay down specific security requirements through Implementing Acts. This article describes the draft Implementing Act mandatory for Internet and IT providers and maps it to ISO 27001:2022 and KRITIS.
Implementing acts take precedence over national legislation without the need for transposition. Two mandatory implementing acts are foreseen for Internet providers to detail out incident definitions of Art. 23 (11) and security measures of Art. 21 (5). The June 2024 draft combines them into a single Commission Implementing Regulation with annex.
This article maps the security requirements of the Internet provider Implementing Act to security standards. The act will be mandatory for providers such Cloud, DNS, TLD, CDN and many managed services. This work and the act are still draft, we have comments on gaps.
Overview and scope
Controls
This Implementing Act for Internet Providers (Commission Implementing Regulation) refers to individual items in Article 21 of the EU NIS2 Directive (EU 2022/2555). It extends each of the NIS2 list items into multiple controls with more details and some new topics as well.
| Group | Ch. | Requirements | # |
|---|---|---|---|
| Management and Policies | 1 2 7 12 |
Policy on the security of network and information systems Risk management policy Effectiveness of cybersecurity Asset management |
8 controls 10 controls 3 controls 13 controls |
| Incident Management | 3 | Incident Management | 22 controls |
| Business Continuity | 4 | Business Continuity | 14 controls |
| Supply Chain | 5 | Supply Chain | 8 controls |
| IT Security and Networks | 6 9 11 |
Security in acquisition and development Cryptography Access control |
31 controls 3 controls 20 controls |
| Personnel Security | 10 8 |
Human resources security Cyber hygiene |
10 controls 8 controls |
| Physical Security | 13 | Physical Security | 9 controls |
Entities in scope
This Implementing Act will be mandatory for a range of providers in the Digital Infrastructure sector of NIS2 and will overwrite and extend national NIS2 security requirements.
- DNS providers and TLDs registries
- Cloud Computing Provider and CDNs
- Data center services
- Managed service providers and managed security service providers
- Online market places, search engines and social networks
- Trust service providers
Security mapping
This mapping to individual ISO 27001:2022 and German KRITIS controls is meant as guidance only and does not imply complete coverage. Numbering (#) is based on the implementing act, NIS2 reference is based on German NIS2 implementation law. All the listed ISO 27001:2022 controls take ISO 27002 details into account but might still not cover everything.
Management and Policies
1. Policy on the security of network and information systems
| # | DE NIS2 | Requirement | KRITIS | ISO 27001 |
|---|---|---|---|---|
| 1 | 30.2.1b | Policy on the security of network and information systems Konzepte für IT-Sicherheit (ISMS) |
||
| 1.1 | Policy on the security of network and information systems | |||
| 1.1.1 | 30.2.1b | Policy on the security of network and information systems, including approach to security, strategy and objectives, risk tolerance, commitments, topic-specific policies, formal approval by management bodies | BSI-1 BSI-2 |
4.1-10.2 A.5.1 A.5.2 A.5.4 |
| 1.1.2 | 30.2.1b | Review and update (by management bodies) network and information system and further policies regularly and after significant incidents and changes. | BSI-2 | 6.2 9.3 A.5.1 A.5.2 A.5.4 |
| 1.2 | Roles, responsibilities and authorities | |||
| 1.2.1 | 30.2.1b | Define roles, responsibilities and authorities for network and information system security and communicate | BSI-3 | 4.3 A.5.3 A.5.4 |
| 1.2.2 | 30.2.1b | Require staff and third-parties to implement security policies | BSI-3 BSI-98 |
4.3 A.5.3 A.5.4 A.5.19 A.5.20 A.5.21 A.5.23 |
| 1.2.3 | 30.2.1b | Direct report (CISO) to management bodies on network and information system security | - | - |
| 1.2.4 | 30.2.1b | Dedicated roles for network and information system security | BSI-3 | 4.3 A.5.3 A.5.4 |
| 1.2.5 | 30.2.1b | Segregation of conflicting duties and responsibilities | BSI-4 | A.5.3 |
| 1.2.6 | 30.2.1b | Review and update (by management bodies) roles, responsibilities and authorities regularly and after significant incidents and changes. | - | 5.3 9.3 |
2. Risk management policy
| # | DE NIS2 | Requirement | KRITIS | ISO 27001 |
|---|---|---|---|---|
| 2 | 30.2.1a | Risk management policy Konzepte zur Risiko-Analyse (IT-RM) |
||
| 2.1 | Risk management framework | |||
| 2.1.1 | 30.2.1a | Appropriate risk management framework for security of network and information systems, with assessments, treatment plans, and acceptance by management or risk owners plus reporting | BSI-13 | 6.1 8.2 8.3 |
| 2.1.2 | 30.2.1a 30.2.0 |
Cybersecurity risk management process as integral part of overall risk management, with methods, tools, criteria, all-hazards approach, risk owners, criteria, responsibilities, awareness | BSI-14 BSI-16 |
6.1 8.2 8.3 A.5.31 |
| 2.1.3 | 30.2.1a | Review and update risk assessment results and treatment plans regularly or after significant incidents and changes | BSI-14 | 6.1 8.2 8.3 10.1 |
| 2.2 | Compliance monitoring | |||
| 2.2.1 | 30.2.1a | Regular review of compliance with policies, inform management bodies | BSI-85 | A.5.31 A.5.36 |
| 2.2.2 | 30.2.1a | Compliance reporting system to effectively inform management bodies on risks | BSI-85 BSI-86 | 9.2 9.3 A.5.31 A.5.36 |
| 2.2.3 | 30.2.1a | Compliance reviews at regular intervals or after significant incidents and changes | BSI-86 | 9.2 A.5.36 A.8.34 |
| 2.3 | Independent review of information and network security | |||
| 2.3.1 | 30.2.1a | Independent reviews of network and information system security management and implementation | BSI-86 BSI-87 BSI-88 |
9.2 A.5.35 A.5.36 A.8.34 |
| 2.3.2 | 30.2.1a | Processes for independent reviews by people with audit competence and independence | BSI-89 | A.5.36 A.8.34 |
| 2.3.3 | 30.2.1a | Reporting to management bodies of compliance monitoring and corrective actions | BSI-85 | A.5.31 A.5.36 |
| 2.3.4 | 30.2.1a | Independent reviews at regular intervals or after significant incidents and changes | BSI-86 | 9.2 A.5.36 A.8.34 |
7. Effectiveness of cybersecurity
| # | DE NIS2 | Requirement | KRITIS | ISO 27001 |
|---|---|---|---|---|
| 7 | 30.2.6 | Policies and procedures to assess the effectiveness of cybersecurity risk-management measures Bewertung der Wirksamkeit von Maßnahmen |
||
| 7.1.1 | 30.2.6 | Implement policy and processes to assess implementation and effectiveness of policies | BSI-1 BSI-86 |
9.1 9.2 A.5.36 A.8.34 |
| 7.1.2 | 30.2.6 | Process, security assessments and security testing of cybersecurity measures with methods, definitions and responsibilities | BSI-86 | 9.2 A.5.36 A.8.34 |
| 7.1.3 | 30.2.6 | Review and update assessment policies and processes regularly or after significant incidents and changes | partial BSI-85 |
9.3 A.5.1 A.5.31 A.5.36 |
12. Asset management
| # | DE NIS2 | Requirement | KRITIS | ISO 27001 |
|---|---|---|---|---|
| 12 | 30.2.9c | Asset Management Management von Anlagen |
||
| 12.1 | Asset classification | |||
| 12.1.1 | 30.2.9c | Classification and protection levels for information and assets | BSI-7 | A.5.12 |
| 12.1.2 | 30.2.9c | Classification system applied to assets and information (using C/I/A/A) to indicate protection requirements and objectives | BSI-9 BSI-10 |
A.5.10 A.5.12 A.5.13 |
| 12.1.3 | 30.2.9c | Review and update classification levels of assets and information regularly | BSI-10 | A.5.10 A.5.12 |
| 12.2 | Handling of information and assets | |||
| 12.2.1 | 30.2.9c | Policy for handling of assets and information in accordance with security policy | BSI-7 BSI-10 |
A.5.10 A.7.10 A.5.13 |
| 12.2.2 | 30.2.9c | Policy covers asset and information life cycle, safe use and storage, off-premise and transfer requirements | BSI-7 BSI-12 |
A.5.10 A.6.7 A.7.9 A.7.10 A.7.14 A.8.10 |
| 12.2.3 | 30.2.9c | Review and update asset handling policy regularly or after significant incidents and changes | BSI-7 BSI-66 |
A.5.10 A.5.1 |
| 12.3 | Removable media policy | |||
| 12.3.1 | 30.2.9c | Removable media policy for management of removable storage media at premises and locations | BSI-11 | A.7.10 A.7.14 A.8.10 |
| 12.3.2 | 30.2.9c | Policy covers protective measures for connections, execution, control and encryption of media | BSI-11 BSI-34 |
A.7.10 A.7.14 A.8.10 A.5.33 A.5.34 A.8.24 |
| 12.3.3 | 30.2.9c | Review and update removable media policy regularly or after significant incidents and changes | BSI-11 | A.7.10 A.7.14 A.8.10 |
| 12.4 | Asset inventory | |||
| 12.4.1 | 30.2.9c | Complete and accurate inventory of assets with recorded changes | BSI-5 | A.5.9 |
| 12.4.2 | 30.2.9c | Inventory with appropriate granularity includes list of operations and services, and list of assets (NIS) that support operations and services | BSI-5 | A.5.9 |
| 12.4.3 | 30.2.9c | Review and update inventory of assets regularly and document history | BSI-5 | A.5.9 |
| 12.5 | 30.2.9c | Return or deletion of assets upon termination of employment with appropriate processes | BSI-8 | A.5.11 A.7.10 A.8.10 |
3. Incident Management
| # | DE NIS2 | Requirement | KRITIS | ISO 27001 |
|---|---|---|---|---|
| 3 | 30.2.2 | Incident Management Bewältigung von Sicherheitsvorfällen |
||
| 3.1 | Incident handling policy | |||
| 3.1.1 3.1.2 |
30.2.2 | Incident handling policy with roles and processes for detection, analyzing and responding to incidents | BSI-77 | A.5.24 A.6.8 |
| 3.1.3 | 30.2.2 | Review and update of the roles and processes of the incident handling policy | BSI-77 BSI-66 |
A.5.24 A.6.8 A.5.1 |
| 3.2 | Monitoring and logging | |||
| 3.2.1 | 30.2.2 | Procedures and tools for monitoring activities and detecting events | BSI-80 SzA BSI-90 BSI-91 |
A.5.28 A.6.8 A.8.15 8.16 |
| 3.2.2 | 30.2.2 | Automated and continuous monitoring, if feasible | BSI-80 SzA BSI-93 |
A.5.28 A.6.8 A.8.15 A.8.16 |
| 3.2.3 | 30.2.2 | Documentation and review of logs, including much (from network traffic to access to facilities) | BSI-92 | A.8.15 8.16 |
| 3.2.4 | 30.2.2 | Review of logs based on thresholds and possible automated alarms with adequate response | BSI-80 BSI-90 |
A.5.28 A.6.8 A.8.15 A.8.16 |
| 3.2.5 | 30.2.2 | Central storage and backup of logs | BSI-92 BSI-93 BSI-94 |
A.8.9 A.8.13 A.8.15 |
| 3.2.6 | 30.2.2 | Synchronized time sources on systems and list of logging assets | partial BSI-91 BSI-93 |
A.8.17 A.8.9 A.8.15 |
| 3.2.7 | 30.2.2 | Regular review of logging procedures and list of assets | partial BSI-91 |
partial A.8.15 |
| 3.3 | Event reporting | |||
| 3.3.1 | 30.2.2 | Alert reporting mechanism for employees, suppliers and customers | partial BSI-79 BSI-81 |
A.5.2 A.5.24 A.5.25 A.5.26 A.6.8 |
| 3.3.2 | 30.2.2 | Communication and training of the alerting mechanism | partial BSI-81 |
partial A.5.24 |
| 3.4 | Event assessment and classification | |||
| 3.4.1 3.4.2 |
30.2.2 | Assessment of events to determine nature and severity of incidents | BSI-80 | A.5.25 A.5.28 A.6.8 A.8.15 |
| 3.5 | Incident Response | |||
| 3.5.1 3.5.2 |
30.2.2 | Procedures for incident response | BSI-77 BSI-78 |
A.5.24 A.5.25 A.5.26 A.5.28 A.6.8 |
| 3.5.3 | 30.2.2 | Communication plans with CSIRT and stakeholders | BSI-77 | A.5.24 A.6.8 |
| 3.5.4 3.5.5 |
30.2.2 | Logging and testing of incident activities and procedures | unsure | A.5.24 A.5.28 A.5.30 |
| 3.6 | Post-incident reviews | |||
| 3.6.1 3.6.2 |
30.2.2 | Reviews after incident to identify root causes and provide lessons learned to improve network and IT security and reduce risks | BSI-82 | A.5.26 A.5.27 |
| 3.6.3 | 30.2.2 | Regular reviews if post-incident reviews have been performed | - | A.5.26 |
4. Business Continuity
| # | DE NIS2 | Requirement | KRITIS | ISO 27001 |
|---|---|---|---|---|
| 4 | 30.2.3a 30.2.3b 30.2.3c 30.2.3d |
Business Continuity and Crisis Management Aufrechterhaltung Betrieb, Backup-Management, Wiederherstellung, Krisenmanagement |
||
| 4.1 | Business continuity and disaster recovery plans | |||
| 4.1.1 4.1.2 |
30.2.3a | Business continuity and disaster recovery plan, based on risk assessments, to be used for recovery | BSI-17 BSI-18 |
partial A.5.29 A.5.30 A.5.31 |
| 4.1.3 | 30.2.3a | Business impact analysis (BIA) to assess disruptive impact, and establish resulting continuity requirements | BSI-15 | partial A.5.29 A.5.30 |
| 4.1.4 | 30.2.3c | Test and review of business continuity and disaster recovery, with updates and lessons learned | BSI-19 | partial A.5.30 |
| 4.2 | Backup management (and redundancy) | |||
| 4.2.1 | 30.2.3b | Backups of informations, with sufficient resources, facilities and staff | partial BSI-22 |
A.8.13 A.8.14 |
| 4.2.2 | 30.2.3b | Backup plans based on risk assessment and business continuity plans with time (RTO/RPO), locations, access controls, etc. | BSI-22 | A.8.13 A.8.14 |
| 4.2.3 | 30.2.3b | Regular integrity checks of backups | partial BSI-23 |
A.8.13 A.8.16 |
| 4.2.4 | 30.2.3b | At least partial redundancy for NIS, assets and facilities, personnel, communications | - | A.8.14 |
| 4.2.5 | 30.2.3b | Monitoring and adjustment of resources informed by backup and redundancy requirements | partial BSI-20 |
partial A.8.6 |
| 4.2.6 | 30.2.3b | Regular testing of backups and redundancies, with documentation and corrective actions | BSI-24 | A.8.13 |
| 4.3 | Crisis management | |||
| 4.3.1 4.3.2 |
30.2.3d | Processes for crisis management with roles, responsibilities, communications, and supporting assets | - | - |
| 4.3.3 | 30.2.3d | Process for receiving and using information from CSIRTs and authorities and incidents, threats and vulnerabilities | BSI-97 | A.5.5 A.5.6 |
| 4.3.4 | 30.2.3d | Regular test and review of crisis management plan | - | - |
5. Supply Chain
| # | DE NIS2 | Requirement | KRITIS | ISO 27001 |
|---|---|---|---|---|
| 5 | 30.2.4a 30.2.4b |
Supply Chain Security Sicherheit der Lieferkette, Sicherheitsaspekte zu Anbietern und Dienstleistern |
||
| 5.1 | Supply chain security policy | |||
| 5.1.1 | 30.2.4a | Supply chain security policy to govern suppliers and service providers and mitigate risks to NIS | partial BSI-98 |
A.5.19 A.5.21 |
| 5.1.2 | 30.2.4a | Establish criteria to select and contract suppliers, based on suppliers cybersecurity practices, capabilities, resilience and vendor lock-in | - | A.5.19 |
| 5.1.3 | 30.2.4a | Take into account coordinated security risk assessments of critical supply chains (NIS2) | - | - |
| 5.1.4 | 30.2.4a | Contractual requirements and SLAs with providers, including cybersecurity requirements, staff, incidents, audits, etc. | BSI-98 | A.5.19 A.5.20 A.5.21 A.5.22 A.5.23 |
| 5.1.5 | 30.2.4a | Selection of new providers based on criteria (5.1.2) and risk assessments (5.1.3) | - | partial A.5.19 |
| 5.1.6 | 30.2.4a | Review supply chain policy and monitor and evaluate suppliers and compliance | BSI-66 BSI-99 |
A.5.1 A.5.22 |
| 5.1.7 | 30.2.4a | For provider selection, monitor SLAs reports, review incidents, plan and assess audits, and analyze change risks | - | A.5.22 |
| 5.2 | 30.2.4b | Directory of suppliers and service providers with contact points and list of ICT products, services, etc. | - | A.5.19 A.5.20 A.5.21 |
IT Security and Networks
6. Security in acquisition and development
Note this also covers network security (6.7 and 6.8) and malware (6.9), which are missing from Article 21 NIS2 but are added by the Implementing Act as part of Security in acquisition.
| # | DE NIS2 | Requirement | KRITIS | ISO 27001 |
|---|---|---|---|---|
| 6 | 30.2.5a 30.2.5b 30.2.5c 30.2.5d |
Security in Network and Information Systems Acquisition, Development and Maintenance Sicherheitsmaßnahmen bei Erwerb, Entwicklung und Wartung von IT Systemen, Komponenten und Prozessen |
||
| 6.1 | Security in acquisition of ICT services or ICT products | |||
| 6.1.1 | 30.2.5a | Processes to manage risks in the acquisition of ICT services and products that are critical | BSI-43 | A.5.19 A.5.20 A.5.22 A.5.23 A.8.30 |
| 6.1.2 | 30.2.5a | Security requirements, updates, information on cybersecurity functions, compliance and validation | BSI-43 | A.5.19 A.5.20 A.5.22 A.5.23 A.8.30 |
| 6.1.3 | 30.2.5a | Review and update processes for acquisition regularly | BSI-43 BSI-66 |
A.5.19 A.5.20 A.5.22 A.5.23 A.8.30 A.5.1 |
| 6.2 | Secure development life cycle (SDLC) | |||
| 6.2.1 | 30.2.5b | Rules for secure development of network and information systems for all development phases | BSI-43 | A.5.8 A.8.25 A.8.26 A.8.27 A.8.28 |
| 6.2.2 | 30.2.5b | Analysis of security requirements, principles for secure engineering, secure development environments, security testing, data | - | A.5.8 A.8.33 |
| 6.2.3 | 30.2.5b | Include security aspects and supply chain security into outsourced development | BSI-44 | A.5.8 A.8.29 A.8.30 |
| 6.2.4 | 30.2.5b | Review and update processes for secure development regularly | BSI-44 BSI-66 |
A.8.27 A.8.29 A.8.30 A.5.1 |
| 6.3 | Configuration management | |||
| 6.3.1 | 30.2.5c | Document, implement and monitor configurations, including secure configurations | partial BSI-76 |
A.7.13 A.8.9 |
| 6.3.2 | 30.2.5c | Define security configuration and processes to enforce secure configurations for new systems and during operations | partial BSI-45 BSI-25 |
8.1 A.8.9 A.8.19 A.8.31 A.8.32 |
| 6.3.3 | 30.2.5c | Review and update configurations regularly and after significant incidents or changes | - | A.8.9 |
| 6.4 | Change management, repairs and maintenance | |||
| 6.4.1 | 30.2.5c | Management procedures for changes, maintenance of network and information systems | BSI-45 BSI-76 |
8.1 A.8.31 A.8.32 A.7.13 |
| 6.4.2 | 30.2.5c | Application of procedures to releases, modifications and emergency changes of software, hardware and configuration | BSI-46 BSI-47 BSI-48 BSI-49 BSI-50 BSI-51 |
8.1 A.8.9 A.8.32 A.8.33 |
| 6.4.3 | 30.2.5c | Emergency changes documented with explanations | BSI-52 | A.8.32 |
| 6.4.4 | 30.2.5c | Review and update change procedures regularly and after significant incidents or changes | BSI-45 BSI-66 |
8.1 A.8.31 A.8.32 A.5.1 |
| 6.5 | Security testing | |||
| 6.5.1 | 30.2.5d | Policy and processes for security testing | BSI-95 | A.8.8 A.8.34 |
| 6.5.2 | 30.2.5d | Risk-based requirements for security testing, carried out with established methodology, with documentation of findings and mitigation activities | partial BSI-95 |
A.8.29 A.8.33 A.8.34 |
| 6.5.3 | 30.2.5d | Review and update security testing policy and processes regularly | - | 9 A.8.8 A.8.34 |
| 6.6 | Security patch management | |||
| 6.6.1 | 30.2.5d | Processes for management of security patches, with timeframes, testing, trusted sources, and exception handling | BSI-25 BSI-84 BSI-96 |
A.8.19 A.8.8 A.5.7 A.8.32 |
| 6.6.2 | 30.2.5d | Exceptions to security patching allowed if disadvantages outweigh benefits and reasons substantiated and documented | - | A.8.8 |
| 6.7 | Network security | |||
| 6.7.1 | - | Measures to protect networks and information systems against cyber threats | partial BSI-36 BSI-37 |
A.8.20 A.8.21 A.8.23 A.8.26 |
| 6.7.2 | - | Network architecture documentation, network access controls, secure configuration and remote access, secure connections, trusted channels and modern (latest) and secure technologies | partial BSI-40 BSI-36 BSI-41 |
partial A.8.20 A.8.21 A.8.22 |
| 6.7.3 | - | Review and update security measures regularly and after significant incidents or changes | BSI-16 | 6.1.3 8.3 A.5.31 |
| 6.8 | Network segmentation | |||
| 6.8.1 | - | Segmentation of systems into networks or zones based on risk, separated from third-party systems | BSI-37 BSI-38 BSI-39 |
A.8.22 A.8.26 |
| 6.8.2 | - | Security requirements for network segmentations, including releationships, measures, access needs and control, administration and development, etc. | partial BSI-36 BSI-38 BSI-39 BSI-53 |
A.8.22 A.8.26 A.8.27 A.8.31 |
| 6.8.3 | - | Review and update network segmentation regularly and after significant incidents or changes | - | A.8.22 9.1 10.1 |
| 6.9 | Protection against malicious and unauthorised software | |||
| 6.9.1 | - | Protection of network and information systems against malicious and unauthorised software | BSI-21 | A.8.7 A.8.23 |
| 6.9.2 | - | Malware detection and repair software, updated regularly | BSI-21 | A.8.7 |
| 6.10 | Vulnerability handling and disclosure | |||
| 6.10.1 | 30.2.5d | Collection and analysis of information on vulnerabilities and own exposure | BSI-83 | A.8.8 A.5.7 |
| 6.10.2 | 30.2.5d | Monitor announcements of CSIRTs, authorities, perform scans, address vulnerabilities, define procedure and ensure implementation | partial BSI-83 BSI-84 BSI-97 |
A.8.8 A.5.5 A.5.6 A.5.7 |
| 6.10.3 | 30.2.5d | Implement plan for handling vulnerabilities based on impact, document exceptions and reasons | BSI-25 BSI-84 |
A.8.8 A.8.19 |
| 6.10.4 | 30.2.5d | Review and update vulnerability information channels regularly | - | 9.1 10.1 A.8.8 |
9. Cryptography
| # | DE NIS2 | Requirement | KRITIS | ISO 27001 |
|---|---|---|---|---|
| 9. | 30.2.8 | Cryptography Kryptografie und Verschlüsselung |
||
| 9.1.1 | 30.2.8 | Policy and procedures for cryptography, to protect information (C/I/A) | BSI-32 | A.5.1 A.8.24 |
| 9.1.2 | 30.2.8 | Policy defines cryptographic measures based on classification, crypto protocols, algorithms, ciphers, key lengths, key management, etc. | BSI-32 BSI-33 BSI-34 BSI-35 |
A.5.14 A.5.31 A.8.20 A.8.21 A.8.24 A.8.33 |
| 9.1.3 | 30.2.8 | Review and update cryptography policy and processes regularly, monitoring crypto state of the art | BSI-32 BSI-66 |
A.5.1 A.8.24 |
11. Access control
| # | DE NIS2 | Requirement | KRITIS | ISO 27001 |
|---|---|---|---|---|
| 11. | 30.2.9b | Access control Konzepte für Zugriffskontrolle |
||
| 11.1 | Access control policy | |||
| 11.1.1 | 30.2.9b | Access control policy for logical and physical access control to network and information systems | BSI-27 BSI-58 |
A.5.15 A.8.3 |
| 11.1.2 | 30.2.9b | Access control policy includes staff and external (suppliers, providers) access, access by processes, granted only after authentication | BSI-58 BSI-98 |
A.5.15 A.5.19 A.5.20 A.5.21 A.5.23 A.8.3 |
| 11.1.3 | 30.2.9b | Review and update access control policy regularly and after significant incidents or changes | BSI-58 BSI-66 |
A.5.1 |
| 11.2 | Management of access rights | |||
| 11.2.1 | 30.2.9b | Manage access rights according to access control policy | BSI-59 BSI-60 |
A.5.18 |
| 11.2.2 | 30.2.9b | Access rights based on need-to-know, least privilege, separation of duties, proper authorization, including third-party access and changes, etc. | BSI-58 BSI-60 BSI-61 |
A.5.3 A.5.18 A.8.3 |
| 11.2.3 | 30.2.9b | Review access rights regularly and update based on organizational changes; document review | BSI-62 | 9 A.5.18 |
| 11.3 | Privileged accounts and system administration accounts | |||
| 11.3.1 | 30.2.9b | Policies for management of privileged and administrative accounts | BSI-63 | A.5.3 A.5.18 A.8.2 |
| 11.3.2 | 30.2.9b | Implement strong authentication, MFA and procedures; specific accounts for administrations; individual privileges | BSI-63 | A.5.3 A.5.18 A.8.2 A.8.5 |
| 11.3.3 | 30.2.9b | Review privileged accounts regularly and update based on organizational changes; document review | BSI-62 BSI-63 |
A.5.3 A.5.18 A.8.2 |
| 11.4 | Administration systems | |||
| 11.4.1 | 30.2.9b | Control the use of system administration systems | partial BSI-30 |
A.8.18 A.8.19 |
| 11.4.2 | 30.2.9b | Separated and administration-specific system, specially secured | partial BSI-39 |
A.8.22 partial |
| 11.5 | Identification | |||
| 11.5.1 | 30.2.9b | Full life cycle management of identities of network and information systems and users | partial BSI-58 |
A.5.16 |
| 11.5.2 | 30.2.9b | Unique identities for systems and users; with oversight and logging | BSI-58 | A.5.3 A.5.16 A.8.3 |
| 11.5.3 | 30.2.9b | Shared identities only in special cases where necessary and with explicit approval and documentation | BSI-64 | A.5.16 A.5.17 A.5.18 |
| 11.6 | Authentication | |||
| 11.6.1 | 30.2.9b | Secure authentication procedures and technologies based on access control and policies | BSI-27 | A.5.17 A.8.5 A.8.24 |
| 11.6.2 | 30.2.9b | Strong authentication, controlled authentication process, initial changes, reset and termination | BSI-27 BSI-29 |
A.5.17 A.8.5 A.8.24 |
| 11.6.3 | 30.2.9b | State of the art authentication methods based on risk and classification | BSI-26 BSI-27 BSI-32 |
A.8.5 A.8.24 |
| 11.6.4 | 30.2.9b | Review identities regularly and deactivate if not needed | BSI-62 | A.5.16 |
| 11.7 | Multi-factor authentication | |||
| 11.7.1 | 30.2.10a | Multi-factor or continuous authentication (SSO) to access network and information systems based on system classification | BSI-27 | A.5.17 A.8.5 A.8.24 |
| 11.7.2 | 30.2.10a | Authentication strength shall be appropriate for asset classification | BSI-27 | A.8.5 A.8.24 |
Personnel Security
10. Human resources security
| # | DE NIS2 | Requirement | KRITIS | ISO 27001 |
|---|---|---|---|---|
| 10 | 30.2.9a | Human resources security Personalsicherheit (HR-Security) |
||
| 10.1 | Human resources security | |||
| 10.1.1 | 30.2.9a | Ensure employees and third parties committed to security responsibilities in line with policies | BSI-42 BSI-57 |
A.6.2 A.6.6 |
| 10.1.2 | 30.2.9a | Processes to ensure employees and third parties follow cyber hygiene, follow roles and responsibilities including management bodies, etc. | BSI-68 | A.6.3 7.2 7.3 |
| 10.1.3 | 30.2.9a | Review assigned roles and commitment of resources regularly and update if necessary | partial BSI-56 |
5.3 7.1 |
| 10.2 | Background checks | |||
| 10.2.1 | 30.2.9a | Background checks for employees and third parties if required for their role, authorisations | BSI-56 | A.6.1 A.5.20 |
| 10.2.2 | 30.2.9a | Criteria for background checks, only authorized persons, checks performed before assigning roles, based on laws and regulations | BSI-56 | A.6.1 |
| 10.2.3 | 30.2.9a | Review and update background check policy regularly | BSI-66 | A.5.1 A.5.20 |
| 10.3 | Termination or change of employment procedures | |||
| 10.3.1 | 30.2.9a | Responsibilities and duties valid after termination or change are communicated and understood | BSI-70 | A.6.5 |
| 10.3.2 | 30.2.9a | Responsibilities (like confidentiality) are set out in contracts, access control policies ensure compliance, change process | BSI-42 | A.5.8 A.5.14 A.6.2 A.6.6 |
| 10.4 | Disciplinary process | |||
| 10.4.1 | 30.2.9a | Disciplinary process for handling violations of network and information systems | BSI-69 | A.6.4 |
| 10.4.2 | 30.2.9a | Review and update disciplinary process regularly or due to legal or operational changes | BSI-69 BSI-66 |
A.6.4 A.5.1 |
8. Cyber hygiene
| # | DE NIS2 | Requirement | KRITIS | ISO 27001 |
|---|---|---|---|---|
| 8. | 30.2.7a 30.2.7b |
Basic cyber hygiene practices and security training Cyberhygiene und Awareness, Schulungen Informationssicherheit |
||
| 8.1 | Awareness raising and basic cyber hygiene practices | |||
| 8.1.1 | 30.2.7a | Awareness by employees of risks, cybersecurity importance and cyber hygiene | BSI-68 | 7.3 A.6.3 A.7.7 |
| 8.1.2 | 30.2.7a | Security awareness raising program for employees and management, repeated schedules, in line with policies, covering measures, practices, advice | BSI-68 | 7.3 A.6.3 |
| 8.1.3 | 30.2.7a | Testing and updating of awareness program regularly, taking into account changes in threat landscape, risks and cyber hygiene | BSI-68 | 7.3 9 |
| 8.2 | Security training | |||
| 8.2.1 | 30.2.7b | Training on network and information systems security for employees | BSI-68 | 7.2 A.6.3 |
| 8.2.2 | 30.2.7b | Training program based on policy, specific security topics and procedures, based on role and position requirements | BSI-68 | 7.2 A.6.3 |
| 8.2.3 | 30.2.7b | Effectiveness assessment of training and its relevance, covering secure configuration and operations, cyber threats, and behaviour | BSI-68 | 9 A.6.3 |
| 8.2.4 | 30.2.7b | Training for employees who transfer or change positions | - | A.6.5 |
| 8.2.5 | 30.2.7b | Update security training program based on policies, rules, roles, threats and technologies | BSI-68 BSI-66 |
7.2 A.6.3 A.5.1 |
13. Physical Security
The Implement Act refers to points c), e) and i) of Article 21 NIS2 for these measures, although physical security is not listed by name in Article 21 NIS2.
| # | DE NIS2 | Requirement | KRITIS | ISO 27001 |
|---|---|---|---|---|
| 13 | Environmental and physical security | |||
| 13.1 | Supporting utilities | |||
| 13.1.1 | - | Prevent of loss, damage or compromise due to failure or disruption of supporting utitilies | BSI-71 BSI-75 |
A.7.5 A.7.8 A.7.11 A.7.12 |
| 13.1.2 | - | Measures for prevention: Protection against power failures, redundancies, protection against interception, monitoring, environmental control, etc. | BSI-71 BSI-75 |
A.7.5 A.7.8 A.7.9 A.7.11 A.7.12 A.8.14 |
| 13.1.3 | - | Review, test and update protection measures regularly and after incidents | BSI-71 BSI-75 |
9 A.7.5 A.7.11 |
| 13.2 | Protection against physical and environmental threats | |||
| 13.2.1 | - | Prevent and reduce consequences of environmental and physical threats | BSI-74 | A.7.3 A.7.4 A.7.5 |
| 13.2.2 | - | Design measures for protection based on risk assessment, control thresholds and monitoring of environmental threats | BSI-71 BSI-74 |
A.7.3 A.7.4 A.7.5 |
| 13.2.3 | - | Review, test and update protection measures regularly and after incidents | partial BSI-71 BSI-76 |
9 A.7.13 |
| 13.3 | Perimeter and physical access control | |||
| 13.3.1 | - | Prevent and monitor unauthorized physical access, damage, interference | BSI-72 | A.7.1 A.7.2 A.7.3 A.7.4 |
| 13.3.2 | - | Implement security perimeters, entry controls and access points, physical security for offices and facilities, continuous monitoring | BSI-72 BSI-73 |
A.5.15 A.5.18 A.7.1 A.7.2 A.7.3 A.7.4 |
| 13.3.3 | - | Review, test and update physical control measures regularly and after incidents | partial BSI-76 |
9 A.7.2 A.7.5 |
Comments
Roadmap
This mapping is based on the June 2024 draft of the Implementing Act for public consultation. There will probably be changes in the act and also this mapping.
The Implementing Act for Internet Providers is supposed enter into force in October 2024 and will be mandatory for relevant entities in the Internet sector: DNS, TLD, cloud computing, data centers, CDNs, managed service providers and managed security services, online market places, search engines and social networks.
There might be another implementing act for other sectors, probably not too dissimilar.
Observation and gaps
The Implementing Act in its current form adds many missing details to the existing Article 21 of the NIS2 directive. It also added several new topics that were not covered before in the Article 21 list, like network security. Compared to existing security frameworks like the international ISO 27001 and German KRITIS, there are some deviations:
- Increased focus on crisis management, business continuity management and planning
- Constant emphasis on improvement processes for each topic – update and review
- Frequent explicit extension of requirements to third parties also
- Some very specific requirements and security measures (networks, accounts, systems)
- Existing ISMS and certifications will need to be extended for these gaps
- Some gaps might be compensated by management system processes – controls needed
Some of the collected gaps and our comment in detail – sorted like the mapping above.
| Ch. | Requirements | Comments |
|---|---|---|
| 1 | Policy on the security of network and information systems | Direct CISO reporting Management involvement |
| 2 | Risk management policy | Many mandatory reviews Management reporting |
| 7 | Effectiveness of cybersecurity | Great(er) emphasis on effectiveness |
| 12 | Asset management | Extensive requirements |
| 3 | Incident Management | Extensive controls Emphasis training and awareness Regular testing and reviews Automation |
| 4 | Business Continuity | Formal BCM, BIA, crisis management required Redundancies |
| 5 | Supply Chain | Provider selection and monitoring Directory and monitoring |
| 6 | Security in acquisition and development | Specific: configurations Specific: Patches and vulnerabilities Specific: Network security and segmentation Many reviews and updates |
| 9 | Cryptography | |
| 11 | Access control | So many controls! Many processes and governance required Strong authentication required Specific: MFA and SSO |
| 10 | Human resources security | Specific: Processes, changes and reviews |
| 8 | Cyber hygiene | Broad reading of awareness Much testing and effectiveness |
| 13 | Physical Security | Many specific preventive measures Many reviews and and tests |
More information
Sources
- Cybersecurity risk management & reporting obligations for digital infrastructure, providers and ICT service managers, Draft act 27 June 2024, European Commission
- Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive), 27.12.2022