NIS2 IT Implementing Act
The EU NIS2 directive (EU 2022/2555) defines extensive cybersecurity requirements for entities in Art. 21, transposed to national laws. EU NIS2 allows the Commission to lay down specific security requirements through Implementing Acts. This article describes the Implementing Act mandatory for Internet and IT providers and maps it to ISO 27001:2022 and KRITIS.
Implementing acts take precedence over national legislation without the need for transposition. Two implementing acts are mandatory for Internet and IT providers: incident definitions Art. 23 (11) and security measures Art. 21 (5). Both are combined in a single Commission Implementing Regulation and Annex, adopted October 2024. We have comments.
Overview
Scope
This Implementing Act for Internet Providers extends NIS2 security requirements from Art. 21 NIS2 and German §30 NIS2UmsuCG into multiple controls with more details and new topics.
| Group | Ch. | Requirements | # |
|---|---|---|---|
| Management and Policies | 1 2 7 12 |
Policy on the security of network and information systems Risk management policy Effectiveness of cybersecurity Asset management |
8 controls 11 controls 3 controls 13 controls |
| Incident Management | 3 | Incident Management | 22 controls |
| Business Continuity | 4 | Business Continuity | 14 controls |
| Supply Chain | 5 | Supply Chain | 8 controls |
| IT Security and Networks | 6 9 11 |
Security in acquisition and development Cryptography Access control |
31 controls 3 controls 21 controls |
| Personnel Security | 10 8 |
Human resources security Cyber hygiene |
10 controls 8 controls |
| Physical Security | 13 | Physical Security | 9 controls |
Entities
This Implementing Act is mandatory for a range of providers in the Digital Infrastructure sector of NIS2 and overwrites and extends national NIS2 security requirements.
- DNS providers and TLDs registries
- Cloud Computing Provider and CDNs
- Data center services
- Managed service providers and managed security service providers
- Online market places, search engines and social networks
- Trust service providers
Security mapping
Overview
This mapping to individual ISO 27001:2022 and German KRITIS controls is meant as guidance only and does not imply complete coverage. Numbering (#) is based on the final Implementing Act, NIS2 reference is based on German NIS2 implementation law. All listed ISO 27001:2022 controls take into account detail from ISO 27002, but might still not cover everything.
Changes between the draft Implementing Act from June 2024 and its final adoption in October 2024, either in numbering or wording of requirements, are marked, where additional details have been added, and crossed out where details have been removed.
Management and Policies
1. Policy on the security of network and information systems
| # | DE NIS2 | Requirement | KRITIS | ISO 27001 |
|---|---|---|---|---|
| 1 | 30.2.1b | Policy on the security of network and information systems Konzepte für IT-Sicherheit (ISMS) |
||
| 1.1 | Policy on the security of network and information systems | |||
| 1.1.1 | 30.2.1b | Policy on the security of network and information systems, including approach to security, strategy and objectives, |
BSI-1 BSI-2 |
4.1-10.2 A.5.1 A.5.2 A.5.4 |
| 1.1.2 | 30.2.1b | Review and update (by management bodies) network and information system |
BSI-2 | 6.2 9.3 A.5.1 A.5.2 A.5.4 A.5.36 |
| 1.2 | Roles, responsibilities and authorities | |||
| 1.2.1 | 30.2.1b | Define roles, responsibilities and authorities for network and information system security and communicate | BSI-3 | 5.3 A.5.3 A.5.4 |
| 1.2.2 | 30.2.1b | Require staff and third-parties to implement security policies | BSI-3 BSI-98 |
5.3 A.5.3 A.5.4 A.5.19 A.5.20 A.5.21 A.5.23 |
| 1.2.3 | 30.2.1b | Direct report (CISO) to management bodies on network and information system security | - | - |
| 1.2.4 | 30.2.1b | Dedicated roles for network and information system security | BSI-3 | 5.3 A.5.3 A.5.4 |
| 1.2.5 | 30.2.1b | Segregation of conflicting duties and responsibilities | BSI-4 | A.5.3 |
| 1.2.6 | 30.2.1b | Review and update (by management bodies) roles, responsibilities and authorities regularly and after significant incidents and changes. | - | 5.3 9.3 |
2. Risk management policy
| # | DE NIS2 | Requirement | KRITIS | ISO 27001 |
|---|---|---|---|---|
| 2 | 30.2.1a | Risk management policy Konzepte zur Risiko-Analyse (IT-RM) |
||
| 2.1 | Risk management framework | |||
| 2.1.1 | 30.2.1a | Appropriate risk management framework for security of network and information systems, with assessments, treatment plans, and acceptance by management or persons who are accountable and have the authority to manage risks |
BSI-13 | 6.1 8.2 8.3 A.5.7 |
| 2.1.2 | 30.2.1a 30.2.0 |
Cybersecurity risk management process as integral part of overall risk management, with methods, tools, criteria, all-hazards approach, |
BSI-14 BSI-16 |
6.1 8.2 8.3 A.5.31 |
| 2.1.3 | 30.2.1a | Identify and prioritise appropriate risk treatment options and measures, taking into account risk assessment results, effectiveness of measures, cost of implementaiton in relation to benefit, asset classification, BIA | BSI-14 | 6.1 8.2 8.3 A.5.29 A.5.30 |
| 2.1.4 |
30.2.1a | Review and update risk assessment results and treatment plans regularly, at least annually, and when significant incidents and changes occur | BSI-14 | 6.1 8.2 8.3 10.1 |
| 2.2 | Compliance monitoring | |||
| 2.2.1 | 30.2.1a | Regular review of compliance with policies, inform management bodies | BSI-85 | A.5.31 A.5.36 |
| 2.2.2 | 30.2.1a | Compliance reporting system to effectively inform management bodies on risks | BSI-85 BSI-86 | 9.2 9.3 A.5.31 A.5.36 |
| 2.2.3 | 30.2.1a | Compliance reviews at regular intervals or after significant incidents and changes | BSI-86 | 9.2 A.5.36 A.8.34 |
| 2.3 | Independent review of information and network security | |||
| 2.3.1 | 30.2.1a | Independent reviews of network and information system security management and implementation | BSI-86 BSI-87 BSI-88 |
9.2 10.1 A.5.35 A.5.36 A.8.34 |
| 2.3.2 | 30.2.1a | Processes for independent reviews by people with audit competence and independence, separation of line of authority or alternative measures for guaranteed impartiality of reviews | BSI-89 | A.5.36 A.8.34 |
| 2.3.3 | 30.2.1a | Reporting to management bodies of compliance monitoring and corrective actions | BSI-85 | A.5.31 A.5.36 |
| 2.3.4 | 30.2.1a | Independent reviews at regular intervals or after significant incidents and changes | BSI-86 | 9.2 A.5.35 A.5.36 A.8.34 |
7. Effectiveness of cybersecurity
| # | DE NIS2 | Requirement | KRITIS | ISO 27001 |
|---|---|---|---|---|
| 7 | 30.2.6 | Policies and procedures to assess the effectiveness of cybersecurity risk-management measures Bewertung der Wirksamkeit von Maßnahmen |
||
| 7.1 |
30.2.6 | Implement policy and processes to assess effectiveness of implementation and |
BSI-1 BSI-86 |
9.1 9.2 A.5.36 A.8.34 |
| 7.2 |
30.2.6 | Process, security assessments and security testing of cybersecurity measures with methods, definitions and responsibilities | BSI-86 | 9.2 A.5.36 A.8.34 |
| 7.3 |
30.2.6 | Review and update assessment policies and processes regularly or after significant incidents and changes | partial BSI-85 |
9.3 A.5.1 A.5.31 A.5.36 |
12. Asset management
| # | DE NIS2 | Requirement | KRITIS | ISO 27001 |
|---|---|---|---|---|
| 12 | 30.2.9c | Asset Management Management von Anlagen |
||
| 12.1 | Asset classification | |||
| 12.1.1 | 30.2.9c | Classification and protection levels |
BSI-7 | A.5.12 |
| 12.1.2 | 30.2.9c | Classification system applied to assets (using C/I/A/A) to indicate protection requirements and objectives | BSI-9 BSI-10 |
A.5.10 A.5.12 A.5.13 |
| 12.1.3 | 30.2.9c | Review and update classification levels of assets regularly | BSI-10 | A.5.10 A.5.12 |
| 12.2 | Handling of information and assets | |||
| 12.2.1 | 30.2.9c | Policy for handling of assets in accordance with security policy | BSI-7 BSI-10 |
A.5.10 A.7.10 A.5.13 |
| 12.2.2 | 30.2.9c | Policy covers asset life cycle, safe use and storage, off-premise and transfer requirements | BSI-7 BSI-12 |
A.5.10 A.6.7 A.7.9 A.7.10 A.7.14 A.8.10 |
| 12.2.3 | 30.2.9c | Review and update asset handling policy regularly or after significant incidents and changes | BSI-7 BSI-66 |
A.5.10 A.5.1 |
| 12.3 | Removable media policy | |||
| 12.3.1 | 30.2.9c | Removable media policy for management of removable storage media at premises and locations | BSI-11 | A.7.10 A.7.14 A.8.10 |
| 12.3.2 | 30.2.9c | Policy covers protective measures for connections, execution, control and encryption of media | BSI-11 BSI-34 |
A.7.10 A.7.14 A.8.10 A.5.33 A.5.34 A.8.24 |
| 12.3.3 | 30.2.9c | Review and update removable media policy regularly or after significant incidents and changes | BSI-11 | A.7.10 A.7.14 A.8.10 |
| 12.4 | Asset inventory | |||
| 12.4.1 | 30.2.9c | Complete and accurate inventory of assets with recorded changes | BSI-5 | A.5.9 |
| 12.4.2 | 30.2.9c | Inventory with appropriate granularity includes list of operations and services, and list of assets (NIS) that support operations and services | BSI-5 | A.5.9 |
| 12.4.3 | 30.2.9c | Review and update inventory of assets regularly and document history | BSI-5 | A.5.9 |
| 12.5 | 30.2.9c | Deposit, return or deletion of assets upon termination of employment with appropriate processes | BSI-8 | A.5.11 A.7.10 A.8.10 |
3. Incident Management
| # | DE NIS2 | Requirement | KRITIS | ISO 27001 |
|---|---|---|---|---|
| 3 | 30.2.2 | Incident Management Bewältigung von Sicherheitsvorfällen |
||
| 3.1 | Incident handling policy | |||
| 3.1.1 3.1.2 |
30.2.2 | Incident handling policy with roles and processes for detection, analyzing and responding to incidents, in coherence with business continuity and disaster recovery plan (4.1) | BSI-77 | A.5.24 A.6.8 |
| 3.1.3 | 30.2.2 | Review and update of the roles and processes of the incident handling policy | BSI-77 BSI-66 |
A.5.24 A.6.8 A.5.1 |
| 3.2 | Monitoring and logging | |||
| 3.2.1 | 30.2.2 | Procedures and tools for monitoring activities and detecting events | BSI-80 SzA BSI-90 BSI-91 |
A.5.28 A.6.8 A.8.15 8.16 |
| 3.2.2 | 30.2.2 | Automated and continuous monitoring, if feasible | BSI-80 SzA BSI-93 |
A.5.28 A.6.8 A.8.15 A.8.16 |
| 3.2.3 | 30.2.2 | List of assets subject to logging, based on results of risk assessment. Maintenance, documentation and review of logs, including much (from network traffic to access to facilities, where appropriate). | BSI-92 | A.8.15 8.16 |
| 3.2.4 | 30.2.2 | Regular review of logs based on thresholds and possible automated alarms with adequate response | BSI-80 BSI-90 |
A.5.28 A.6.8 A.8.15 A.8.16 |
| 3.2.5 | 30.2.2 | BSI-92 BSI-93 BSI-94 |
A.8.9 A.8.13 A.8.15 |
|
| 3.2.6 | 30.2.2 | Synchronized time sources on systems and list of logging assets, if feasible | partial BSI-91 BSI-93 |
A.8.17 A.8.9 A.8.15 |
| 3.2.7 | 30.2.2 | Regular review of logging procedures and list of assets | partial BSI-91 |
partial A.8.15 A.5.37 |
| 3.3 | Event reporting | |||
| 3.3.1 | 30.2.2 | Alert reporting mechanism for employees, suppliers and customers | partial BSI-79 BSI-81 |
A.5.2 A.5.24 A.5.25 A.5.26 A.6.8 |
| 3.3.2 | 30.2.2 | Communication and training of the alerting mechanism, where appropriate | partial BSI-81 |
partial A.5.24 A.6.8 A.5.19 |
| 3.4 | Event assessment and classification | |||
| 3.4.1 3.4.2 |
30.2.2 | Assessment of events to determine nature and severity of incidents | BSI-80 | A.5.25 A.5.28 A.6.8 A.8.15 |
| 3.5 | Incident Response | |||
| 3.5.1 3.5.2 |
30.2.2 | Procedures for incident response | BSI-77 BSI-78 |
A.5.24 A.5.25 A.5.26 A.5.28 A.6.8 |
| 3.5.3 | 30.2.2 | Communication plans with CSIRT and stakeholders | BSI-77 | A.5.24 A.6.8 |
| 3.5.4 3.5.5 |
30.2.2 | Logging and testing of incident response activities, in accordance with procedures | unsure | A.5.24 A.5.26 A.5.28 A.5.30 |
| 3.6 | Post-incident reviews | |||
| 3.6.1 3.6.2 |
30.2.2 | Where appropriate, post-incident reviews after recovery from incidents, to identify root causes where possible and provide documented lessons learned to improve network and IT security and reduce risks | BSI-82 | A.5.26 A.5.27 |
| 3.6.3 | 30.2.2 | Regular reviews if post-incident reviews have been performed after |
- | A.5.26 A.5.27 |
4. Business Continuity
| # | DE NIS2 | Requirement | KRITIS | ISO 27001 |
|---|---|---|---|---|
| 4 | 30.2.3a 30.2.3b 30.2.3c 30.2.3d |
Business Continuity and Crisis Management Aufrechterhaltung Betrieb, Backup-Management, Wiederherstellung, Krisenmanagement |
||
| 4.1 | Business continuity and disaster recovery plans | |||
| 4.1.1 4.1.2 |
30.2.3a | Business continuity and disaster recovery plan, based on risk assessments, to be used for recovery | BSI-17 BSI-18 |
partial A.5.29 A.5.30 A.5.31 A.7.5 |
| 4.1.3 | 30.2.3a | Business impact analysis (BIA) to assess disruptive impact, and establish resulting continuity requirements | BSI-15 | partial A.5.29 A.5.30 |
| 4.1.4 | 30.2.3c | Test and review of business continuity and disaster recovery, with updates and lessons learned | BSI-19 | partial A.5.30 A.7.5 |
| 4.2 | Backup and redundancy management | |||
| 4.2.1 | 30.2.3b | Backups of data |
partial BSI-22 |
A.8.13 A.8.14 |
| 4.2.2 | 30.2.3b | Backup plans based on risk assessment and business continuity plans with time (RTO/RPO), locations, access controls, etc. | BSI-22 | A.8.13 A.8.14 |
| 4.2.3 | 30.2.3b | Regular integrity checks of backups | partial BSI-23 |
A.8.13 A.8.16 |
| 4.2.4 | 30.2.3b | Based on results of risk assessment (2.1), at least partial redundancy for NIS, assets and facilities, personnel, communications | - | A.8.14 |
| 4.2.5 | 30.2.3b | Monitoring and adjustment of resources informed by backup and redundancy requirements, where appropriate | partial BSI-20 |
partial A.8.6 |
| 4.2.6 | 30.2.3b | Regular testing of backups and redundancies, with documentation and corrective actions | BSI-24 | A.8.13 |
| 4.3 | Crisis management | |||
| 4.3.1 4.3.2 |
30.2.3d | Process |
- | - (A.5.26) |
| 4.3.3 | 30.2.3d | Process for receiving and using information from CSIRTs and authorities |
BSI-97 | A.5.5 A.5.6 A.8.8 |
| 4.3.4 | 30.2.3d | Regular test and review of crisis management plan | - | - |
5. Supply Chain
| # | DE NIS2 | Requirement | KRITIS | ISO 27001 |
|---|---|---|---|---|
| 5 | 30.2.4a 30.2.4b |
Supply Chain Security Sicherheit der Lieferkette, Sicherheitsaspekte zu Anbietern und Dienstleistern |
||
| 5.1 | Supply chain security policy | |||
| 5.1.1 | 30.2.4a | Supply chain security policy to govern suppliers and service providers and mitigate risks to NIS | partial BSI-98 |
A.5.19 A.5.21 |
| 5.1.2 | 30.2.4a | Establish criteria to select and contract suppliers, based on suppliers cybersecurity practices, capabilities, resilience and vendor lock-in, where applicable | - | A.5.19 |
| 5.1.3 | 30.2.4a | Take into account coordinated security risk assessments of critical supply chains (NIS2) | - | - |
| 5.1.4 | 30.2.4a | Contractual requirements and SLAs with providers, including cybersecurity requirements, staff, incidents, audits, etc. | BSI-98 | A.5.19 A.5.20 A.5.21 A.5.22 A.5.23 |
| 5.1.5 | 30.2.4a | Selection of new providers based on criteria (5.1.2) and risk assessments (5.1.3) | - | partial A.5.19 |
| 5.1.6 | 30.2.4a | Review supply chain policy and monitor and evaluate suppliers and compliance | BSI-66 BSI-99 |
A.5.1 A.5.22 |
| 5.1.7 | 30.2.4a | For |
- | A.5.22 |
| 5.2 | 30.2.4b | Directory of suppliers and service providers with contact points and list of ICT products, services, etc. | - | A.5.19 A.5.20 A.5.21 |
IT Security and Networks
6. Security in acquisition and development
Note this also covers network security (6.7 and 6.8) and malware (6.9), which are missing from Article 21 NIS2 but are added by the Implementing Act as part of Security in acquisition.
| # | DE NIS2 | Requirement | KRITIS | ISO 27001 |
|---|---|---|---|---|
| 6 | 30.2.5a 30.2.5b 30.2.5c 30.2.5d |
Security in Network and Information Systems Acquisition, Development and Maintenance Sicherheitsmaßnahmen bei Erwerb, Entwicklung und Wartung von IT Systemen, Komponenten und Prozessen |
||
| 6.1 | Security in acquisition of ICT services or ICT products | |||
| 6.1.1 | 30.2.5a | Processes to manage risks in the acquisition of ICT services and products that are critical | BSI-43 | A.5.19 A.5.20 A.5.21 A.5.22 A.5.23 A.8.30 |
| 6.1.2 | 30.2.5a | Security requirements, updates, information on cybersecurity functions, compliance and validation | BSI-43 | A.5.19 A.5.20 A.5.22 A.5.23 A.8.30 |
| 6.1.3 | 30.2.5a | Review and update processes for acquisition regularly | BSI-43 BSI-66 |
A.5.19 A.5.20 A.5.22 A.5.23 A.8.30 A.5.1 |
| 6.2 | Secure development life cycle (SDLC) | |||
| 6.2.1 | 30.2.5b | Rules for secure development of network and information systems (incl. software) for all development phases, both in-house and outsourced | BSI-43 | A.5.8 A.8.25 A.8.26 A.8.27 A.8.28 A.8.31 |
| 6.2.2 | 30.2.5b | Analysis of security requirements, principles for secure engineering, secure development environments, security testing, data | - | A.5.8 A.8.27 A.8.33 |
| 6.2.3 | 30.2.5b | Include security aspects and supply chain security into outsourced development | BSI-44 | A.5.8 A.8.29 A.8.30 |
| 6.2.4 | 30.2.5b | Review and update rules |
BSI-44 BSI-66 |
A.8.27 A.8.29 A.8.30 A.5.1 |
| 6.3 | Configuration management | |||
| 6.3.1 | 30.2.5c | Appropriate measures to establish, document, implement and monitor configurations, including secure configurations | partial BSI-76 |
A.7.13 A.8.9 |
| 6.3.2 | 30.2.5c | Lay down and |
partial BSI-45 BSI-25 |
A.8.9 A.8.19 A.8.31 A.8.32 |
| 6.3.3 | 30.2.5c | Review and update configurations regularly and after significant incidents or changes | - | A.8.9 |
| 6.4 | Change management, repairs and maintenance | |||
| 6.4.1 | 30.2.5c | Change management procedures |
BSI-45 BSI-76 |
6.3 8.1 A.8.31 A.8.32 A.7.13 |
| 6.4.2 | 30.2.5c | Application of procedures to releases, modifications and emergency changes of software, hardware and configuration. Ensure that changes are documented and, based on risk assessment, tested and assessed in view of potential impact before being implemented. | BSI-46 BSI-47 BSI-48 BSI-49 BSI-50 BSI-51 |
A.8.9 A.8.32 A.8.33 |
| 6.4.3 | 30.2.5c | Emergency changes documented with explanations | BSI-52 | A.8.32 |
| 6.4.4 | 30.2.5c | Review and update change procedures regularly and after significant incidents or changes | BSI-45 BSI-66 |
A.8.32 A.5.1 |
| 6.5 | Security testing | |||
| 6.5.1 | 30.2.5d | Policy and processes for security testing | BSI-95 | A.8.8 A.8.29 A.8.31 A.8.33 A.8.34 |
| 6.5.2 | 30.2.5d | Risk-based requirements for security testing, carried out with established methodology, with documentation of findings and mitigation activities | partial BSI-95 |
A.8.29 A.8.33 A.8.34 |
| 6.5.3 | 30.2.5d | Review and update security testing policy and processes regularly | - | A.8.8 A.5.1 |
| 6.6 | Security patch management | |||
| 6.6.1 | 30.2.5d | Processes for management of security patches, with timeframes, testing, trusted sources, and exception handling. Coherent with change management procedures (6.4.1), vulnerability management, risk management and other relevant procedures. | BSI-25 BSI-84 BSI-96 |
A.8.19 A.8.8 A.5.7 A.8.31 A.8.32 |
| 6.6.2 | 30.2.5d | Exceptions to security patching allowed if disadvantages outweigh benefits and reasons substantiated and documented | - | A.8.8 |
| 6.7 | Network security | |||
| 6.7.1 | - | Measures to protect networks and information systems against cyber threats | partial BSI-36 BSI-37 |
A.8.20 A.8.21 A.8.23 A.8.26 |
| 6.7.2 | - | Network architecture documentation, network access and communication control, secure configuration and remote access, secure connections, trusted channels and modern (latest) and secure technologies | partial BSI-40 BSI-36 BSI-41 |
partial A.6.7 A.8.20 A.8.21 A.8.22 |
| 6.7.3 | - | Review and update security measures regularly and after significant incidents or changes | BSI-16 | 6.1.3 8.3 9.2 A.5.31 |
| 6.8 | Network segmentation | |||
| 6.8.1 | - | Segmentation of systems into networks or zones based on risk, separated from third-party systems | BSI-37 BSI-38 BSI-39 |
A.8.22 A.8.26 |
| 6.8.2 | - | Security requirements for network segmentations, including releationships, measures, access needs and control, administration and development, etc. | partial BSI-36 BSI-38 BSI-39 BSI-53 |
A.8.22 A.8.26 A.8.27 A.8.31 A.5.18 |
| 6.8.3 | - | Review and update network segmentation regularly and after significant incidents or changes | - | A.8.22 8.3 9.2 |
| 6.9 | Protection against malicious and unauthorised software | |||
| 6.9.1 | - | Protection of network and information systems against malicious and unauthorised software | BSI-21 | A.8.7 A.8.23 |
| 6.9.2 | - | Implementation of measures that detect or prevent use of malicious or unauothirised software. Where appropriate, use of malware detection and |
BSI-21 | A.8.7 |
| 6.10 | Vulnerability handling and disclosure | |||
| 6.10.1 | 30.2.5d | Collection and analysis of information on vulnerabilities and own exposure | BSI-83 | A.8.8 A.5.7 |
| 6.10.2 | 30.2.5d | Monitor announcements of CSIRTs, authorities, perform scans, address vulnerabilities, define procedure and ensure implementation | partial BSI-83 BSI-84 BSI-97 |
A.8.8 A.5.5 A.5.6 A.5.7 |
| 6.10.3 | 30.2.5d | Implement plan for handling vulnerabilities based on impact, document exceptions and reasons | BSI-25 BSI-84 |
A.8.8 A.8.19 |
| 6.10.4 | 30.2.5d | Review and update vulnerability information channels regularly | - | 9.1 A.8.8 |
9. Cryptography
| # | DE NIS2 | Requirement | KRITIS | ISO 27001 |
|---|---|---|---|---|
| 9. | 30.2.8 | Cryptography Kryptografie und Verschlüsselung |
||
| 9.1 |
30.2.8 | Policy and procedures for cryptography, to protect |
BSI-32 | A.5.1 A.5.31 A.8.24 |
| 9.2 |
30.2.8 | Policy defines cryptographic measures based on classification, crypto protocols, algorithms, ciphers, key lengths, key management, etc. | BSI-32 BSI-33 BSI-34 BSI-35 |
A.5.14 A.8.24 |
| 9.3 |
30.2.8 | Review and update cryptography policy and processes regularly, monitoring crypto state of the art | BSI-32 BSI-66 |
A.5.1 A.5.31 A.8.24 |
11. Access control
| # | DE NIS2 | Requirement | KRITIS | ISO 27001 |
|---|---|---|---|---|
| 11. | 30.2.9b | Access control Konzepte für Zugriffskontrolle |
||
| 11.1 | Access control policy | |||
| 11.1.1 | 30.2.9b | Access control policy for logical and physical access control to network and information systems | BSI-27 BSI-58 |
A.5.15 A.8.3 A.7.2 |
| 11.1.2 | 30.2.9b | Access control policy includes staff and external (suppliers, providers) access, access by |
BSI-58 BSI-98 |
A.5.15 A.5.19 A.5.20 A.5.21 A.5.23 A.8.3 |
| 11.1.3 | 30.2.9b | Review and update access control policy regularly and after significant incidents or changes | BSI-58 BSI-66 |
A.5.1 A.5.15 |
| 11.2 | Management of access rights | |||
| 11.2.1 | 30.2.9b | Manage access rights according to access control policy | BSI-59 BSI-60 |
A.5.18 |
| 11.2.2 | 30.2.9b | Access rights based on need-to-know, least privilege, separation of duties, proper authorization, including third-party access and changes, etc. | BSI-58 BSI-60 BSI-61 |
A.5.3 A.5.18 A.8.3 |
| 11.2.3 | 30.2.9b | Review access rights regularly and update based on organizational changes; document review | BSI-62 | A.5.18 |
| 11.3 | Privileged accounts and system administration accounts | |||
| 11.3.1 | 30.2.9b | Policies for management of privileged and administrative accounts as part of access control policy (11.1) | BSI-63 | A.5.3 A.5.18 A.8.2 A.8.18 |
| 11.3.2 | 30.2.9b | Implement strong authentication, MFA and procedures; specific accounts for administrations; individual privileges | BSI-63 | A.5.3 A.5.18 A.8.2 A.8.5 |
| 11.3.3 | 30.2.9b | Review privileged accounts regularly and update based on organizational changes; document review | BSI-62 BSI-63 |
A.5.18 A.8.2 |
| 11.4 | Administration systems | |||
| 11.4.1 | 30.2.9b | Control the use of system administration systems | partial BSI-30 |
A.8.18 A.8.19 |
| 11.4.2 | 30.2.9b | Separated and administration-specific system, specially secured | partial BSI-39 |
A.8.22 partial |
| 11.5 | Identification | |||
| 11.5.1 | 30.2.9b | Full life cycle management of identities of network and information systems and users | partial BSI-58 |
A.5.16 |
| 11.5.2 | 30.2.9b | Unique identities for systems and users; with oversight and logging | BSI-58 | A.5.3 A.5.16 A.8.3 |
| 11.5.3 | 30.2.9b | Shared identities only in special cases where necessary and with explicit approval and documentation, address shared identities in cybersecurity risk management framework (2.1) | BSI-64 | A.5.16 A.5.17 A.5.18 |
| 11.5.4 | 30.2.9b | Review identities and their users regularly and deactivate if not needed formerly 11.6.4 |
BSI-62 | A.5.16 |
| 11.6 | Authentication | |||
| 11.6.1 | 30.2.9b | Secure authentication procedures and technologies based on access control and policies | BSI-27 | A.5.17 A.8.5 A.8.24 |
| 11.6.2 | 30.2.9b | Strong authentication, controlled authentication process, |
BSI-27 BSI-29 |
A.5.17 A.8.5 A.8.24 |
| 11.6.3 | 30.2.9b | State of the art authentication methods based on risk and classification, if feasible | BSI-26 BSI-27 BSI-32 |
A.8.5 A.8.24 |
| 11.6.4 | 30.2.9b | BSI-27 | A.8.5 | |
| 11.7 | Multi-factor authentication | |||
| 11.7.1 | 30.2.10a | Multi-factor or continuous authentication (SSO) to access network and information systems based on system classification | BSI-27 | A.5.17 A.8.5 A.8.24 |
| 11.7.2 | 30.2.10a | Authentication strength shall be appropriate for asset classification | BSI-27 | A.8.5 A.8.24 |
Personnel Security
10. Human resources security
| # | DE NIS2 | Requirement | KRITIS | ISO 27001 |
|---|---|---|---|---|
| 10 | 30.2.9a | Human resources security Personalsicherheit (HR-Security) |
||
| 10.1 | Human resources security | |||
| 10.1.1 | 30.2.9a | Ensure employees and third parties committed to security responsibilities in line with policies | BSI-42 BSI-57 |
A.6.2 A.6.6 |
| 10.1.2 | 30.2.9a | Mechanisms to ensure employees incl. management bodies and third parties follow cyber hygiene, follow roles and responsibilities, hiring of personnel qualified for respective roles, etc. | BSI-68 | A.6.3 7.2 7.3 |
| 10.1.3 | 30.2.9a | Review assigned roles and commitment of human resources regularly and update if necessary | partial BSI-56 |
5.3 7.1 |
| 10.2 | Verification of background |
|||
| 10.2.1 | 30.2.9a | Verification of background |
BSI-56 | A.6.1 A.5.20 |
| 10.2.2 | 30.2.9a | Criteria for background checks, only authorized persons, checks performed before |
BSI-56 | A.6.1 |
| 10.2.3 | 30.2.9a | Review and update background check policy regularly | BSI-66 | A.5.1 A.5.20 |
| 10.3 | Termination or change of employment procedures | |||
| 10.3.1 | 30.2.9a | Responsibilities and duties valid after termination or change are |
BSI-70 | A.6.5 |
| 10.3.2 | 30.2.9a | Responsibilities (like confidentiality) are set out in contracts |
BSI-42 | A.5.8 A.6.2 A.6.6 |
| 10.4 | Disciplinary process | |||
| 10.4.1 | 30.2.9a | Disciplinary process for handling violations of network and information systems | BSI-69 | A.6.4 |
| 10.4.2 | 30.2.9a | Review and update disciplinary process regularly or due to legal or operational changes | BSI-69 BSI-66 |
A.6.4 A.5.1 |
8. Cyber hygiene
| # | DE NIS2 | Requirement | KRITIS | ISO 27001 |
|---|---|---|---|---|
| 8. | 30.2.7a 30.2.7b |
Basic cyber hygiene practices and security training Cyberhygiene und Awareness, Schulungen Informationssicherheit |
||
| 8.1 | Awareness raising and basic cyber hygiene practices | |||
| 8.1.1 | 30.2.7a | Awareness of employees, incl. management, direct suppliers and service providers for risks, importance of cybersecurity and cyber hygiene practices | BSI-68 | 7.3 A.6.3 A.7.7 A.8.7 |
| 8.1.2 | 30.2.7a | Security awareness raising programme for employees, incl. management, direct suppliers and service providers, with repeated schedules, in line with policies, covering relevant cyber threats, measures, practices, advice | BSI-68 | 7.3 A.6.3 |
| 8.1.3 | 30.2.7a | Where appropriate, testing and updating of awareness programme regularly, taking into account changes in threat landscape, risks and cyber hygiene | BSI-68 | 7.3 9 |
| 8.2 | Security training | |||
| 8.2.1 | 30.2.7b | Identification of employees whose roles require specific security skills and expertice, and regular training on network and information systems security for such employees | BSI-68 | 7.2 A.6.3 |
| 8.2.2 | 30.2.7b | Training program based on policy, specific security topics and procedures, based on role and position requirements | BSI-68 | 7.2 A.6.3 |
| 8.2.3 | 30.2.7b | Effectiveness assessment of training and its relevance, covering secure configuration and operations, cyber threats, and behaviour | BSI-68 | 9 A.6.3 |
| 8.2.4 | 30.2.7b | Training for employees who transfer or change positions | - | A.6.5 |
| 8.2.5 | 30.2.7b | Update security training program based on policies, rules, roles, threats and technologies | BSI-68 BSI-66 |
7.2 A.6.3 A.5.1 |
13. Physical Security
The Implement Act refers to points c), e) and i) of Article 21 NIS2 for these measures, although physical security is not listed by name in Article 21 NIS2.
| # | DE NIS2 | Requirement | KRITIS | ISO 27001 |
|---|---|---|---|---|
| 13 | Environmental and physical security | |||
| 13.1 | Supporting utilities | |||
| 13.1.1 | - | Prevent of loss, damage or compromise due to failure or disruption of supporting utitilies | BSI-71 BSI-75 |
A.7.5 A.7.8 A.7.11 A.7.12 |
| 13.1.2 | - | Measures for prevention, where appropriate: Protection against power failures, redundancies, protection against interception, monitoring, environmental control, etc. | BSI-71 BSI-75 |
A.7.5 A.7.8 A.7.9 A.7.11 A.7.12 A.8.14 |
| 13.1.3 | - | Review, test and update protection measures regularly and after incidents | BSI-71 BSI-75 |
9 A.7.5 A.7.11 |
| 13.2 | Protection against physical and environmental threats | |||
| 13.2.1 | - | Prevent and reduce consequences of environmental and physical threats, based on results of risk assessment (2.1) | BSI-74 | A.7.3 A.7.4 A.7.5 |
| 13.2.2 | - | Design measures for protection based on risk assessment, control thresholds and monitoring of environmental threats, where appropriate | BSI-71 BSI-74 |
A.7.3 A.7.4 A.7.5 |
| 13.2.3 | - | Review, test and update protection measures regularly and after incidents | partial BSI-71 BSI-76 |
8.3 9.2 A.7.13 |
| 13.3 | Perimeter and physical access control | |||
| 13.3.1 | - | Prevent and monitor unauthorized physical access, damage, interference | BSI-72 | A.7.1 A.7.2 A.7.3 A.7.4 |
| 13.3.2 | - | Implement security perimeters, entry controls and access points, physical security for offices and facilities, continuous monitoring | BSI-72 BSI-73 |
A.5.15 A.5.18 A.7.1 A.7.2 A.7.3 A.7.4 |
| 13.3.3 | - | Review, test and update physical control measures regularly and after incidents | partial BSI-76 |
8.3 9.2 A.7.2 A.7.5 |
Comments
Our observations
The Implementing Act adds many missing details to the existing Article 21 of the NIS2 directive. It also added several new topics that were not covered before in the Article 21 list, like network security. Compared to existing security frameworks like the international ISO 27001 and German KRITIS, there are some deviations:
- Increased focus on crisis management, business continuity management and planning
- Constant emphasis on improvement processes for each topic – update and review
- Frequent explicit extension of requirements to third parties also
- Some very specific requirements and security measures (networks, accounts, systems)
- Existing ISMS and certifications will need to be extended for these gaps
- Some gaps might be compensated by management system processes – controls needed
Some of the collected gaps and our comment in detail – sorted like the mapping above.
| Ch. | Requirements | Comments |
|---|---|---|
| 1 | Policy on the security of network and information systems | Direct CISO reporting Management involvement |
| 2 | Risk management policy | Many mandatory reviews Management reporting |
| 7 | Effectiveness of cybersecurity | Great(er) emphasis on effectiveness |
| 12 | Asset management | Extensive requirements |
| 3 | Incident Management | Extensive controls Emphasis training and awareness Regular testing and reviews Automation |
| 4 | Business Continuity | Formal BCM, BIA, crisis management required Redundancies |
| 5 | Supply Chain | Provider selection and monitoring Directory and monitoring |
| 6 | Security in acquisition and development | Specific: configurations Specific: Patches and vulnerabilities Specific: Network security and segmentation Many reviews and updates |
| 9 | Cryptography | |
| 11 | Access control | So many controls! Many processes and governance required Strong authentication required Specific: MFA and SSO |
| 10 | Human resources security | Specific: Processes, changes and reviews |
| 8 | Cyber hygiene | Broad reading of awareness Much testing and effectiveness |
| 13 | Physical Security | Many specific preventive measures Many reviews and and tests |
Changes Implementing Act
Major changes between the draft version of June 2024 and the adopted version are:
- 1.1.2: Topic-specific policies do not need to be reviewed by management bodies.
- 2.1.1, 2.1.2: The term risk owner has been removed and identification of risk owners is not formally required.
- 2.1.2: Risk management methodology and tools do not need to be based on relevant European or international standards (removed).
- 2.1.3 new: Identify and prioritise appropriate risk treatment options and measures, taking into account risk assessment results, effectiveness of measures, cost of implementaiton in relation to benefit, asset classification, BIA.
- 1.1.2, 2.1.4: Regular review of network and information system security policy, risk assessment results and risk treatment plan was specified as at least annually.
- 3.6.3: Post-incident reviews shall be carried out not only for significant incidents (removed), and entities shall review if they were performed.
- 4.2: New title Backup and redundancy management.
- 7: Changes in numbering for all subrequirements.
- 9: Changes in numbering for all subrequirements.
- 10.2: Changed term verification of background instead of background checks.
- 11.5.4 new: Formerly control 11.6.4, has been renumbered.
- 11.6.4 new: Content of control has been completely changed and now requires regular review of authentication procedures and technologies.
- 12.5: In addition to return and deletion, deposit of assets has been added.
- General: Many new references have been added to interrelate topics. In many areas, activities are required to be based on the results of the risk assessment; coherence between policies and procedures is aimed for and demanded.
- General: Adaptation and standardization of various terms, e.g. data and information.
- General: Softening of various details by means of where appropriate, if feasible etc.
More information
Sources
- Cybersecurity risk management & reporting obligations for digital infrastructure, providers and ICT service managers, Implementing Act 17 October 2024, European Commission
- Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive), 27.12.2022