EU-wide legislation on cyber security via EU-NIS2 (Directive (EU) 2022/2555 on the security of network and information systems) and EU-RCE 2024 (Directive (EU) 2022/2557 on the resilience of critical entities) will be transposed into national law in the foreseeable future. Despite any delays by the German government, it is essential that companies in all EU member states prepare for the implementation of these regulations.
In the previous article “Upgrade to ISO 27001:2022 – SEEBURGER mapping table,” we explained how SEEBURGER is dealing with the new ISO 27001:2022 controls. In this article, you will learn how compliance with the EU-NIS2 and EU-RCE requirements can be checked with the help of an ISO 27001-certified information security management system (ISMS).
Certifiable EU regulations?
The European Union Agency for Cybersecurity (ENISA) is planning a certifiable set of rules in accordance with EU-NIS2 Article 46 “European Cybersecurity Certification Framework.” It remains to be seen what this means in concrete terms and how it fits with the existing cyber security certifications and attestations.
Experience since 2018 with EU-GDPR Article 42 on data protection certification mechanisms does not offer much hope for viable solutions from the EU that will find broad acceptance in the market.
EU-NIS2 and ISO 27001 certifications
In the meantime, many affected companies that hold an ISO 27001 certification can use their information security management system (ISMS) in accordance with ISO 27001 as a basis for checking the EU-NIS2 requirements.
Many of the requirements of EU-NIS2 (2022/2555) in Article 20 (Governance) and Article 21 (Measures) and EU-RCE (2022/2557) Article 12 (Risk assessment) and Article 13 (Measures) sound familiar from ISMS and ISO/IEC 27001:2022.
If available, additional controls from ISO 27005 Risk Management, ISO 27031 Business Continuity or the BSI standards 200-3 Risk Management or 200-4 Business Continuity Management can be used.
EU-NIS2 mapping table to ISO 27001:2022 and ISO 27002:2022
For the controls, you need a mapping table from the legal requirements to the (ideally already existing and certified) controls of your own ISMS. The EU member states are actively pursuing the transposition of EU-NIS2 and EU-RCE into their respective national law. Consequently, the mapping may vary in individual cases and between the various EU member states.
In Germany, for example, the so-called NIS2UmsuCG is just around the corner. The draft of the German NIS 2 Implementation Act (NIS2UmsuCG) was discussed in the Federal Cabinet on 24.07.2024 and will be debated in the German Bundestag after the summer break.
SEEBURGER currently uses the following ISO 27001 controls:
| EU-NIS2 (EU 2022/2555) requirement | Typical questions | ISO 27001:2022: typical chapters and controls to be considered |
|---|---|---|
| Article 20: Governance | Organization of information security – Who is responsible for information security in your company? – How is the internal organization of information security structured? | A.5.01 Policies for information security; A.5.02 Information security roles and responsibilities; A.5.03 Segregation of duties |
| Article 20.2: Training | Security awareness, resilience and training – Do you offer training on information security and crisis preparedness for your management and employees? – How do you promote risk awareness among your management team and employees? | 7.3 Awareness; 7.4 Communication; 7.5 Documented information; A.6.3 Information security awareness, education and training |
| Article 21.1 & 21.2 (a): Cybersecurity risk management measures | Risk analysis and security of information systems – How do you identify information security risks? – What measures do you take to deal with identified risks? | 4.4 Information security management system; 5.2 Information security policy; 6.1.2 Information security risk assessment; 6.1.3 Information security risk treatment; 8.2 Information security risk assessment; 8.3 Information security risk treatment; A.5.01 Policies for information security. Optional: ISO 27005 Risk Management or BSI Standard 200-3 Risk Management |
| Article 21.2 (b): Handling of incidents | Dealing with security incidents – How do you deal with security incidents? – Do you have a defined procedure for reporting and responding to security incidents? – Do you have secure emergency communications in place? | A.5.07 Threat intelligence; A.5.24 Information security incident management planning and preparation; A.5.25 Assessment and decision on information security events; A.5.26 Response to information security incidents; A.5.27 Learning from information security incidents; A.5.28 Collection of evidence; A.6.08 Information security event reporting; A.8.16 Monitoring activities |
| Article 21.2 (c): Security | Backup management and recovery – What BCM and disaster recovery measures have you prepared? – Are alternative supply chains planned? | A.8.13 Information backup; A.8.14 Redundancy of information processing facilities; A.8.15 Logging |
| Article 21.2 (c): Management of business continuity | Business continuity, e.g. disaster recovery and crisis management | See the EU-RCE table in the section below, and A.5.29 Information security during disruption |
| Article 21.2 (d) & 21.3: Management of the supply chain | Security in the supply chain and with service providers – What measures do you take to ensure that your suppliers also meet the information security requirements? – How do you screen your suppliers? | A.5.19 Information security in supplier relationships; A.5.20 Addressing information security within supplier agreements; A.5.21 Managing information security in the information and communication technology (ICT) supply chain; A.5.22 Monitoring, review and change management of supplier services; A.5.23 Information security for use of cloud services |
| Article 21.2 (e): Security in the procurement, development and maintenance of networks and information systems | Security in development, procurement and maintenance – What security principles do you apply in software development or in the procurement and maintenance of software? | A.5.20 Addressing information security within supplier agreements; A.5.24 Information security incident management planning and preparation; A.5.36 Compliance with policies, rules and standards for information security; A.5.37 Documented operating procedures; A.6.08 Information security event reporting; A.8.09 Configuration management; A.8.19 Installation of software on operational systems; A.8.20 Networks security; A.8.21 Security of network services |
| Article 21.2 (e): Security in network and information systems, including the handling and disclosure of security vulnerabilities | Security in systems – How have you implemented patch and vulnerability management? | A.5.07 Threat intelligence; A.6.08 Information security event reporting; A.8.07 Protection against malware; A.8.08 Management of technical vulnerabilities |
| Article 21.2 (f): Policies and procedures for assessing the effectiveness of cyber security risk management measures | Assessing the effectiveness of cyber security and risk management – How do you monitor the effectiveness of your security measures? – Do you conduct regular security audits and assessments? Which ones? | 4.4 Information security management system; 5.2 Information security policy; 6.1.2 Information security risk assessment; 6.1.3 Information security risk treatment; 8.2 Information security risk assessment; 8.3 Information security risk treatment; 9.1 Monitoring, measurement, analysis and evaluation; 9.2 Internal audit; 9.3 Management review; A.5.01 Policies for information security; A.5.35 Independent review of information security; A.5.36 Compliance with policies, rules and standards for information security |
| Article 21.2 (g): Basic cyber hygiene practices | Basis of IT security in the company – What are your basic cyber hygiene practices? | ISO 27001:2022: complete Statement of Applicability (SoA), current TISAX report or ISAE 3402 SOC 1 report with corresponding KPIs, etc. |
| Article 21.2 (g): Cybersecurity training | Security awareness, resilience and training – Do you provide information security and crisis preparedness training for your employees? – How do you promote security awareness among your employees? | 7.3 Awareness; 7.4 Communication; 7.5 Documented information; A.6.3 Information security awareness, education and training |
| Article 21.2 (h): Principles and procedures for the use of cryptography and, where appropriate, encryption | Cryptography and encryption – Where do you use encryption? – Which encryption methods do you use? | A.8.20 Networks security; A.8.21 Security of network services; A.8.22 Segregation of networks; A.8.24 Use of cryptography |
| Article 21.2 (i): Employees | Staff security – How do you protect sensitive information from unauthorized access? – How do you manage the roles and rights of your employees? | A.5.09 Inventory of information and other associated assets; A.5.10 Acceptable use of information and other associated assets; A.5.11 Return of assets; A.5.33 Protection of records; A.6.01 Screening; A.6.02 Terms and conditions of employment; A.6.04 Disciplinary process; A.6.05 Responsibilities after termination or change of employment; A.6.06 Confidentiality or non-disclosure agreements; A.6.07 Remote working |
| Article 21.2 (i): Access control | Security of access – How do you manage access to information and systems? | A.5.12 Classification of information; A.5.13 Labelling of information; A.5.14 Information transfer; A.5.15 Access control; A.5.16 Identity management; A.5.17 Authentication information; A.5.18 Access rights; A.8.01 User end point devices; A.8.02 Privileged access rights; A.8.03 Information access restriction |
| Article 21.2 (j): Use of multi-factor authentication or continuous authentication solutions, secure voice, video and text communication and, where appropriate, secure emergency communication systems within the facility | Communication security – How do you protect communications over networks (including voice, video and text)? – Do you use encryption technologies for the transmission of sensitive data? | A.5.14 Information transfer; A.5.16 Identity management; A.5.17 Authentication information; A.8.01 User end point devices; A.8.24 Use of cryptography |
| Article 23: Reporting obligations | Process for fulfilling reporting obligations – How is the report submitted to the responsible public cyber authority without undue delay, and at the latest within 24 hours (early warning), 72 hours (initial assessment) and one month (final report)? | A.5.14 Information transfer; A.5.24 Information security incident management planning and preparation; A.5.25 Assessment and decision on information security events; A.5.26 Response to information security incidents; A.5.27 Learning from information security incidents; A.5.28 Collection of evidence; A.6.08 Information security event reporting |
| Article 24.1: Use of EU cybersecurity certification schemes & Article 25: Standardization | Certifications – Do you have a current certification that covers the services you offer? | ISO 27001:2022: complete Statement of Applicability (SoA), current TISAX report or ISAE 3402 SOC 1 report with corresponding KPIs, etc. |
| BSI Act – BSIG §8a (1a): Use of intrusion detection systems and security information and event management (assuming that this is now state of the art anyway and that its use in Germany will be proposed by the NIS2 Implementation Act) | Systems for attack detection (SzA) – Do you operate a critical infrastructure? | A.5.07 Threat intelligence; A.5.24 Information security incident management planning and preparation; A.5.25 Assessment and decision on information security events; A.5.26 Response to information security incidents; A.5.27 Learning from information security incidents; A.5.28 Collection of evidence; A.6.08 Information security event reporting; A.8.07 Protection against malware; A.8.08 Management of technical vulnerabilities; A.8.15 Logging; A.8.16 Monitoring activities |
The question is whether, as an affected company, you should already prepare at this point in time and refine the assignments later if the EU member states issue additional implementation instructions, or whether you should wait until local law and the additional implementation instructions are officially available.
Critical infrastructures and EU-RCE
For operators of critical infrastructures and their relevant suppliers, it’s also important to understand the EU-RCE requirements.
| EU-RCE (EU 2022/2557) requirement | Typical questions | ISO 27001:2022: typical chapters and controls to be considered |
|---|---|---|
| Article 13.1 (a): Prevention of security incidents, taking due account of disaster risk reduction and climate change adaptation measures | Prevention – What preventive measures have you taken against cyber crises and ransomware attacks? – How do you prepare for other disasters and the effects of climate change? | A.5.07 Threat intelligence; A.5.29 Information security during disruption; A.5.30 ICT readiness for business continuity; A.6.08 Information security event reporting; A.7.05 Protecting against physical and environmental threats; A.8.07 Protection against malware; A.8.08 Management of technical vulnerabilities; A.8.13 Information backup; A.8.14 Redundancy of information processing facilities; A.8.15 Logging; A.8.16 Monitoring activities |
| Article 13.1 (b): Adequate physical protection of premises and critical infrastructure, with due regard to, for example, the installation of fences and barriers, perimeter surveillance tools and procedures, detection devices and access controls | Physical security – What physical security measures are in place to protect your real estate, employees and critical infrastructure? | A.7.01 Physical security perimeters; A.7.02 Physical entry; A.7.03 Securing offices, rooms and facilities; A.7.04 Physical security monitoring; A.7.05 Protecting against physical and environmental threats; A.7.06 Working in secure areas; A.7.07 Clear desk and clear screen; A.7.08 Equipment siting and protection; A.7.09 Security of assets off-premises; A.7.10 Storage media; A.7.11 Supporting utilities; A.7.12 Cabling security |
| Article 13.1 (c): Responding to, preventing and mitigating the consequences of security incidents, with due regard to the implementation of risk and crisis management and predetermined procedures in the event of an alert | Crisis response and crisis management – What defined procedures, protocols and warnings are included in your crisis plans? – How often are these practiced? | A.5.29 Information security during disruption; A.5.30 ICT readiness for business continuity; A.8.13 Information backup; A.8.14 Redundancy of information processing facilities; A.8.15 Logging; A.8.16 Monitoring activities. Optional: ISO 27031 Business Continuity or BSI Standard 200-4 Business Continuity Management |
| Article 13.1 (d): Ensuring recovery after security incidents, taking due account of business continuity measures and the identification of alternative supply chains to resume the provision of the essential service | BCM and supply chain – How do your BCM and recovery take service providers into account? | A.5.19 Information security in supplier relationships; A.5.20 Addressing information security within supplier agreements; A.5.21 Managing information security in the information and communication technology (ICT) supply chain; A.5.22 Monitoring, review and change management of supplier services; A.5.23 Information security for use of cloud services; A.5.30 ICT readiness for business continuity |
| Article 13.1 (e): Appropriate security management of employees, establishment of procedures for background checks | Security check – How do you screen your staff? | A.6.01 Screening |
| Article 13.1 (f): Raising awareness among relevant staff of the measures referred to in points (a) to (e), taking due account of training, information material and exercises | Security awareness, resilience and training – Do you provide information security and crisis preparedness training for your employees? – How do you promote security awareness among your employees? | 7.3 Awareness; 7.4 Communication; 7.5 Documented information; A.6.3 Information security awareness, education and training |
Conclusion
EU-NIS2 and its implementation into law in the EU member states will require affected companies to demonstrate compliance through appropriate security measures.
For the sake of simplicity, organizations that are subject to the laws of the relevant EU member state can start with ISO 27001 as a baseline, provided the relevant departments are included in the scope of the certification. In this way, the actual purpose, namely protection against cyber attacks, can be pursued without spending too much time on formalities.
Source: https://blog.seeburger.com/eu-nis2-verification-through-mapping-to-iso-27001-controls/