NIS2 IT Implementing Act

Mapping picture

The EU NIS2 directive (EU 2022/2555) defines extensive cybersecurity requirements for entities in Art. 21, transposed to national laws. EU NIS2 allows the Commission to lay down specific security requirements through Implementing Acts. This article describes the draft Implementing Act mandatory for Internet and IT providers and maps it to ISO 27001:2022 and KRITIS.

Implementing acts take precedence over national legislation without the need for transposition. Two mandatory implementing acts are foreseen for Internet providers to detail out incident definitions of Art. 23 (11) and security measures of Art. 21 (5). The June 2024 draft combines them into a single Commission Implementing Regulation with annex.

This article maps the security requirements of the Internet provider Implementing Act to security standards. The act will be mandatory for providers such Cloud, DNS, TLD, CDN and many managed services. This work and the act are still draft, we have comments on gaps.

Overview and scope

Controls

This Implementing Act for Internet Providers (Commission Implementing Regulation) refers to individual items in Article 21 of the EU NIS2 Directive (EU 2022/2555). It extends each of the NIS2 list items into multiple controls with more details and some new topics as well.

Group Ch. Requirements #
Management and Policies 1
2
7
12
Policy on the security of network and information systems
Risk management policy
Effectiveness of cybersecurity
Asset management
8 controls
10 controls
3 controls
13 controls
Incident Management 3 Incident Management 22 controls
Business Continuity 4 Business Continuity 14 controls
Supply Chain 5 Supply Chain 8 controls
IT Security and Networks 6
9
11
Security in acquisition and development
Cryptography
Access control
31 controls
3 controls
20 controls
Personnel Security 10
8
Human resources security
Cyber hygiene
10 controls
8 controls
Physical Security 13 Physical Security 9 controls

Entities in scope

This Implementing Act will be mandatory for a range of providers in the Digital Infrastructure sector of NIS2 and will overwrite and extend national NIS2 security requirements.

up

Security mapping

This mapping to individual ISO 27001:2022 and German KRITIS controls is meant as guidance only and does not imply complete coverage. Numbering (#) is based on the implementing act, NIS2 reference is based on German NIS2 implementation law. All the listed ISO 27001:2022 controls take ISO 27002 details into account but might still not cover everything.

Management and Policies

1. Policy on the security of network and information systems

OpenKRITIS compilation ∙ Data from June 2024 ∙ Draft content 20240710
# DE NIS2 Requirement KRITIS ISO 27001
1 30.2.1b Policy on the security of network and information systems
Konzepte für IT-Sicherheit (ISMS)
1.1 Policy on the security of network and information systems
1.1.1 30.2.1b Policy on the security of network and information systems, including approach to security, strategy and objectives, risk tolerance, commitments, topic-specific policies, formal approval by management bodies BSI-1
BSI-2
4.1-10.2
A.5.1
A.5.2
A.5.4
1.1.2 30.2.1b Review and update (by management bodies) network and information system and further policies regularly and after significant incidents and changes. BSI-2 6.2
9.3
A.5.1
A.5.2
A.5.4
1.2 Roles, responsibilities and authorities
1.2.1 30.2.1b Define roles, responsibilities and authorities for network and information system security and communicate BSI-3 4.3
A.5.3
A.5.4
1.2.2 30.2.1b Require staff and third-parties to implement security policies BSI-3
BSI-98
4.3
A.5.3
A.5.4
A.5.19
A.5.20
A.5.21
A.5.23
1.2.3 30.2.1b Direct report (CISO) to management bodies on network and information system security - -
1.2.4 30.2.1b Dedicated roles for network and information system security BSI-3 4.3
A.5.3
A.5.4
1.2.5 30.2.1b Segregation of conflicting duties and responsibilities BSI-4 A.5.3
1.2.6 30.2.1b Review and update (by management bodies) roles, responsibilities and authorities regularly and after significant incidents and changes. - 5.3
9.3

2. Risk management policy

OpenKRITIS compilation ∙ Data from June 2024 ∙ Draft content 20240710
# DE NIS2 Requirement KRITIS ISO 27001
2 30.2.1a Risk management policy
Konzepte zur Risiko-Analyse (IT-RM)
2.1 Risk management framework
2.1.1 30.2.1a Appropriate risk management framework for security of network and information systems, with assessments, treatment plans, and acceptance by management or risk owners plus reporting BSI-13 6.1
8.2
8.3
2.1.2 30.2.1a
30.2.0
Cybersecurity risk management process as integral part of overall risk management, with methods, tools, criteria, all-hazards approach, risk owners, criteria, responsibilities, awareness BSI-14
BSI-16
6.1
8.2
8.3
A.5.31
2.1.3 30.2.1a Review and update risk assessment results and treatment plans regularly or after significant incidents and changes BSI-14 6.1
8.2
8.3
10.1
2.2 Compliance monitoring
2.2.1 30.2.1a Regular review of compliance with policies, inform management bodies BSI-85 A.5.31
A.5.36
2.2.2 30.2.1a Compliance reporting system to effectively inform management bodies on risks BSI-85 BSI-86 9.2
A.5.31
A.5.36
A.5.36
2.2.3 30.2.1a Compliance reviews at regular intervals or after significant incidents and changes BSI-86 9.2
A.5.36
A.8.34
2.3 Independent review of information and network security
2.3.1 30.2.1a Independent reviews of network and information system security management and implementation BSI-86
BSI-87
BSI-88
9.2
A.5.35
A.5.36
A.8.34
2.3.2 30.2.1a Processes for independent reviews by people with audit competence and independence BSI-89 A.5.36
A.8.34
2.3.3 30.2.1a Reporting to management bodies of compliance monitoring and corrective actions BSI-85 A.5.31
A.5.36
2.3.4 30.2.1a Independent reviews at regular intervals or after significant incidents and changes BSI-86 9.2
A.5.36
A.8.34

7. Effectiveness of cybersecurity

OpenKRITIS compilation ∙ Data from June 2024 ∙ Draft content 20240710
# DE NIS2 Requirement KRITIS ISO 27001
7 30.2.6 Policies and procedures to assess the effectiveness of cybersecurity risk-management measures
Bewertung der Wirksamkeit von Maßnahmen
7.1.1 30.2.6 Implement policy and processes to assess implementation and effectiveness of policies BSI-1
BSI-86
9.1
9.2
A.5.36
A.8.34
7.1.2 30.2.6 Process, security assessments and security testing of cybersecurity measures with methods, definitions and responsibilities BSI-86 9.2
A.5.36
A.8.34
7.1.3 30.2.6 Review and update assessment policies and processes regularly or after significant incidents and changes partial
BSI-85
9.3
A.5.31
A.5.36

12. Asset management

OpenKRITIS compilation ∙ Data from June 2024 ∙ Draft content 20240710
# DE NIS2 Requirement KRITIS ISO 27001
12 30.2.9c Asset Management
Management von Anlagen
12.1 Asset classification
12.1.1 30.2.9c Classification and protection levels for information and assets BSI-7 A.5.12
12.1.2 30.2.9c Classification system applied to assets and information (using C/I/A/A) to indicate protection requirements and objectives BSI-9
BSI-10
A.5.10
A.5.12
A.5.13
12.1.3 30.2.9c Review and update classification levels of assets and information regularly BSI-10 A.5.10
A.5.12
12.2 Handling of information and assets
12.2.1 30.2.9c Policy for handling of assets and information in accordance with security policy BSI-7
BSI-10
A.5.10
A.7.10
A.5.13
12.2.2 30.2.9c Policy covers asset and information life cycle, safe use and storage, off-premise and transfer requirements BSI-7
BSI-12
A.5.10
A.6.7
A.7.9
A.7.10
A.7.14
A.8.10
12.2.3 30.2.9c Review and update asset handling policy regularly or after significant incidents and changes BSI-7
BSI-66
A.5.10
A.5.1
12.3 Removable media policy
12.3.1 30.2.9c Removable media policy for management of removable storage media at premises and locations BSI-11 A.7.10
A.7.14
A.8.10
12.3.2 30.2.9c Policy covers protective measures for connections, execution, control and encryption of media BSI-11
BSI-34
A.7.10
A.7.14
A.8.10
A.5.34
A.8.24
12.3.3 30.2.9c Review and update removable media policy regularly or after significant incidents and changes BSI-11 A.7.10
A.7.14
A.8.10
12.4 Asset inventory
12.4.1 30.2.9c Complete and accurate inventory of assets with recorded changes BSI-5 A.5.9
12.4.2 30.2.9c Inventory with appropriate granularity includes list of operations and services, and list of assets (NIS) that support operations and services BSI-5 A.5.9
12.4.3 30.2.9c Review and update inventory of assets regularly and document history BSI-5 A.5.9
12.5 30.2.9c Return or deletion of assets upon termination of employment with appropriate processes BSI-8 A.5.11
A.7.10
A.8.10

up

3. Incident Management

OpenKRITIS compilation ∙ Data from June 2024 ∙ Draft content 20240710
# DE NIS2 Requirement KRITIS ISO 27001
3 30.2.2 Incident Management
Bewältigung von Sicherheitsvorfällen
3.1 Incident handling policy
3.1.1
3.1.2
30.2.2 Incident handling policy with roles and processes for detection, analyzing and responding to incidents BSI-77 A.5.24
A.6.8
3.1.3 30.2.2 Review and update of the roles and processes of the incident handling policy BSI-77
BSI-66
A.5.24
A.6.8
A.5.1
3.2 Monitoring and logging
3.2.1 30.2.2 Procedures and tools for monitoring activities and detecting events BSI-80
SzA
BSI-90
BSI-91
A.5.28
A.6.8
A.8.15
8.16
3.2.2 30.2.2 Automated and continuous monitoring, if feasible BSI-80
SzA
BSI-93
A.5.28
A.6.8
A.8.15
A.8.16
3.2.3 30.2.2 Documentation and review of logs, including much (from network traffic to access to facilities) BSI-92 A.8.15
8.16
3.2.4 30.2.2 Review of logs based on thresholds and possible automated alarms with adequate response BSI-80
BSI-90
A.5.28
A.6.8
A.8.15
A.8.16
3.2.5 30.2.2 Central storage and backup of logs BSI-92
BSI-93
BSI-94
A.8.9
A.8.13
A.8.15
3.2.6 30.2.2 Synchronized time sources on systems and list of logging assets partial
BSI-91
BSI-93
A.8.17
A.8.9
A.8.15
3.2.7 30.2.2 Regular review of logging procedures and list of assets partial
BSI-91
partial
A.8.15
3.3 Event reporting
3.3.1 30.2.2 Alert reporting mechanism for employees, suppliers and customers partial
BSI-79
BSI-81
A.5.2
A.5.24
A.5.25
A.5.26
A.6.8
3.3.2 30.2.2 Communication and training of the alerting mechanism partial
BSI-81
partial
A.5.24
3.4 Event assessment and classification
3.4.1
3.4.2
30.2.2 Assessment of events to determine nature and severity of incidents BSI-80 A.5.25
A.5.28
A.6.8
A.8.15
3.5 Incident Response
3.5.1
3.5.2
30.2.2 Procedures for incident response BSI-77
BSI-78
A.5.24
A.5.25
A.5.26
A.5.28
A.6.8
3.5.3 30.2.2 Communication plans with CSIRT and stakeholders BSI-77 A.5.24
A.6.8
3.5.4
3.5.5
30.2.2 Logging and testing of incident activities and procedures unsure A.5.24
A.5.28
A.5.30
3.6 Post-incident reviews
3.6.1
3.6.2
30.2.2 Reviews after incident to identify root causes and provide lessons learned to improve network and IT security and reduce risks BSI-82 A.5.26
A.5.27
3.6.3 30.2.2 Regular reviews if post-incident reviews have been performed - A.5.26

up

4. Business Continuity

OpenKRITIS compilation ∙ Data from June 2024 ∙ Draft content 20240710
# DE NIS2 Requirement KRITIS ISO 27001
4 30.2.3a
30.2.3b
30.2.3c
30.2.3d
Business Continuity and Crisis Management
Aufrechterhaltung Betrieb, Backup-Management, Wiederherstellung, Krisenmanagement
4.1 Business continuity and disaster recovery plans
4.1.1
4.1.2
30.2.3a Business continuity and disaster recovery plan, based on risk assessments, to be used for recovery BSI-17
BSI-18
partial
A.5.29
A.5.30
A.5.31
4.1.3 30.2.3a Business impact analysis (BIA) to assess disruptive impact, and establish resulting continuity requirements BSI-15 partial
A.5.29
A.5.30
4.1.4 30.2.3c Test and review of business continuity and disaster recovery, with updates and lessons learned BSI-19 partial
A.5.30
4.2 Backup management (and redundancy)
4.2.1 30.2.3b Backups of informations, with sufficient resources, facilities and staff partial
BSI-22
A.8.13
A.8.14
4.2.2 30.2.3b Backup plans based on risk assessment and business continuity plans with time (RTO/RPO), locations, access controls, etc. BSI-22 A.8.13
A.8.14
4.2.3 30.2.3b Regular integrity checks of backups partial
BSI-23
A.8.13
A.8.16
4.2.4 30.2.3b At least partial redundancy for NIS, assets and facilities, personnel, communications - A.8.14
4.2.5 30.2.3b Monitoring and adjustment of resources informed by backup and redundancy requirements partial
BSI-20
partial
A.8.6
4.2.6 30.2.3b Regular testing of backups and redundancies, with documentation and corrective actions BSI-24 A.8.13
4.3 Crisis management
4.3.1
4.3.2
30.2.3d Processes for crisis management with roles, responsibilities, communications, and supporting assets - -
4.3.3 30.2.3d Process for receiving and using information from CSIRTs and authorities and incidents, threats and vulnerabilities BSI-97 A.5.5
A.5.6
4.3.4 30.2.3d Regular test and review of crisis management plan - -

up

5. Supply Chain

OpenKRITIS compilation ∙ Data from June 2024 ∙ Draft content 20240710
# DE NIS2 Requirement KRITIS ISO 27001
5 30.2.4a
30.2.4b
Supply Chain Security
Sicherheit der Lieferkette, Sicherheitsaspekte zu Anbietern und Dienstleistern
5.1 Supply chain security policy
5.1.1 30.2.4a Supply chain security policy to govern suppliers and service providers and mitigate risks to NIS partial
BSI-98
A.5.19
A.5.21
5.1.2 30.2.4a Establish criteria to select and contract suppliers, based on suppliers cybersecurity practices, capabilities, resilience and vendor lock-in - A.5.19
5.1.3 30.2.4a Take into account coordinated security risk assessments of critical supply chains (NIS2) - -
5.1.4 30.2.4a Contractual requirements and SLAs with providers, including cybersecurity requirements, staff, incidents, audits, etc. BSI-98 A.5.19
A.5.20
A.5.21
A.5.22
A.5.23
5.1.5 30.2.4a Selection of new providers based on criteria (5.1.2) and risk assessments (5.1.3) - partial
A.5.19
5.1.6 30.2.4a Review supply chain policy and monitor and evaluate suppliers and compliance BSI-66
BSI-99
A.5.1
A.5.22
5.1.7 30.2.4a For provider selection, monitor SLAs reports, review incidents, plan and assess audits, and analyze change risks - A.5.22
5.2 30.2.4b Directory of suppliers and service providers with contact points and list of ICT products, services, etc. - A.5.21

up

IT Security and Networks

6. Security in acquisition and development

Note this also covers network security (6.7 and 6.8) and malware (6.9), which are missing from Article 21 NIS2 but are added by the Implementing Act as part of Security in acquisition.

OpenKRITIS compilation ∙ Data from June 2024 ∙ Draft content 20240711
# DE NIS2 Requirement KRITIS ISO 27001
6 30.2.5a
30.2.5b
30.2.5c
30.2.5d
Security in Network and Information Systems Acquisition, Development and Maintenance
Sicherheitsmaßnahmen bei Erwerb, Entwicklung und Wartung von IT Systemen, Komponenten und Prozessen
6.1 Security in acquisition of ICT services or ICT products
6.1.1 30.2.5a Processes to manage risks in the acquisition of ICT services and products that are critical BSI-43 A.5.8
A.8.25
A.8.26
A.8.27
A.8.28
6.1.2 30.2.5a Security requirements, updates, information on cybersecurity functions, compliance and validation BSI-43 A.5.8
A.8.25
A.8.26
A.8.27
A.8.28
6.1.3 30.2.5a Review and update processes for acquisition regularly BSI-43
BSI-66
A.5.8
A.8.25
A.8.26
A.8.27
A.8.28
A.5.1
6.2 Secure development life cycle (SDLC)
6.2.1 30.2.5b Rules for secure development of network and information systems for all development phases BSI-43 A.5.8
A.8.25
A.8.26
A.8.27
A.8.28
6.2.2 30.2.5b Analysis of security requirements, principles for secure engineering, secure development environments, security testing, data - partial
A.5.8
A.8.33
6.2.3 30.2.5b Include security aspects and supply chain security into outsourced development BSI-44 A.5.8
A.8.29
A.8.30
6.2.4 30.2.5b Review and update processes for secure development regularly BSI-44
BSI-66
A.8.29
A.8.30
A.5.1
6.3 Configuration management
6.3.1 30.2.5c Document, implement and monitor configurations, including secure configurations partial
BSI-76
A.7.13
A.8.9
6.3.2 30.2.5c Define security configuration and processes to enforce secure configurations for new systems and during operations partial
BSI-45
BSI-25
8.1
A.8.9
A.8.19
A.8.31
A.8.32
6.3.3 30.2.5c Review and update configurations regularly and after significant incidents or changes - A.8.9
6.4 Change management, repairs and maintenance
6.4.1 30.2.5c Management procedures for changes, maintenance of network and information systems BSI-45
BSI-76
8.1
A.8.31
A.8.32
A.7.13
6.4.2 30.2.5c Application of procedures to releases, modifications and emergency changes of software, hardware and configuration BSI-46
BSI-47
BSI-48
BSI-49
BSI-50
BSI-51
8.1
A.8.9
A.8.32
A.8.33
6.4.3 30.2.5c Emergency changes documented with explanations BSI-52 A.8.32
6.4.4 30.2.5c Review and update change procedures regularly and after significant incidents or changes BSI-45
BSI-66
8.1
A.8.31
A.8.32
A.5.1
6.5 Security testing
6.5.1 30.2.5d Policy and processes for security testing BSI-95 A.8.8
A.8.34
6.5.2 30.2.5d Risk-based requirements for security testing, carried out with established methodology, with documentation of findings and mitigation activities partial
BSI-95
A.8.29
A.8.33
A.8.34
6.5.3 30.2.5d Review and update security testing policy and processes regularly - 9
A.8.8
A.8.34
6.6 Security patch management
6.6.1 30.2.5d Processes for management of security patches, with timeframes, testing, trusted sources, and exception handling BSI-25
BSI-84
BSI-96
A.8.19
A.8.8
A.5.7
A.8.32
6.6.2 30.2.5d Exceptions to security patching allowed if disadvantages outweigh benefits and reasons substantiated and documented - A.8.8
6.7 Network security
6.7.1 - Measures to protect networks and information systems against cyber threats partial
BSI-36
BSI-37
A.8.20
A.8.21
A.8.23
A.8.26
6.7.2 - Network architecture documentation, network access controls, secure configuration and remote access, secure connections, trusted channels and modern (latest) and secure technologies partial
BSI-40
BSI-36
BSI-41
partial
A.8.20
A.8.21
A.8.22
6.7.3 - Review and update security measures regularly and after significant incidents or changes BSI-16 6.1.3
8.3
A.5.31
6.8 Network segmentation
6.8.1 - Segmentation of systems into networks or zones based on risk, separated from third-party systems BSI-37
BSI-38
BSI-39
A.8.22
A.8.26
6.8.2 - Security requirements for network segmentations, including releationships, measures, access needs and control, administration and development, etc. partial
BSI-36
BSI-38
BSI-39
BSI-53
A.8.22
A.8.26
A.8.27
A.8.31
6.8.3 - Review and update network segmentation regularly and after significant incidents or changes - A.8.22
9.1
10.1
6.9 Protection against malicious and unauthorised software
6.9.1 - Protection of network and information systems against malicious and unauthorised software BSI-21 A.8.7
A.8.23
6.9.2 - Malware detection and repair software, updated regularly BSI-21 A.8.7
6.10 Vulnerability handling and disclosure
6.10.1 30.2.5d Collection and analysis of information on vulnerabilities and own exposure BSI-83 A.8.8
A.5.7
6.10.2 30.2.5d Monitor announcements of CSIRTs, authorities, perform scans, address vulnerabilities, define procedure and ensure implementation partial
BSI-83
BSI-84
BSI-97
A.8.8
A.5.5
A.5.6
A.5.7
6.10.3 30.2.5d Implement plan for handling vulnerabilities based on impact, document exceptions and reasons BSI-25
BSI-84
A.8.8
A.8.19
6.10.4 30.2.5d Review and update vulnerability information channels regularly - 9.1
10.1
A.8.8

9. Cryptography

OpenKRITIS compilation ∙ Data from June 2024 ∙ Draft content 20240710
# DE NIS2 Requirement KRITIS ISO 27001
9. 30.2.8 Cryptography
Kryptografie und Verschlüsselung
9.1.1 30.2.8 Policy and procedures for cryptography, to protect information (C/I/A) BSI-32 A.5.1
A.8.24
9.1.2 30.2.8 Policy defines cryptographic measures based on classification, crypto protocols, algorithms, ciphers, key lengths, key management, etc. BSI-32
BSI-33
BSI-34
BSI-35
A.5.14
A.5.31
A.8.20
A.8.21
A.8.24
A.8.33
9.1.3 30.2.8 Review and update cryptography policy and processes regularly, monitoring crypto state of the art BSI-32
BSI-66
A.5.1
A.8.24

11. Access control

OpenKRITIS compilation ∙ Data from June 2024 ∙ Draft content 20240710
# DE NIS2 Requirement KRITIS ISO 27001
11. 30.2.9b Access control
Konzepte für Zugriffskontrolle
11.1 Access control policy
11.1.1 30.2.9b Access control policy for logical and physical access control to network and information systems BSI-27
BSI-58
A.5.15
A.8.3
11.1.2 30.2.9b Access control policy includes staff and external (suppliers, providers) access, access by processes, granted only after authentication BSI-58
BSI-98
A.5.15
A.5.19
A.5.20
A.5.21
A.5.23
A.8.3
11.1.3 30.2.9b Review and update access control policy regularly and after significant incidents or changes BSI-58
BSI-66
A.5.1
11.2 Management of access rights
11.2.1 30.2.9b Manage access rights according to access control policy BSI-59
BSI-60
A.5.18
11.2.2 30.2.9b Access rights based on need-to-know, least privilege, separation of duties, proper authorization, including third-party access and changes, etc. BSI-58
BSI-60
BSI-61
A.5.3
A.5.18
A.8.3
11.2.3 30.2.9b Review access rights regularly and update based on organizational changes; document review BSI-62 9
A.5.18
11.3 Privileged accounts and system administration accounts
11.3.1 30.2.9b Policies for management of privileged and administrative accounts BSI-63 A.5.3
A.5.18
A.8.2
11.3.2 30.2.9b Implement strong authentication, MFA and procedures; specific accounts for administrations; individual privileges BSI-63 A.5.3
A.5.18
A.8.2
A.8.5
11.3.3 30.2.9b Review privileged accounts regularly and update based on organizational changes; document review BSI-62
BSI-63
A.5.3
A.5.18
A.8.2
11.4 Administration systems
11.4.1 30.2.9b Control the use of system administration systems partial
BSI-30
A.8.18
A.8.19
11.4.2 30.2.9b Separated and administration-specific system, specially secured partial
BSI-39
A.8.22
partial
11.5 Identification
11.5.1 30.2.9b Full life cycle management of identities of network and information systems and users partial
BSI-58
A.5.16
11.5.2 30.2.9b Unique identities for systems and users; with oversight and logging BSI-58 A.5.3
A.5.16
A.8.3
11.5.3 30.2.9b Shared identities only in special cases where necessary and with explicit approval and documentation BSI-64 A.5.16
A.5.17
A.5.18
11.6 Authentication
11.6.1 30.2.9b Secure authentication procedures and technologies based on access control and policies BSI-27 A.5.17
A.8.5
A.8.24
11.6.2 30.2.9b Strong authentication, controlled authentication process, initial changes, reset and termination BSI-27
BSI-29
A.5.17
A.8.5
A.8.24
11.6.3 30.2.9b State of the art authentication methods based on risk and classification BSI-26
BSI-27
BSI-32
A.8.5
A.8.24
11.6.4 30.2.9b Review identities regularly and deactivate if not needed BSI-62 A.5.16
11.7 Multi-factor authentication
11.7.1 30.2.10a Multi-factor or continuous authentication (SSO) to access network and information systems based on system classification BSI-27 A.5.17
A.8.5
A.8.24
11.7.2 30.2.10a Authentication strength shall be appropriate for asset classification BSI-27 A.8.5
A.8.24

up

Personnel Security

10. Human resources security

OpenKRITIS compilation ∙ Data from June 2024 ∙ Draft content 20240710
# DE NIS2 Requirement KRITIS ISO 27001
10 30.2.9a Human resources security
Personalsicherheit (HR-Security)
10.1 Human resources security
10.1.1 30.2.9a Ensure employees and third parties committed to security responsibilities in line with policies BSI-42
BSI-57
A.6.2
A.6.6
10.1.2 30.2.9a Processes to ensure employees and third parties follow cyber hygiene, follow roles and responsibilities including management bodies, etc. BSI-68 A.6.3
7.2
7.3
10.1.3 30.2.9a Review assigned roles and commitment of resources regularly and update if necessary partial
BSI-56
5.3
7.1
10.2 Background checks
10.2.1 30.2.9a Background checks for employees and third parties if required for their role, authorisations BSI-56 A.6.1
A.5.20
10.2.2 30.2.9a Criteria for background checks, only authorized persons, checks performed before assigning roles, based on laws and regulations BSI-56 A.6.1
10.2.3 30.2.9a Review and update background check policy regularly BSI-66 A.5.1
A.5.20
10.3 Termination or change of employment procedures
10.3.1 30.2.9a Responsibilities and duties valid after termination or change are communicated and understood BSI-70 A.6.5
10.3.2 30.2.9a Responsibilities (like confidentiality) are set out in contracts, access control policies ensure compliance, change process BSI-42 A.5.8
A.5.14
A.6.2
A.6.6
10.4 Disciplinary process
10.4.1 30.2.9a Disciplinary process for handling violations of network and information systems BSI-69 A.6.4
10.4.2 30.2.9a Review and update disciplinary process regularly or due to legal or operational changes BSI-69
BSI-66
A.6.4
A.5.1

8. Cyber hygiene

OpenKRITIS compilation ∙ Data from June 2024 ∙ Draft content 20240710
# DE NIS2 Requirement KRITIS ISO 27001
8. 30.2.7a
30.2.7b
Basic cyber hygiene practices and security training
Cyberhygiene und Awareness, Schulungen Informationssicherheit
8.1 Awareness raising and basic cyber hygiene practices
8.1.1 30.2.7a Awareness by employees of risks, cybersecurity importance and cyber hygiene BSI-68 7.3
A.6.3
A.7.7
8.1.2 30.2.7a Security awareness raising program for employees and management, repeated schedules, in line with policies, covering measures, practices, advice BSI-68 7.3
A.6.3
8.1.3 30.2.7a Testing and updating of awareness program regularly, taking into account changes in threat landscape, risks and cyber hygiene BSI-68 7.3
9
8.2 Security training
8.2.1 30.2.7b Training on network and information systems security for employees BSI-68 7.2
A.6.3
8.2.2 30.2.7b Training program based on policy, specific security topics and procedures, based on role and position requirements BSI-68 7.2
A.6.3
8.2.3 30.2.7b Effectiveness assessment of training and its relevance, covering secure configuration and operations, cyber threats, and behaviour BSI-68 9
8.2.4 30.2.7b Training for employees who transfer or change positions - A.6.5
8.2.5 30.2.7b Update security training program based on policies, rules, roles, threats and technologies BSI-68
BSI-66
7.2
A.6.3
A.5.1

up

13. Physical Security

The Implement Act refers to points c), e) and i) of Article 21 NIS2 for these measures, although physical security is not listed by name in Article 21 NIS2.

OpenKRITIS compilation ∙ Data from June 2024 ∙ Draft content 20240710
# DE NIS2 Requirement KRITIS ISO 27001
13 Environmental and physical security
13.1 Supporting utilities
13.1.1 - Prevent of loss, damage or compromise due to failure or disruption of supporting utitilies BSI-71
BSI-75
A.7.5
A.7.8
A.7.11
A.7.12
13.1.2 - Measures for prevention: Protection against power failures, redundancies, protection against interception, monitoring, environmental control, etc. BSI-71
BSI-75
A.7.5
A.7.8
A.7.9
A.7.11
A.7.12
A.8.14
13.1.3 - Review, test and update protection measures regularly and after incidents BSI-71
BSI-75
9
A.7.5
A.7.11
13.2 Protection against physical and environmental threats
13.2.1 - Prevent and reduce consequences of environmental and physical threats BSI-74 A.7.3
A.7.4
A.7.5
13.2.2 - Design measures for protection based on risk assessment, control thresholds and monitoring of environmental threats BSI-71
BSI-74
A.7.3
A.7.4
A.7.5
13.2.3 - Review, test and update protection measures regularly and after incidents partial
BSI-71
BSI-76
9
A.7.13
13.3 Perimeter and physical access control
13.3.1 - Prevent and monitor unauthorized physical access, damage, interference BSI-72 A.7.1
A.7.2
A.7.3
A.7.4
13.3.2 - Implement security perimeters, entry controls and access points, physical security for offices and facilities, continuous monitoring BSI-72
BSI-73
A.5.15
A.5.18
A.7.1
A.7.2
A.7.3
A.7.4
A.8.2
13.3.3 - Review, test and update physical control measures regularly and after incidents partial
BSI-76
9
A.7.2
A.7.5

up

Comments

Roadmap

This mapping is based on the June 2024 draft of the Implementing Act for public consultation. There will probably be changes in the act and also this mapping.

The Implementing Act for Internet Providers is supposed enter into force in October 2024 and will be mandatory for relevant entities in the Internet sector: DNS, TLD, cloud computing, data centers, CDNs, managed service providers and managed security services, online market places, search engines and social networks.

There might be another implementing act for other sectors, probably not too dissimilar.

Observation and gaps

The Implementing Act in its current form adds many missing details to the existing Article 21 of the NIS2 directive. It also added several new topics that were not covered before in the Article 21 list, like network security. Compared to existing security frameworks like the international ISO 27001 and German KRITIS, there are some deviations:

Some of the collected gaps and our comment in detail – sorted like the mapping above.

Ch. Requirements Comments
1 Policy on the security of network and information systems Direct CISO reporting
Management involvement
2 Risk management policy Many mandatory reviews
Management reporting
7 Effectiveness of cybersecurity Great(er) emphasis on effectiveness
12 Asset management Extensive requirements
3 Incident Management Extensive controls
Emphasis training and awareness
Regular testing and reviews
Automation
4 Business Continuity Formal BCM, BIA, crisis management required
Redundancies
5 Supply Chain Provider selection and monitoring
Directory and monitoring
6 Security in acquisition and development Specific: configurations
Specific: Patches and vulnerabilities
Specific: Network security and segmentation
Many reviews and updates
9 Cryptography
11 Access control So many controls!
Many processes and governance required
Strong authentication required
Specific: MFA and SSO
10 Human resources security Specific: Processes, changes and reviews
8 Cyber hygiene Broad reading of awareness
Much testing and effectiveness
13 Physical Security Many specific preventive measures
Many reviews and and tests

up

More information

Sources

  1. Cybersecurity risk management & reporting obligations for digital infrastructure, providers and ICT service managers, Draft act 27 June 2024, European Commission
  2. Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive), 27.12.2022