NIS2 IT Implementing Act

[Figure: Mapping picture]

The EU NIS2 directive (EU 2022/2555) defines extensive cybersecurity requirements for entities in Art. 21, transposed to national laws. EU NIS2 allows the Commission to lay down specific security requirements through Implementing Acts. This article describes the Implementing Act mandatory for Internet and IT providers and maps it to ISO 27001:2022 and KRITIS.

Implementing acts take precedence over national legislation without the need for transposition. Two implementing acts are mandatory for Internet and IT providers: incident definitions Art. 23 (11) and security measures Art. 21 (5). Both are combined in a single Commission Implementing Regulation and Annex, adopted October 2024. We have comments.

Overview

Scope

This Implementing Act for Internet Providers extends NIS2 security requirements from Art. 21 NIS2 and German §30 NIS2UmsuCG into multiple controls with more details and new topics.

Group | Ch. | Requirements | #
Management and Policies | 1 | Policy on the security of network and information systems | 8 controls
Management and Policies | 2 | Risk management policy | 11 controls
Management and Policies | 7 | Effectiveness of cybersecurity | 3 controls
Management and Policies | 12 | Asset management | 13 controls
Incident Management | 3 | Incident Management | 22 controls
Business Continuity | 4 | Business Continuity | 14 controls
Supply Chain | 5 | Supply Chain | 8 controls
IT Security and Networks | 6 | Security in acquisition and development | 31 controls
IT Security and Networks | 9 | Cryptography | 3 controls
IT Security and Networks | 11 | Access control | 21 controls
Personnel Security | 10 | Human resources security | 10 controls
Personnel Security | 8 | Cyber hygiene | 8 controls
Physical Security | 13 | Physical Security | 9 controls

Entities

This Implementing Act is mandatory for a range of providers in the Digital Infrastructure sector of NIS2 and overrides and extends the national NIS2 security requirements for them.


Security mapping

Overview

This mapping to individual ISO 27001:2022 and German KRITIS controls is meant as guidance only and does not imply complete coverage. Numbering (#) follows the final Implementing Act; the NIS2 reference (DE NIS2) follows the German NIS2 implementation law (§30 NIS2UmsuCG). All listed ISO 27001:2022 controls take the detail of ISO 27002 into account, but might still not cover everything.

Changes between the draft Implementing Act from June 2024 and its final adoption in October 2024, in either numbering or wording of requirements, are marked in the original mapping: added details are highlighted and removed details are crossed out. In this text version that markup is not preserved, so a row that carries two numbers reflects renumbering between draft and final, and where two alternative wordings appear side by side, one is the draft's and the other the final's.

Management and Policies

1. Policy on the security of network and information systems

OpenKRITIS compilation ∙ Draft content 20241111
# | DE NIS2 | Requirement | KRITIS | ISO 27001
1 | 30.2.1b | Policy on the security of network and information systems (DE: Konzepte für IT-Sicherheit (ISMS), IT security concepts) | |
1.1 | | Policy on the security of network and information systems | |
1.1.1 | 30.2.1b | Policy on the security of network and information systems, including approach to security, strategy and objectives, risk tolerance, commitments, topic-specific policies, formal approval by management bodies | BSI-1, BSI-2 | 4.1-10.2, A.5.1, A.5.2, A.5.4
1.1.2 | 30.2.1b | Review and update (by management bodies) network and information system and further policies regularly, at least annually, and after significant incidents and changes | BSI-2 | 6.2, 9.3, A.5.1, A.5.2, A.5.4, A.5.36
1.2 | | Roles, responsibilities and authorities | |
1.2.1 | 30.2.1b | Define roles, responsibilities and authorities for network and information system security and communicate them | BSI-3 | 5.3, A.5.3, A.5.4
1.2.2 | 30.2.1b | Require staff and third parties to implement security policies | BSI-3, BSI-98 | 5.3, A.5.3, A.5.4, A.5.19, A.5.20, A.5.21, A.5.23
1.2.3 | 30.2.1b | Direct report (CISO) to management bodies on network and information system security | - | -
1.2.4 | 30.2.1b | Dedicated roles for network and information system security | BSI-3 | 5.3, A.5.3, A.5.4
1.2.5 | 30.2.1b | Segregation of conflicting duties and responsibilities | BSI-4 | A.5.3
1.2.6 | 30.2.1b | Review and update (by management bodies) roles, responsibilities and authorities regularly and after significant incidents and changes | - | 5.3, 9.3

2. Risk management policy

OpenKRITIS compilation ∙ Draft content 20241111
# | DE NIS2 | Requirement | KRITIS | ISO 27001
2 | 30.2.1a | Risk management policy (DE: Konzepte zur Risiko-Analyse (IT-RM), risk analysis concepts) | |
2.1 | | Risk management framework | |
2.1.1 | 30.2.1a | Appropriate risk management framework for security of network and information systems, with assessments, treatment plans, and acceptance by management or persons who are accountable and have the authority to manage risks (risk owners), plus reporting | BSI-13 | 6.1, 8.2, 8.3, A.5.7
2.1.2 | 30.2.1a, 30.2.0 | Cybersecurity risk management process as integral part of overall risk management, with methods, tools, criteria, all-hazards approach, risk owners, responsibilities, awareness, documentation | BSI-14, BSI-16 | 6.1, 8.2, 8.3, A.5.31
2.1.3 | 30.2.1a | Identify and prioritise appropriate risk treatment options and measures, taking into account risk assessment results, effectiveness of measures, cost of implementation in relation to benefit, asset classification, BIA | BSI-14 | 6.1, 8.2, 8.3, A.5.29, A.5.30
2.1.4 / 2.1.3 | 30.2.1a | Review and update risk assessment results and treatment plans regularly, at least annually, and when significant incidents and changes occur | BSI-14 | 6.1, 8.2, 8.3, 10.1
2.2 | | Compliance monitoring | |
2.2.1 | 30.2.1a | Regular review of compliance with policies, inform management bodies | BSI-85 | A.5.31, A.5.36
2.2.2 | 30.2.1a | Compliance reporting system to effectively inform management bodies on risks | BSI-85, BSI-86 | 9.2, 9.3, A.5.31, A.5.36
2.2.3 | 30.2.1a | Compliance reviews at regular intervals or after significant incidents and changes | BSI-86 | 9.2, A.5.36, A.8.34
2.3 | | Independent review of information and network security | |
2.3.1 | 30.2.1a | Independent reviews of network and information system security management and implementation | BSI-86, BSI-87, BSI-88 | 9.2, 10.1, A.5.35, A.5.36, A.8.34
2.3.2 | 30.2.1a | Processes for independent reviews by people with audit competence and independence, separation of line of authority or alternative measures for guaranteed impartiality of reviews | BSI-89 | A.5.36, A.8.34
2.3.3 | 30.2.1a | Reporting to management bodies of compliance monitoring and corrective actions | BSI-85 | A.5.31, A.5.36
2.3.4 | 30.2.1a | Independent reviews at regular intervals or after significant incidents and changes | BSI-86 | 9.2, A.5.35, A.5.36, A.8.34

7. Effectiveness of cybersecurity

OpenKRITIS compilation ∙ Draft content 20241111
# | DE NIS2 | Requirement | KRITIS | ISO 27001
7 | 30.2.6 | Policies and procedures to assess the effectiveness of cybersecurity risk-management measures (DE: Bewertung der Wirksamkeit von Maßnahmen, assessment of the effectiveness of measures) | |
7.1 / 7.1.1 | 30.2.6 | Implement policy and processes to assess the effectiveness of implementation and maintenance of cybersecurity risk-management measures (draft wording: effectiveness of policies) | BSI-1, BSI-86 | 9.1, 9.2, A.5.36, A.8.34
7.2 / 7.1.2 | 30.2.6 | Process, security assessments and security testing of cybersecurity measures with methods, definitions and responsibilities | BSI-86 | 9.2, A.5.36, A.8.34
7.3 / 7.1.3 | 30.2.6 | Review and update assessment policies and processes regularly or after significant incidents and changes | partial, BSI-85 | 9.3, A.5.1, A.5.31, A.5.36

12. Asset management

OpenKRITIS compilation ∙ Draft content 20241111
# | DE NIS2 | Requirement | KRITIS | ISO 27001
12 | 30.2.9c | Asset Management (DE: Management von Anlagen, asset management) | |
12.1 | | Asset classification | |
12.1.1 | 30.2.9c | Classification and protection levels for assets, including information | BSI-7 | A.5.12
12.1.2 | 30.2.9c | Classification system applied to assets (using C/I/A/A) to indicate protection requirements and objectives | BSI-9, BSI-10 | A.5.10, A.5.12, A.5.13
12.1.3 | 30.2.9c | Review and update classification levels of assets regularly | BSI-10 | A.5.10, A.5.12
12.2 | | Handling of information and assets | |
12.2.1 | 30.2.9c | Policy for handling of assets in accordance with security policy | BSI-7, BSI-10 | A.5.10, A.7.10, A.5.13
12.2.2 | 30.2.9c | Policy covers asset life cycle, safe use and storage, off-premise and transfer requirements | BSI-7, BSI-12 | A.5.10, A.6.7, A.7.9, A.7.10, A.7.14, A.8.10
12.2.3 | 30.2.9c | Review and update asset handling policy regularly or after significant incidents and changes | BSI-7, BSI-66 | A.5.10, A.5.1
12.3 | | Removable media policy | |
12.3.1 | 30.2.9c | Removable media policy for management of removable storage media at premises and locations | BSI-11 | A.7.10, A.7.14, A.8.10
12.3.2 | 30.2.9c | Policy covers protective measures for connections, execution, control and encryption of media | BSI-11, BSI-34 | A.7.10, A.7.14, A.8.10, A.5.33, A.5.34, A.8.24
12.3.3 | 30.2.9c | Review and update removable media policy regularly or after significant incidents and changes | BSI-11 | A.7.10, A.7.14, A.8.10
12.4 | | Asset inventory | |
12.4.1 | 30.2.9c | Complete and accurate inventory of assets with recorded changes | BSI-5 | A.5.9
12.4.2 | 30.2.9c | Inventory with appropriate granularity, including a list of operations and services and a list of assets (NIS) that support those operations and services | BSI-5 | A.5.9
12.4.3 | 30.2.9c | Review and update inventory of assets regularly and document history | BSI-5 | A.5.9
12.5 | 30.2.9c | Deposit, return or deletion of assets upon termination of employment, with appropriate processes | BSI-8 | A.5.11, A.7.10, A.8.10


3. Incident Management

OpenKRITIS compilation ∙ Draft content 20241111
# | DE NIS2 | Requirement | KRITIS | ISO 27001
3 | 30.2.2 | Incident Management (DE: Bewältigung von Sicherheitsvorfällen, handling of security incidents) | |
3.1 | | Incident handling policy | |
3.1.1 / 3.1.2 | 30.2.2 | Incident handling policy with roles and processes for detecting, analysing and responding to incidents, in coherence with the business continuity and disaster recovery plan (4.1) | BSI-77 | A.5.24, A.6.8
3.1.3 | 30.2.2 | Review and update of the roles and processes of the incident handling policy | BSI-77, BSI-66 | A.5.24, A.6.8, A.5.1
3.2 | | Monitoring and logging | |
3.2.1 | 30.2.2 | Procedures and tools for monitoring activities and detecting events | BSI-80, SzA, BSI-90, BSI-91 | A.5.28, A.6.8, A.8.15, A.8.16
3.2.2 | 30.2.2 | Automated and continuous monitoring, if feasible | BSI-80, SzA, BSI-93 | A.5.28, A.6.8, A.8.15, A.8.16
3.2.3 | 30.2.2 | List of assets subject to logging, based on results of risk assessment. Maintenance, documentation and review of logs, including network traffic and access to facilities, where appropriate | BSI-92 | A.8.15, A.8.16
3.2.4 | 30.2.2 | Regular review of logs based on thresholds and possible automated alarms with adequate response | BSI-80, BSI-90 | A.5.28, A.6.8, A.8.15, A.8.16
3.2.5 | 30.2.2 | Central storage, maintenance and backup of logs, protection from unauthorised access or change | BSI-92, BSI-93, BSI-94 | A.8.9, A.8.13, A.8.15
3.2.6 | 30.2.2 | Synchronised time sources on systems and list of logging assets, if feasible | partial, BSI-91, BSI-93 | A.8.17, A.8.9, A.8.15
3.2.7 | 30.2.2 | Regular review of logging procedures and list of assets | partial, BSI-91 | partial, A.8.15, A.5.37
3.3 | | Event reporting | |
3.3.1 | 30.2.2 | Alert reporting mechanism for employees, suppliers and customers | partial, BSI-79, BSI-81 | A.5.2, A.5.24, A.5.25, A.5.26, A.6.8
3.3.2 | 30.2.2 | Communication and training of the alerting mechanism, where appropriate | partial, BSI-81 | partial, A.5.24, A.6.8, A.5.19
3.4 | | Event assessment and classification | |
3.4.1 / 3.4.2 | 30.2.2 | Assessment of events to determine nature and severity of incidents | BSI-80 | A.5.25, A.5.28, A.6.8, A.8.15
3.5 | | Incident Response | |
3.5.1 / 3.5.2 | 30.2.2 | Procedures for incident response | BSI-77, BSI-78 | A.5.24, A.5.25, A.5.26, A.5.28, A.6.8
3.5.3 | 30.2.2 | Communication plans with CSIRT and stakeholders | BSI-77 | A.5.24, A.6.8
3.5.4 / 3.5.5 | 30.2.2 | Logging and testing of incident response activities, in accordance with procedures | unsure | A.5.24, A.5.26, A.5.28, A.5.30
3.6 | | Post-incident reviews | |
3.6.1 / 3.6.2 | 30.2.2 | Where appropriate, post-incident reviews after recovery from incidents, to identify root causes where possible and provide documented lessons learned to improve network and IT security and reduce risks | BSI-82 | A.5.26, A.5.27
3.6.3 | 30.2.2 | Regular reviews of whether post-incident reviews have been performed after significant incidents | - | A.5.26, A.5.27


4. Business Continuity

OpenKRITIS compilation ∙ Draft content 20241111
# | DE NIS2 | Requirement | KRITIS | ISO 27001
4 | 30.2.3a, 30.2.3b, 30.2.3c, 30.2.3d | Business Continuity and Crisis Management (DE: Aufrechterhaltung Betrieb, Backup-Management, Wiederherstellung, Krisenmanagement; maintaining operations, backup management, recovery, crisis management) | |
4.1 | | Business continuity and disaster recovery plans | |
4.1.1 / 4.1.2 | 30.2.3a | Business continuity and disaster recovery plan, based on risk assessments, to be used for recovery | BSI-17, BSI-18 | partial, A.5.29, A.5.30, A.5.31, A.7.5
4.1.3 | 30.2.3a | Business impact analysis (BIA) to assess disruptive impact and establish resulting continuity requirements | BSI-15 | partial, A.5.29, A.5.30
4.1.4 | 30.2.3c | Test and review of business continuity and disaster recovery, with updates and lessons learned | BSI-19 | partial, A.5.30, A.7.5
4.2 | | Backup and redundancy management | |
4.2.1 | 30.2.3b | Backups of data/information, with sufficient resources, facilities and staff | partial, BSI-22 | A.8.13, A.8.14
4.2.2 | 30.2.3b | Backup plans based on risk assessment and business continuity plans, with time objectives (RTO/RPO), locations, access controls, etc. | BSI-22 | A.8.13, A.8.14
4.2.3 | 30.2.3b | Regular integrity checks of backups | partial, BSI-23 | A.8.13, A.8.16
4.2.4 | 30.2.3b | Based on results of risk assessment (2.1), at least partial redundancy for NIS, assets and facilities, personnel, communications | - | A.8.14
4.2.5 | 30.2.3b | Monitoring and adjustment of resources informed by backup and redundancy requirements, where appropriate | partial, BSI-20 | partial, A.8.6
4.2.6 | 30.2.3b | Regular testing of backups and redundancies, with documentation and corrective actions | BSI-24 | A.8.13
4.3 | | Crisis management | |
4.3.1 / 4.3.2 | 30.2.3d | Processes for crisis management with roles, responsibilities, communications, and supporting assets / appropriate measures | - | - (A.5.26)
4.3.3 | 30.2.3d | Process for receiving and using information from CSIRTs and authorities concerning incidents, threats, vulnerabilities and possible mitigation measures | BSI-97 | A.5.5, A.5.6, A.8.8
4.3.4 | 30.2.3d | Regular test and review of crisis management plan | - | -


5. Supply Chain

OpenKRITIS compilation ∙ Draft content 20241111
# | DE NIS2 | Requirement | KRITIS | ISO 27001
5 | 30.2.4a, 30.2.4b | Supply Chain Security (DE: Sicherheit der Lieferkette, Sicherheitsaspekte zu Anbietern und Dienstleistern; supply chain security, security aspects of suppliers and service providers) | |
5.1 | | Supply chain security policy | |
5.1.1 | 30.2.4a | Supply chain security policy to govern suppliers and service providers and mitigate risks to NIS | partial, BSI-98 | A.5.19, A.5.21
5.1.2 | 30.2.4a | Establish criteria to select and contract suppliers, based on suppliers' cybersecurity practices, capabilities, resilience and vendor lock-in, where applicable | - | A.5.19
5.1.3 | 30.2.4a | Take into account coordinated security risk assessments of critical supply chains (NIS2) | - | -
5.1.4 | 30.2.4a | Contractual requirements and SLAs with providers, including cybersecurity requirements, staff, incidents, audits, etc. | BSI-98 | A.5.19, A.5.20, A.5.21, A.5.22, A.5.23
5.1.5 | 30.2.4a | Selection of new providers based on criteria (5.1.2) and risk assessments (5.1.3) | - | partial, A.5.19
5.1.6 | 30.2.4a | Review supply chain policy and monitor and evaluate suppliers and compliance | BSI-66, BSI-99 | A.5.1, A.5.22
5.1.7 | 30.2.4a | For provider selection and compliance evaluation of suppliers, monitor SLA reports, review incidents, plan and assess audits, and analyse change risks | - | A.5.22
5.2 | 30.2.4b | Directory of suppliers and service providers with contact points and list of ICT products, services, etc. | - | A.5.19, A.5.20, A.5.21


IT Security and Networks

6. Security in acquisition and development

Note that this chapter also covers network security (6.7 and 6.8) and malware protection (6.9), which are missing from Article 21 NIS2 but are added by the Implementing Act as part of security in acquisition.

OpenKRITIS compilation ∙ Draft content 20241121
# | DE NIS2 | Requirement | KRITIS | ISO 27001
6 | 30.2.5a, 30.2.5b, 30.2.5c, 30.2.5d | Security in Network and Information Systems Acquisition, Development and Maintenance (DE: Sicherheitsmaßnahmen bei Erwerb, Entwicklung und Wartung von IT Systemen, Komponenten und Prozessen; security measures in acquisition, development and maintenance of IT systems, components and processes) | |
6.1 | | Security in acquisition of ICT services or ICT products | |
6.1.1 | 30.2.5a | Processes to manage risks in the acquisition of ICT services and products that are critical | BSI-43 | A.5.21, A.5.23
6.1.2 | 30.2.5a | Security requirements, updates, information on cybersecurity functions, compliance and validation | BSI-43 | A.5.21, A.5.22, A.5.23
6.1.3 | 30.2.5a | Review and update processes for acquisition regularly | BSI-43, BSI-66 | A.5.21, A.5.23
6.2 | | Secure development life cycle (SDLC) | |
6.2.1 | 30.2.5b | Rules for secure development of network and information systems (incl. software) for all development phases, both in-house and outsourced | BSI-43 | A.5.8, A.8.25, A.8.26, A.8.27, A.8.28, A.8.31
6.2.2 | 30.2.5b | Analysis of security requirements, principles for secure engineering, secure development environments, security testing, data | - | A.5.8, A.8.27, A.8.33
6.2.3 | 30.2.5b | Include security aspects and supply chain security into outsourced development | BSI-44 | A.5.8, A.8.29, A.8.30
6.2.4 | 30.2.5b | Review and update rules/processes for secure development regularly | BSI-44, BSI-66 | A.8.27, A.8.29, A.8.30, A.5.1
6.3 | | Configuration management | |
6.3.1 | 30.2.5c | Appropriate measures to establish, document, implement and monitor configurations, including secure configurations | partial, BSI-76 | A.7.13, A.8.9
6.3.2 | 30.2.5c | Lay down and implement/ensure security in configuration, as well as processes to enforce secure configurations for new systems and during operations | partial, BSI-45, BSI-25 | A.8.9, A.8.19, A.8.31, A.8.32
6.3.3 | 30.2.5c | Review and update configurations regularly and after significant incidents or changes | - | A.8.9
6.4 | | Change management, repairs and maintenance | |
6.4.1 | 30.2.5c | Change management procedures for changes and maintenance, to control changes of network and information systems | BSI-45, BSI-76 | 6.3, 8.1, A.8.31, A.8.32, A.7.13
6.4.2 | 30.2.5c | Application of procedures to releases, modifications and emergency changes of software, hardware and configuration. Ensure that changes are documented and, based on risk assessment, tested and assessed in view of potential impact before being implemented | BSI-46, BSI-47, BSI-48, BSI-49, BSI-50, BSI-51 | A.8.9, A.8.32, A.8.33
6.4.3 | 30.2.5c | Emergency changes documented with explanations | BSI-52 | A.8.32
6.4.4 | 30.2.5c | Review and update change procedures regularly and after significant incidents or changes | BSI-45, BSI-66 | A.8.32, A.5.1
6.5 | | Security testing | |
6.5.1 | 30.2.5d | Policy and processes for security testing | BSI-95 | A.8.8, A.8.29, A.8.31, A.8.33, A.8.34
6.5.2 | 30.2.5d | Risk-based requirements for security testing, carried out with an established methodology, with documentation of findings and mitigation activities | partial, BSI-95 | A.8.29, A.8.33, A.8.34
6.5.3 | 30.2.5d | Review and update security testing policy and processes regularly | - | A.8.8, A.5.1
6.6 | | Security patch management | |
6.6.1 | 30.2.5d | Processes for management of security patches, with timeframes, testing, trusted sources, and exception handling. Coherent with change management procedures (6.4.1), vulnerability management, risk management and other relevant procedures | BSI-25, BSI-84, BSI-96 | A.8.19, A.8.8, A.5.7, A.8.31, A.8.32
6.6.2 | 30.2.5d | Exceptions to security patching allowed if disadvantages outweigh benefits and reasons are substantiated and documented | - | A.8.8
6.7 | | Network security | |
6.7.1 | - | Measures to protect networks and information systems against cyber threats | partial, BSI-36, BSI-37 | A.8.20, A.8.21, A.8.23, A.8.26
6.7.2 | - | Network architecture documentation, network access and communication control, secure configuration and remote access, secure connections, trusted channels and modern (latest) and secure technologies | partial, BSI-40, BSI-36, BSI-41 | partial, A.6.7, A.8.20, A.8.21, A.8.22
6.7.3 | - | Review and update security measures regularly and after significant incidents or changes | BSI-16 | 6.1.3, 8.3, 9.2, A.5.31
6.8 | | Network segmentation | |
6.8.1 | - | Segmentation of systems into networks or zones based on risk, separated from third-party systems | BSI-37, BSI-38, BSI-39 | A.8.22, A.8.26
6.8.2 | - | Security requirements for network segmentation, including relationships, measures, access needs and control, administration and development, etc. | partial, BSI-36, BSI-38, BSI-39, BSI-53 | A.8.22, A.8.26, A.8.27, A.8.31, A.5.18
6.8.3 | - | Review and update network segmentation regularly and after significant incidents or changes | - | A.8.22, 8.3, 9.2
6.9 | | Protection against malicious and unauthorised software | |
6.9.1 | - | Protection of network and information systems against malicious and unauthorised software | BSI-21 | A.8.7, A.8.23
6.9.2 | - | Implementation of measures that detect or prevent use of malicious or unauthorised software. Where appropriate, use of malware detection and repair/response software, updated regularly | BSI-21 | A.8.7
6.10 | | Vulnerability handling and disclosure | |
6.10.1 | 30.2.5d | Collection and analysis of information on vulnerabilities and own exposure | BSI-83 | A.8.8, A.5.7
6.10.2 | 30.2.5d | Monitor announcements of CSIRTs and authorities, perform scans, address vulnerabilities, define procedure and ensure implementation | partial, BSI-83, BSI-84, BSI-97 | A.8.8, A.5.5, A.5.6, A.5.7
6.10.3 | 30.2.5d | Implement plan for handling vulnerabilities based on impact, document exceptions and reasons | BSI-25, BSI-84 | A.8.8, A.8.19
6.10.4 | 30.2.5d | Review and update vulnerability information channels regularly | - | 9.1, A.8.8

9. Cryptography

OpenKRITIS compilation ∙ Draft content 20241111
# | DE NIS2 | Requirement | KRITIS | ISO 27001
9 | 30.2.8 | Cryptography (DE: Kryptografie und Verschlüsselung, cryptography and encryption) | |
9.1 / 9.1.1 | 30.2.8 | Policy and procedures for cryptography, to protect information/data (C/I/A) | BSI-32 | A.5.1, A.5.31, A.8.24
9.2 / 9.1.2 | 30.2.8 | Policy defines cryptographic measures based on classification, crypto protocols, algorithms, ciphers, key lengths, key management, etc. | BSI-32, BSI-33, BSI-34, BSI-35 | A.5.14, A.8.24
9.3 / 9.1.3 | 30.2.8 | Review and update cryptography policy and processes regularly, monitoring the cryptographic state of the art | BSI-32, BSI-66 | A.5.1, A.5.31, A.8.24

11. Access control

OpenKRITIS compilation ∙ Draft content 20241111
# | DE NIS2 | Requirement | KRITIS | ISO 27001
11 | 30.2.9b | Access control (DE: Konzepte für Zugriffskontrolle, access control concepts) | |
11.1 | | Access control policy | |
11.1.1 | 30.2.9b | Access control policy for logical and physical access control to network and information systems | BSI-27, BSI-58 | A.5.15, A.8.3, A.7.2
11.1.2 | 30.2.9b | Access control policy includes staff and external (suppliers, providers) access, and access by processes of network and information systems, granted only after authentication | BSI-58, BSI-98 | A.5.15, A.5.19, A.5.20, A.5.21, A.5.23, A.8.3
11.1.3 | 30.2.9b | Review and update access control policy regularly and after significant incidents or changes | BSI-58, BSI-66 | A.5.1, A.5.15
11.2 | | Management of access rights | |
11.2.1 | 30.2.9b | Manage access rights according to access control policy | BSI-59, BSI-60 | A.5.18
11.2.2 | 30.2.9b | Access rights based on need-to-know, least privilege, separation of duties, proper authorisation, including third-party access and changes, etc. | BSI-58, BSI-60, BSI-61 | A.5.3, A.5.18, A.8.3
11.2.3 | 30.2.9b | Review access rights regularly and update based on organisational changes; document review | BSI-62 | A.5.18
11.3 | | Privileged accounts and system administration accounts | |
11.3.1 | 30.2.9b | Policies for management of privileged and administrative accounts as part of access control policy (11.1) | BSI-63 | A.5.3, A.5.18, A.8.2, A.8.18
11.3.2 | 30.2.9b | Implement strong authentication, MFA and procedures; specific accounts for administration; individual privileges | BSI-63 | A.5.3, A.5.18, A.8.2, A.8.5
11.3.3 | 30.2.9b | Review privileged accounts regularly and update based on organisational changes; document review | BSI-62, BSI-63 | A.5.18, A.8.2
11.4 | | Administration systems | |
11.4.1 | 30.2.9b | Control the use of system administration systems | partial, BSI-30 | A.8.18, A.8.19
11.4.2 | 30.2.9b | Separated and administration-specific system, specially secured | partial, BSI-39 | A.8.22, partial
11.5 | | Identification | |
11.5.1 | 30.2.9b | Full life cycle management of identities of network and information systems and users | partial, BSI-58 | A.5.16
11.5.2 | 30.2.9b | Unique identities for systems and users, with oversight and logging | BSI-58 | A.5.3, A.5.16, A.8.3
11.5.3 | 30.2.9b | Shared identities only in special cases where necessary and with explicit approval and documentation; address shared identities in cybersecurity risk management framework (2.1) | BSI-64 | A.5.16, A.5.17, A.5.18
11.5.4 (formerly 11.6.4) | 30.2.9b | Review identities and their users regularly and deactivate if not needed | BSI-62 | A.5.16
11.6 | | Authentication | |
11.6.1 | 30.2.9b | Secure authentication procedures and technologies based on access control and policies | BSI-27 | A.5.17, A.8.5, A.8.24
11.6.2 | 30.2.9b | Strong authentication, controlled authentication process, changes of credentials initially, at intervals and upon suspicion of compromise, reset of credentials and termination of sessions | BSI-27, BSI-29 | A.5.17, A.8.5, A.8.24
11.6.3 | 30.2.9b | State of the art authentication methods based on risk and classification, if feasible | BSI-26, BSI-27, BSI-32 | A.8.5, A.8.24
11.6.4 | 30.2.9b | Review authentication procedures and technologies regularly (draft wording, now 11.5.4: review identities regularly and deactivate if not needed) | BSI-27 | A.8.5
11.7 | | Multi-factor authentication | |
11.7.1 | 30.2.10a | Multi-factor or continuous authentication (SSO) to access network and information systems, based on system classification | BSI-27 | A.5.17, A.8.5, A.8.24
11.7.2 | 30.2.10a | Authentication strength shall be appropriate for asset classification | BSI-27 | A.8.5, A.8.24


Personnel Security

10. Human resources security

OpenKRITIS compilation ∙ Draft content 20241111
# | DE NIS2 | Requirement | KRITIS | ISO 27001
10 | 30.2.9a | Human resources security (DE: Personalsicherheit (HR-Security), personnel security) | |
10.1 | | Human resources security | |
10.1.1 | 30.2.9a | Ensure employees and third parties are committed to security responsibilities in line with policies | BSI-42, BSI-57 | A.6.2, A.6.6
10.1.2 | 30.2.9a | Mechanisms to ensure employees, incl. management bodies, and third parties follow cyber hygiene and their roles and responsibilities; hiring of personnel qualified for the respective roles, etc. | BSI-68 | A.6.3, 7.2, 7.3
10.1.3 | 30.2.9a | Review assigned roles and commitment of human resources regularly and update if necessary | partial, BSI-56 | 5.3, 7.1
10.2 | | Verification of background checks | |
10.2.1 | 30.2.9a | Verification of background checks for employees and third parties if required for their roles and authorisations, if feasible and necessary for the roles | BSI-56 | A.6.1, A.5.20
10.2.2 | 30.2.9a | Criteria for background checks; only authorised persons; checks performed before persons start exercising roles, based on laws and regulations | BSI-56 | A.6.1
10.2.3 | 30.2.9a | Review and update background check policy regularly | BSI-66 | A.5.1, A.5.20
10.3 | | Termination or change of employment procedures | |
10.3.1 | 30.2.9a | Responsibilities and duties valid after termination or change are communicated and understood / contractually defined and enforced | BSI-70 | A.6.5
10.3.2 | 30.2.9a | Responsibilities (like confidentiality) are set out in contracts, access control policies ensure compliance, change process | BSI-42 | A.5.8, A.6.2, A.6.6
10.4 | | Disciplinary process | |
10.4.1 | 30.2.9a | Disciplinary process for handling violations of network and information systems security | BSI-69 | A.6.4
10.4.2 | 30.2.9a | Review and update disciplinary process regularly or due to legal or operational changes | BSI-69, BSI-66 | A.6.4, A.5.1

8. Cyber hygiene

OpenKRITIS compilation ∙ Draft content 20241111
# | DE NIS2 | Requirement | KRITIS | ISO 27001
8 | 30.2.7a, 30.2.7b | Basic cyber hygiene practices and security training (DE: Cyberhygiene und Awareness, Schulungen Informationssicherheit; cyber hygiene and awareness, information security training) | |
8.1 | | Awareness raising and basic cyber hygiene practices | |
8.1.1 | 30.2.7a | Awareness of employees, incl. management, direct suppliers and service providers, for risks, the importance of cybersecurity and cyber hygiene practices | BSI-68 | 7.3, A.6.3, A.7.7, A.8.7
8.1.2 | 30.2.7a | Security awareness raising programme for employees, incl. management, direct suppliers and service providers, with repeated schedules, in line with policies, covering relevant cyber threats, measures, practices, advice | BSI-68 | 7.3, A.6.3
8.1.3 | 30.2.7a | Where appropriate, testing and updating of awareness programme regularly, taking into account changes in threat landscape, risks and cyber hygiene | BSI-68 | 7.3, 9
8.2 | | Security training | |
8.2.1 | 30.2.7b | Identification of employees whose roles require specific security skills and expertise, and regular training on network and information systems security for such employees | BSI-68 | 7.2, A.6.3
8.2.2 | 30.2.7b | Training programme based on policy, specific security topics and procedures, based on role and position requirements | BSI-68 | 7.2, A.6.3
8.2.3 | 30.2.7b | Effectiveness assessment of training and its relevance, covering secure configuration and operations, cyber threats, and behaviour | BSI-68 | 9, A.6.3
8.2.4 | 30.2.7b | Training for employees who transfer or change positions | - | A.6.5
8.2.5 | 30.2.7b | Update security training programme based on policies, rules, roles, threats and technologies | BSI-68, BSI-66 | 7.2, A.6.3, A.5.1


13. Physical Security

The Implementing Act refers to points c), e) and i) of Article 21 NIS2 for these measures, although physical security is not listed by name in Article 21 NIS2.

OpenKRITIS compilation ∙ Draft content 20241111
# | DE NIS2 | Requirement | KRITIS | ISO 27001
13 | - | Environmental and physical security | |
13.1 | | Supporting utilities | |
13.1.1 | - | Prevention of loss, damage or compromise due to failure or disruption of supporting utilities | BSI-71, BSI-75 | A.7.5, A.7.8, A.7.11, A.7.12
13.1.2 | - | Measures for prevention, where appropriate: protection against power failures, redundancies, protection against interception, monitoring, environmental control, etc. | BSI-71, BSI-75 | A.7.5, A.7.8, A.7.9, A.7.11, A.7.12, A.8.14
13.1.3 | - | Review, test and update protection measures regularly and after incidents | BSI-71, BSI-75 | 9, A.7.5, A.7.11
13.2 | | Protection against physical and environmental threats | |
13.2.1 | - | Prevent and reduce consequences of environmental and physical threats, based on results of risk assessment (2.1) | BSI-74 | A.7.3, A.7.4, A.7.5
13.2.2 | - | Design measures for protection based on risk assessment, control thresholds and monitoring of environmental threats, where appropriate | BSI-71, BSI-74 | A.7.3, A.7.4, A.7.5
13.2.3 | - | Review, test and update protection measures regularly and after incidents | partial, BSI-71, BSI-76 | 8.3, 9.2, A.7.13
13.3 | | Perimeter and physical access control | |
13.3.1 | - | Prevent and monitor unauthorised physical access, damage, interference | BSI-72 | A.7.1, A.7.2, A.7.3, A.7.4
13.3.2 | - | Implement security perimeters, entry controls and access points, physical security for offices and facilities, continuous monitoring | BSI-72, BSI-73 | A.5.15, A.5.18, A.7.1, A.7.2, A.7.3, A.7.4
13.3.3 | - | Review, test and update physical control measures regularly and after incidents | partial, BSI-76 | 8.3, 9.2, A.7.2, A.7.5


Comments

Our observations

The Implementing Act adds many missing details to the existing Article 21 of the NIS2 directive. It also adds several new topics that the Article 21 list did not cover before, such as network security. Compared to existing security frameworks like the international ISO 27001 and German KRITIS, there are some deviations.

Some of the collected gaps and our comments in detail, sorted like the mapping above:

Ch. | Requirements | Comments
1 | Policy on the security of network and information systems | Direct CISO reporting; management involvement
2 | Risk management policy | Many mandatory reviews; management reporting
7 | Effectiveness of cybersecurity | Great(er) emphasis on effectiveness
12 | Asset management | Extensive requirements
3 | Incident Management | Extensive controls; emphasis on training and awareness; regular testing and reviews; automation
4 | Business Continuity | Formal BCM, BIA and crisis management required; redundancies
5 | Supply Chain | Provider selection and monitoring; directory and monitoring
6 | Security in acquisition and development | Specific: configurations; specific: patches and vulnerabilities; specific: network security and segmentation; many reviews and updates
9 | Cryptography |
11 | Access control | So many controls! Many processes and governance required; strong authentication required; specific: MFA and SSO
10 | Human resources security | Specific: processes, changes and reviews
8 | Cyber hygiene | Broad reading of awareness; much testing and effectiveness
13 | Physical Security | Many specific preventive measures; many reviews and tests


Changes Implementing Act

Major changes between the draft version of June 2024 and the adopted version are:


More information

Sources

  1. Cybersecurity risk management & reporting obligations for digital infrastructure, providers and ICT service managers, Implementing Act 17 October 2024, European Commission
  2. Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive), 27.12.2022