NIS2 Compliance with BullWall

Cybersecurity without borders: what Swiss companies need to know about the NIS 2 Directive

Cybersecurity under acute threat

Threats to cybersecurity are constantly increasing for companies and organizations, not least due to current geopolitical developments. Critical infrastructures, i.e. service and supply systems that are essential to the economy and the livelihoods of the population, are particularly at risk. These include areas such as power supply, medical care and telecommunications, including the associated IT systems and networks.

The European Union’s Network and Information Security (NIS) Directive focuses on the protection of critical infrastructures, with the aim of improving their resilience (resistance, adaptability and ability to regenerate) in order to prevent serious failures as far as possible or to reduce their impact.

What does NIS 2 mean and who does it affect?

In December 2022, the EU introduced the NIS 2 Directive to create a consistent cybersecurity culture in its member states. The Directive has to be transposed into national law by October 2024, meaning that affected companies will have to comply with legal requirements from that date. The European Union has committed to extending its efforts in the area of cybersecurity beyond just critical infrastructures. NIS 2 therefore extends far beyond large corporations to now include smaller companies that provide essential services and whose failures would have a significant impact on society. Companies with more than 50 employees or an annual turnover of at least EUR 10 million in particular are required to meet the security requirements.

The requirements of the NIS 2 Directive

The Directive requires companies to take comprehensive security measures to detect and defend against cyberthreats at an early stage, including:

Essentially, NIS 2 calls for an information security management system (ISMS) that encompasses modern security practices such as encryption, access control and secure communication.

Implementation of the NIS 2 Directive

From October 2024, all affected companies must adapt their security measures to meet the requirements of NIS 2 and document them regularly. Implementation will take place at national level and will vary from one member state to another. Individual countries may introduce additional rules or define certain sectors differently.

Implications for Switzerland

The pressure to be armed against cyberattacks is also growing in Switzerland. Although Switzerland is not a member of the EU, Swiss companies may also be affected by the NIS 2 Directive. In particular, those offering products or services for the EU market or participating in EU supply chains must ensure that they comply with its requirements. This also applies to subsidiaries and parent companies in the EU, as these are included in the aforementioned thresholds of 50 employees and EUR 10 million in turnover. By including the supply chain, the EU could also require Swiss suppliers to comply with NIS 2 requirements in future.

Switzerland has introduced its own cybersecurity measures with the Information Security Act (ISG), which came into force in 2024. A planned revision for 2025 could be based on NIS 2 to further strengthen the protection of critical infrastructure.

Recommendations for Swiss companies

Swiss companies operating in the EU or working with EU customers should fully prepare for the NIS 2 Directive by taking the following measures:

In addition to NIS 2, Swiss companies in the financial sector must also comply with the requirements of the EU’s DORA Regulation (Digital Operational Resilience Act), which sets out specific cybersecurity requirements for financial service providers.

BullWall and DataStore will be happy to assist you

The NIS 2 Directive places high demands on companies operating in the EU. It is crucial for Swiss companies to prepare for the new requirements at an early stage and to ensure that their cybersecurity measures comply with EU standards. Our manufacturer BullWall can support you in meeting security and compliance requirements in an efficient way.

BullWall offers comprehensive protection against ransomware and integrates seamlessly with popular security systems such as security information and event management (SIEM) and network access control (NAC) via a REST API to report and manage incidents quickly. The solution helps companies to comply with legal reporting requirements, for example through automated compliance reports according to standards such as the General Data Protection Regulation (GDPR) and the National Institute of Standards and Technology (NIST). BullWall also helps develop response plans for ransomware attacks and provides additional protection for critical infrastructure through multi-factor authentication (MFA) to meet cyber insurance requirements. The solution is easy to install, minimizes downtime and makes it easier for companies to achieve NIS 2 compliance through real-time monitoring and proactive containment. With Danish roots and extensive European expertise, BullWall offers tailor-made security solutions for the European market.