Vlog #9 Optimizing IT security: New guidelines and deadlines

OSI Insights in our video-blog

To improve IT security, the legislature regularly reviews existing guidelines, draws up new regulations and updates implementation deadlines. How can you find your way safely through the regulatory jungle?

In particular, operators of critical infrastructures must ensure that they implement “state-of-the-art” technical and organizational security measures at all times, and they are required to provide proof of this every two years. ISO 27001 and ISO 27002 are two important certifications in this field. EU legislation has been equally responsive, and new regulations have been issued: the new European NIS 2 Directive on reinforcing network and information security has been approved, and special regulations for the financial sector have come into effect with DORA.

A discussion between: Slavko Mucic from Sales and Matthias Reidans, who works in the field of Project Consulting Services at Rosenberger OSI.

Focus on: KritisV, ISO 27001/27002, NIS-2 and the Digital Operational Resilience Act

Are you currently working hard to comply with the BSI’s regulations relating to the protection of critical infrastructures and do you have questions on deadlines and updates? I have invited my colleague Matthias Reidans to discuss exactly this topic. Can you enlighten us a little as to what the most recent developments are all about?

Matthias: I hope we’ll manage to do that. Because the jungle is growing ever thicker. The legislatures are becoming increasingly active. There are new deadlines, new material, new controls. And there is also a new umbrella law which was published in draft form in December 2022. And we can expect more to happen in the future. This also means that the KRITIS regulation will become more differentiated and will be influenced by other regulations. There is also the Cyber Resilience Act for example, the Cyber Security Act. There are then other EU-level directives which are implemented and applied in the specific national context. All of these regulations are relevant for operators, as, too, are the new deadlines.

What exactly are the new deadlines? What are the changes?

Matthias: One crucial point, I think, is that nothing has changed about the KRITIS requirement that operators have to prove that they comply with the state of the art every two years. Except in the special case of operators of power plants. In that case, the competence lies with the Federal Network Agency. In this sector, there is a hard-and-fast date, namely the end of the first quarter of 2024 for power plant operators. So that’s one thing that has changed.

But as for ISO. ISO 27001 / 27002 is also relevant for operators. This also makes an important contribution to KRITIS. And the ISO standard was also updated twice in 2022. Meaning that there are new deadlines there as well. However, as far as the operators are concerned, they will be put to the test with the two ISO standards in February 2024. So operators will have to get ready for this.

What are the interdependencies between NIS-2 and the ISO 27001 / 27002 certifications?

Matthias: I should like to answer you with a metaphor. Imagine that you have NIS-2 as your front axle. And so your front axle is in good condition. Your vehicle is due for its regulatory technical inspection. And then you take a look at your rear axle, the ISO standard, get ready for the inspection, get the sticker saying you’ve passed and you’re done and dusted! So, this means that they’re important aspects, elements in your KRITIS inspection. Both NIS-2 and ISO 27001.

There is also a new certification, DORA, for the financial sector. Is that right?

Matthias: Yes, DORA. Another completely new regulation, the Digital Operational Resilience Act. However, this time at EU level. To start off with, practically preformulated, but also very, very important for the financial sector at the national level, DORA. And these DORA provisions – you know that in KRITIS – you also have the financial sector with its own thresholds and categories – this DORA and the UP KRITIS, the corresponding controls have not yet been harmonised. We’ll just have to be a bit patient. We’ll see when the time comes. Just what sort of differentiations emerge.