This is the fourth time I am giving this presentation, and every time I ask the same question at the beginning, and I'm so glad that more and more hands go up every time I do it. And when we reach the point where all of the hands, or 80%, go up, I will stop giving this presentation and do a new one.
So we had two presentations already today, and in this presentation the question at the end was: are we five minutes before or five minutes after? And the answer was five minutes after. We are already eight minutes after, so this will be a really speedy presentation, because I have many slides and no time for advertisement. We start with all the regulations we see in the European Union. There are a lot; most of them you will have seen recently, and I did a little service for you.
The star marks the time when it comes into effect. So we have a lot of regulations, and what is important is the differentiation between a regulation and a directive. A regulation like the GDPR the European Union sets live, and then it is live for every European Union member. On the other hand, like NIS 2, we have directives. They have to be transposed into national law. So we will have this transposed in Sweden, in Spain, in France, in Italy, and also in Germany. And here is the example of how we will do it in Germany.
And what was the timeline of NIS 2? It all started, I guess, with Marc Elsberg and his book, when he wrote about what will happen when the critical infrastructure in Europe goes down. And some people in Brussels read this book. After that we saw, with the NIS directive, with the IT-Sicherheitsgesetz in Germany, with the KRITIS-Verordnung in Germany, the first laws on this topic, saying that our critical infrastructure should do something.
But at that time there were only five and a half thousand companies in Germany which fell under this legislation.
Then we had the Commission draft of the NIS 2 directive at the end of 2020. And one of the fun facts is that the German ministry says nobody can blame us when we set it live in April 2024 and you have just half a year to implement it, because everyone in the European Union had the chance to read it since 2020. So in January we saw NIS 2, the CER and DORA go live in the European Union. And as I said, the announcement in Germany was not what everyone was thinking, but that the NIS2UmsuCG will go live in April 2024. And this will change a lot of different laws.
And one of the most important for us in industry will be the BSI law.
So the BSI law will come into effect on the 1st of October 2024. And then there is no grace period like with the GDPR. There we have seen a two-year grace period, but here there will be none. And on the 1st of October, every company that is affected by this new law has to be compliant with NIS 2 and with the new BSI law. And why did they do NIS 2? They had NIS 1.
So there was something, but they found out that not everything was good about it. For example, they want to create a bamboo tree, and not only one bamboo tree; they want to form a whole bamboo forest.
Yesterday we heard that it's very important to have a lot of entities that are secure and that help each other. And this is the idea behind NIS 2: to have the same level across Europe. They want to eliminate major differences between the member states, so that when I have a contractor in Spain, I know that they are at the same security level or even higher than in France or in Italy and so on. And they extended the scope for Germany. It means that we don't have four and a half thousand critical infrastructure companies in the future.
We have 30,000 companies in Germany affected by this new law.
Yeah. And a really interesting thing: the finance sector is used to that, they have a regulator, and now the BSI becomes a regulator too, with massive control and intervention rights and sanctions with fines. We will see in the future, like with the GDPR, where there are now fines. And here with cybersecurity we will have a similar topic, and one important topic for the management: the personal liability of the management.
So we have a lot of laws like the AktG and so on where the management knows that it is liable. But here in NIS 2 they stress this topic really hard, in Article 20, and every CEO of every company in the European Union should read this article. So what is the status in Germany? Three drafts have leaked in the meantime of how this new law should look. And the German side says we are just copying and pasting the catalog of minimum security requirements, we copy and paste the three-stage reporting regime.
The critical infrastructure knows a one-stage reporting regime.
So when a cyber incident happens, they call the BSI. Now there will be a three-stage reporting regime; I come to that on one of the next slides. Then they extended the BSI toolbox.
They are now able to do more, for example to scan our IP addresses for vulnerabilities. This is then possible, and they intend to use a framework for fines like the EU GDPR. So it will get really interesting how this evolves. With the GDPR we have seen, yesterday I heard a good comparison, we have this bathtub: we have seen some small fines and some really, really huge fines, and nothing in between. And we will see how this goes with the BSI. So in the first place I want to know: is my company really affected?
So I have to do an impact analysis. I have two different options.
I'm a large company, or I'm a medium-sized enterprise, or I'm too small and I'm not affected. So you can think about that for yourselves; I think most of the companies here in the room are large companies. The next thing is: if you are an essential entity, we have the critical systems. This is regardless of the size of the company. When you are so important for your environment, for the people you're serving with your products and with your services, then you are an essential facility. In Germany we say "particularly important facility".
And then you are in, and every large company, you remember, 250 people and more, you're a large company, and you are in the sectors which you can read here. Most of them are used to the critical infrastructure laws.
So there is nothing new. But there are new companies also, like the drinking water business, the wastewater business, and space is a new topic. Space is critical in the European Union after October 2024. And also when you are a medium-sized company that provides telecommunication services.
When you are in this kind of area with less than 250 employees, then you are also in these particularly important facilities within NIS 2. Most of you will say, okay, I'm not in one of these. And especially the banking and financial infrastructure, with DORA, they have their lex specialis; there it says when you're in the financial sector and you are compliant with DORA, that's enough. You don't have to look into other, different laws.
But the important facilities, they are also in NIS 2. And here it comes that we have these 30,000 in Germany. We have the same on the left side
that we have seen on the page before, with the medium-sized companies in these different sectors. But now, on the right side, it becomes interesting, because here it doesn't matter if you are medium-sized or large. When you are in logistics, in the production industry, like you are producing for the automotive sector like our company does, then you are NIS 2 relevant.
When you are in the manufacturing industry, you are NIS 2 relevant. I highlighted this line because many, many companies will wake up when they read this and realize that they are now under European, and then German regulation and Swedish regulation and Spanish regulation and so on. And we have chemicals, then we have food. This is good news for all the EDEKA, REWE and so on. Before, they were critical infrastructure, and now they are only important facilities.
So it's getting a little bit easier for them.
And also chemicals and research are a new sector. They are also in, yeah. And then now you know you are in the sector, but how can you really find out? Here I have highlighted three different ways.
One, the Austrian, how is it called? They have a really nice online site where you can click through it, say yes, no, yes, no, yes, no, and then it says, yeah, you are NIS 2 relevant. Then you could look into implants.com or other sites where you can give the name of your company. Then you see the NACE code. What is the NACE code? In the European Union they said we are separating the different sectors across the whole European Union for the different companies we have. And then you look it up in NIS 2 Annex 2, and there I highlighted it in green.
You'll see then, when you are delivering for the automotive sector, you are NIS 2 relevant. Or like we are doing it: we have a big chart in Visio where we have all these questions, yes and no. And we did a questionnaire and we are sending it out to all the 80 organizations we have in our corporation to find out which of them is really NIS 2 relevant. So the next thing is that we all have to register, and we have to prepare that, because we have to give information, and this has to be done three months after it goes live in October 2024.
So in the last draft it says that on the 17th of January 2025 every company of these 30,000 has to be registered, and whoever isn't registered risks fines. And you have to give all this information. I like this with the IP address ranges, because the BSI will work on it.
They will scan your IP address ranges, and when they see, or other partners or other specialists give them information about attacks in a different IP address range, they will inform you, because you gave them the IP address ranges.
And also interesting: when you change your IP address range or any other information, you have two weeks after that to inform them, and after that you risk fines. Then you have the risk management measures. This is a checklist you have to do. There are a lot of interesting things, like you have to have risk management, how to manage your security incidents, you have to have secure supply chains and so on and so on. When you are good in 27001, most of it is already covered.
But you really have to do a gap analysis to know that you are okay by the 1st of October 2024, because after that date you risk fines.
Then there was a definition of significant security incidents. At first
I thought, yeah, now I have a good definition of it. And then I read it three times, and then I thought, okay, I'm not sure.
And I talked to the ministry that is writing our German law, and they said they will give a guideline so that we know exactly what a significant security incident is, because we have this three-stage reporting line. So within 24 hours, not like the 72 in the GDPR, within 24 hours, when we think we could have gotten hit or got hit, we have to inform the BSI. In the next step, after 27 hours, we have to give them a report with an initial assessment, the severity, the impact and indicators of compromise. And then after a month we have to give them a full report.
When we don't do it, or we do it too late, we risk fines. And here's the part with the managing director liability. I really like this one, because it really says that when they don't do their job and they don't do their risk management, they really risk their own money until they're bankrupt. They pay for everything.
And there is this quote from Bart, he is from the European Parliament, and he said the CEO and the board need to know what to do, how they can gain control and where they stand as a company. So it's no longer to be handled by saying to an IT person, okay, do something to keep us safe. This has to stop in Europe. Yeah. And here are the different supervision and enforcement measures for important facilities. This is the small set.
Yeah, the critical sectors, they have even higher measures. But this is, for example, for production. We don't get ex ante supervision, we get ex post supervision: when something has happened, the BSI will come, or someone else, and they will check us. Fun fact. What do you think: how many additional people will the BSI get for all these things they now have to do?
Yeah, exactly. So they asked the finance minister and he said zero. And they are just 2,500 people. And they say even the agency in Germany for rivers and lakes has 12 and a half thousand.
So, you know, there is much more water than bits and bytes flowing in Germany. Yeah. And here are the fines for the important institutions. Like I said, when you don't do your risk management measures, or you implement them incorrectly or not in time, you risk up to 7 million euros or a maximum amount of at least 1.4 percent of the total worldwide turnover of the company. This is a huge amount, but where does this number come from?
They asked the negotiators for cybercrime and ransomware how much a fine is, and then they said it doesn't matter whether we get the money or the ransomware gang. So the companies can decide.
Yeah. And so these are my recommendations. At first, do your impact analysis. Be sure whether you are relevant or not, or indirectly relevant because you are supporting one of the affected companies, because they will ask you how secure you are. Get management on board; they should know their liability.
Do a gap analysis of the management measures, do your implementation projects, prepare the registration. And the incident reporting process is really important, that you don't do that on the day or the day after, because you risk fines. And do your regulatory monitoring. Thank you.