NIS-2: Taking a holistic approach to cybersecurity

When dealing with the new regulation, many people focus on the obvious technical measures for strengthening information security. However, focusing solely on this is short-sighted – the directive demands much more! 

According to Article 21, the NIS-2 Directive pursues a cross-risk approach that aims to protect not only the network and information systems themselves, but also their physical environment from security incidents. 

This also brings into play hazards such as fire, sabotage, terrorist attacks, or natural disasters. NIS-2 therefore includes measures such as fire protection and burglary protection – and the safety of personnel is also explicitly mentioned. 

While fire alarm systems are already mandatory for many companies affected by NIS-2 due to other requirements, additional physical measures, such as facade protection, may need to be introduced. Secure access management in particular is now indispensable.

Whether virtual or physical attacks – with all threats, it is important to inform the right people as quickly as possible so that immediate action can be taken. This is handled by the secure emergency communication systems specified in the directive, such as the DAKS® alarm server.

Emergency communication or alert systems play an important role in strengthening resilience, as the following examples show:

Example: An AI camera with facial recognition reports an unauthorized person attempting to gain access. The report is sent directly to the security team. Preset duty and substitution rules ensure that a security officer is always available and that the report does not go unnoticed.

(Read more about the integration of AI technologies into alarm systems here.)

Example: A smoke detector goes off in the data center. The fire safety officer is alerted to this urgent message by a loud ring tone and immediately goes to the scene to assess the situation and, if possible, bring the fire under control before the fire department arrives.

(Read more about the interaction between alarm systems and fire alarm systems here.)

Example: If the smoke alarm in the previous example turns out to be a false alarm, the fire safety officer who rushes to the scene has the option of canceling the alarm for the fire department that has already been alerted within the investigation period. This eliminates the fees for an unnecessary fire department call-out and costly downtime due to evacuation of the area affected by the alarm.

Organizational measures to strengthen resilience include incident response planning: Simply creating emergency plans is not enough—they must also be tested and practiced regularly to ensure that operations can be quickly restored in the event of an attack.

Emergency communication or alerting systems such as the DAKS alarm server convert the emergency plans that have been created into an automated process that can be started “at the touch of a button.” This means that in the event of an alarm, even under stress, immediate and safe action can be taken without fear of errors. 

In addition, alarm systems encourage regular testing and practice of emergency plans. Various predefined alarm scenarios can also be started and played through at the touch of a button, just as they would be under live conditions. In addition to the training effect for everyone involved in the emergency plan, the evaluation of the tests provides valuable insights into the functionality and effectiveness of the plans that have been created. For example, procedural errors can be detected and corrected so that everything runs smoothly and reliably in a real-life situation.

Once purchased and installed, (on-premise) systems often have an advantage over SaaS systems in that the exercises do not incur any extra costs and can therefore be carried out as often as desired, which naturally promotes resilience. In addition, the emergency communication systems used should have detailed logging to ensure that incidents are documented in a meaningful and legally compliant manner. 

Example: Due to a bomb threat, the entire data center must be evacuated – work comes to a standstill. On a dashboard, the security officer starts the complete and thoroughly rehearsed alarm process with a simple mouse click. First, the evacuation of the building is carried out in an orderly manner via the employees' mobile phones. The staff on the various floors are guided individually and sequentially to the assembly points via specific escape routes. This prevents accidents involving people, which would cause further delays and increase the damage. Security officers can use feedback from employees' phones to identify who has not yet received the message and may need assistance. In addition, a telephone crisis conference connects the various responsible parties – security officers, crisis management and emergency services – and ensures the effective exchange of information on the status of the hazard situation. Once the threat has been eliminated, all those affected are also informed of the all-clear at the click of a mouse and can resume work. The entire process is documented in a detailed log, including timestamps.

(Read more about evacuation here.)

According to NIS-2, cybersecurity must be considered holistically and includes not only the obvious technical measures but also organizational and physical measures that affect the physical environment of the network and information systems to be protected. Emergency communication systems are an important component in ensuring the effectiveness of the required resilience measures.

As a secure emergency communication system, DAKS thus helps to establish security, increase resilience, and prevent damage at various levels.