European economies depend tremendously on functioning and resilient infrastructures, both physical and digital. Essential services in every aspect of our lives have already been digitised. This means that the attack surface and the number of vulnerabilities have increased as well, particularly in critical facilities that supply utilities such as electricity and water.
In response, the EU has introduced two new directives to strengthen cybersecurity:
The Russian war against Ukraine and the war in the Middle East have further worsened the IT security situation. Since Hamas’ attack on Israel, cyberattacks against Jewish institutions and against countries that support Israel have also increased. European institutions and companies report attacks from hacker groups with connections to Russian state authorities. The biggest threats include DDoS attacks, ransomware attacks, the exploitation of vulnerabilities, and dependencies on the IT supply chain.
The NIS-2 law addresses cyber threats and goes beyond the EU requirements. It brings various innovations to national cybersecurity law, which is what the name “Cyber Security Strengthening Act” refers to. In my series on cybersecurity, I will present the most important aspects of the current NIS-2 draft bill. The topics covered are:
By the way, the Digital Operational Resilience Act (DORA) takes effect on January 17th, 2025. So, what is the difference? In short, the two differ in their scope and focus areas, even though both are part of the EU’s cybersecurity and resilience framework. Read an article about NIS2 and DORA.
There are two main categories of companies under the NIS2 implementation: “particularly important” and “important facilities.” Each facility is assigned to one of these categories. Both groups must meet several new cybersecurity obligations, which go beyond the previous KRITIS regulations.
A national distinction is introduced with the category of “particularly important facilities.” Since the previously used term “critical infrastructure” has not been included in the draft bill, operators of critical installations now fall under particularly important facilities. In future, the distinction will be between particularly important and important facilities, with the draft referring to “installations” instead of “infrastructure.”
Particularly important facilities include:
The category of important facilities is broadly defined, significantly expanding the number of affected companies. Important facilities include:
Both particularly important and important companies are classified by size, with a three-tier distinction:
Regardless of company size, certain operators and sectors are regulated, such as qualified trust service providers, top-level domain name registrars, DNS services, and central government institutions (e.g., federal ministries and the chancellery).
Large companies, or legally dependent units of public bodies, are those with at least 250 employees, or with an annual turnover of at least €50 million and a balance sheet total of at least €43 million. In the case of particularly important facilities, large companies in sectors such as energy, transport, banking, healthcare, water, digital infrastructure, and space overlap with KRITIS.
Medium-sized companies have either 50 to 249 employees and an annual turnover below €50 million or a balance sheet total below €43 million, or fewer than 50 employees and a turnover between €10 million and €50 million. This category includes telecommunications service providers and operators of public telecommunications networks.
In contrast to the terms “essential” and “important facilities” in NIS2, the German legislator uses “critical installations” as the highest qualification level. Operators of critical installations fall under “particularly important facilities” and must use KRITIS methodology to assess individual installations, e.g.
The term critical installation replaces “critical infrastructure” in the NIS2 implementation draft law (NIS2UmsuCG). A critical installation is essential for societal functioning, where its failure or impairment could lead to supply shortages or public safety risks. These installations span sectors such as energy, transport, banking, healthcare, water, food, digital infrastructure, and waste disposal.
Telecommunications providers are another type of service relevant to NIS-2. These organisations provide services related to internet access, interpersonal telecommunications, and the transmission of signals, such as transmission services used for machine-to-machine communication and broadcasting. Also relevant are companies that qualify as a trust service provider, a top-level domain name registry, or a DNS service provider.
NIS-2 might also be relevant for companies that provide post and courier services, waste management, the production, manufacture and trade of chemicals, the processing and distribution of food, digital services, and research.
The operator of a critical installation can be an individual, a legal entity, or a legally dependent unit of a public body that exercises significant influence over the installation.
Certain exceptions arise from specific and special laws (lex specialis). For example, facilities regulated by DORA, the financial sector’s operational resilience regulation, are exempt.
Other exceptions pertain to public telecommunications networks and services, which are governed by the Telecommunications Act (TKG), and the telematics infrastructure, which is protected by SGB V regulations.
However, not all lex-specialis provisions may remain applicable. For instance, the IT security regulations for the energy sector are expected to be largely replaced by NIS2UmsuCG. Particularly important and important facilities can also be exempt from obligations under the BSIG (IT Security Act) if equivalent regulations are followed. Partial exemptions may apply to national security, defence, or law enforcement facilities, provided a comparable IT security level is ensured.
The implementation of NIS-2 into national law requires affected institutions to adopt specific measures. The draft law for NIS-2 implementation further details and tightens the regulations for critical infrastructures, including risk management, reporting, registration, compliance, and notification obligations.
Risk management forms the foundation of IT security. Both “particularly important” and “important facilities” must establish adequate risk management to ensure IT security. This requirement includes implementing technical and organizational measures (TOM) aimed at preventing disruptions to the availability, integrity, authenticity, and confidentiality of IT systems, components, and processes.
These measures must reflect the current state of the art and align with European and international standards, requiring continuous adjustment to evolving IT security developments. Notably, the law demands a thorough risk assessment considering the level of risk exposure and the specific conditions of the institution.
Various built-in ServiceNow capabilities ensure comprehensive risk identification, management, and mitigation. The Integrated Risk Management (IRM) and Governance, Risk, and Compliance (GRC) modules provide a unified platform for managing risk frameworks, continuously assessing risks, and ensuring compliance with international standards. ServiceNow enables automated risk assessments, linking identified risks to response plans and control testing, ensuring organizations can swiftly adjust to new vulnerabilities. The platform’s Security Operations (SecOps) allows for real-time threat intelligence integration and automated incident response, minimizing the impact of disruptions on critical services. Additionally, Vendor Risk Management supports supply chain security by assessing third-party risks, while Business Continuity Planning ensures that contingency plans are in place to handle operational disruptions.
| ServiceNow Product | ServiceNow Capability | Description |
|---|---|---|
| Integrated Risk Management (IRM) | Risk Identification & Assessment | ServiceNow’s IRM application enables organizations to identify, assess, and prioritize risks across the enterprise, including IT-related risks. You can establish a risk register and continuously assess risks based on their likelihood and impact. |
| | Risk Frameworks & Methodologies | The platform supports custom or standardized risk frameworks, such as ISO 27001, NIST, and others, ensuring that the risk management processes align with European and international norms as required by the NIS-2 Directive. |
| | Continuous Monitoring | With real-time dashboards and reports, ServiceNow enables ongoing monitoring of risk exposure, making it easier to adapt to evolving threats and vulnerabilities. |
| | Risk Response Plans | Organizations can automate risk response workflows that coordinate actions when specific risks are identified, helping teams address threats proactively. |
| | Policy and Compliance Management | Compliance Management helps ensure that the risk management framework complies with regulatory requirements (like NIS-2) by mapping policies to risks and controls. It supports the implementation of technical and organizational measures (TOM) and enforces policy adherence. |
| | Risk Controls & Testing | Organizations can define risk controls to mitigate identified risks and schedule automated control testing. This ensures risks are managed in accordance with the “current state of the art” as required by NIS-2. |
| Security Operations (SecOps) | Threat Intelligence Integration | ServiceNow’s SecOps allows for the integration of threat intelligence feeds, helping security teams understand potential threats and vulnerabilities in real time. This allows continuous updating of the risk register with current threat data. |
| | Automated Incident Response | Security Incidents can trigger automated risk assessments and workflows within the IRM or GRC modules, ensuring immediate evaluation of the threat’s impact on critical business services and rapid mitigation. |
| | Vulnerability Response | The platform helps identify vulnerabilities and links them to the risk management process. Automated workflows ensure that vulnerabilities are prioritized based on risk exposure and remediated promptly. |
| Operational Resilience | Business Continuity Planning (BCP) | ServiceNow provides business continuity planning capabilities, which tie directly into risk management. Organizations can simulate various risk scenarios and their impact on business continuity, ensuring they are prepared to manage disruptions effectively. |
| Vendor Risk Management | Supply Chain Risk | ServiceNow’s Vendor Risk Management (VRM) module helps manage third-party risks by automating assessments of external suppliers and ensuring their security measures align with internal standards. This is essential for the supply chain security aspect outlined in NIS-2. |
The draft law specifies technical and organisational measures, covering not just IT systems but also the physical environment and human factors. These range from risk analyses, security concepts, crisis management, and cyber hygiene to supply chain security and the development of secure IT systems.
Implementing the ServiceNow capabilities that support these measures will result in greater operational resilience and compliance with regulatory requirements. Moreover, a proactive approach will help manage IT security risks while aligning with the objectives of the NIS-2 Directive.
To address the threat landscape adequately, the NIS-2 Directive introduces new and stricter reporting obligations for critical infrastructure operators.
This involves strengthening the Federal Office of Civil Protection and Disaster Assistance (BBK), which, together with the Federal Office for Information Security (BSI), serves as a central reporting hub for IT security incidents. The BSI coordinates information exchange on a national level, within the EU, and with the European Union Agency for Cybersecurity (ENISA).
ServiceNow’s Security Incident Response (SIR) module acts as a centralised platform for incident reporting and management. It can integrate with other agencies and systems (such as the BSI) to automatically funnel reports into a shared hub.
Integration with external systems (e.g., ENISA and national systems) using ServiceNow built-in capabilities like Integration Hub ensures smooth coordination across organizations, meeting the requirement of sharing incident information at both national and EU levels.
ServiceNow SIR and Integration Hub ensure seamless collaboration and real-time reporting across different regulatory bodies, improving the speed and accuracy of incident management and reporting.
A “security incident” is defined as any event impacting the availability, authenticity, integrity, or confidentiality of data or services. A “significant security incident” involves incidents causing severe operational disruptions, financial losses, or material or immaterial harm to others. These definitions form the basis for multi-stage reporting obligations:
There is also the option to involve the public if necessary to raise awareness or manage significant security incidents.
The platform’s playbooks and workflows help classify and prioritise incidents as “significant” or “non-significant” based on customisable parameters, ensuring the appropriate level of attention. Integrating playbooks and workflows into ServiceNow SIR automates the classification and prioritisation of security incidents, ensuring that high-impact incidents are escalated and addressed promptly.
The reporting, analytics and data extraction capabilities, together with an external portal, help prepare reports and distribute them among agencies, operators, and the public.
Not only critical infrastructure operators but also particularly important and important facilities are required to register. This registration ensures better oversight and control over facilities and installations that play a central role in maintaining critical services and functions.
ServiceNow’s CMDB acts as a central repository for registering and managing all critical infrastructure, important facilities, and installations. It can store detailed information about each entity, including its critical services, dependencies, and risk levels. It can cover not only IT assets but also physical facilities and critical infrastructures, enabling oversight of both digital and physical installations. This ensures that organisations have a single source of truth for all key installations, providing comprehensive control and visibility.
A well-defined and well-managed CMDB provides a centralised and organised record of all registered entities, improving oversight and control. It enables organisations to quickly identify which facilities or installations are crucial to operations and to align with the registration obligations under NIS-2.
If institutions and operators fail to comply, the BSI can autonomously register them. Additionally, the BSI can impose fines for non-compliance with the registration requirement, reflecting the importance the legislation places on comprehensive coverage.
ServiceNow’s Customer Portals can be used to create a self-service platform where operators of critical infrastructure and important facilities can register themselves directly. This portal can guide users through the registration process, ensuring all required information is captured correctly.
Streamlined, user-friendly self-service portals allow operators to fulfill their registration obligations independently, reducing the chances of non-compliance. In case of failure to register, automated workflows ensure compliance through autonomous registrations.
A key element of this framework is the obligation to demonstrate compliance with IT security regulations. This obligation emphasizes the BSI’s model of “cooperation and sanction,” aiming to ensure a high level of security through collaborative partnerships, backed by clear legal requirements.
Centralised management of compliance obligations within ServiceNow IRM ensures consistent tracking and real-time visibility into compliance status, reducing the risk of non-compliance while fostering collaboration across internal teams.
The new law stipulates that compliance obligations particularly apply to facilities deemed “particularly important.” These facilities must demonstrate compliance to the BSI at a specified time after registration and every two years thereafter. This regulation offers flexibility compared to the previous version of the law and allows for a more precise design of the compliance process.
The Now Platform can schedule automated compliance assessments for facilities, ensuring that required documentation, audits, or certifications are submitted on time. It can also automate recurring compliance tasks every two years, or at whatever interval the local regulation requires.
A new feature is the possibility for the BSI to refine the compliance process after consulting representatives of affected operators, institutions, and business associations. This dialog-oriented approach ensures that the specific needs and challenges of various sectors and institutions are adequately considered, allowing the process to adapt to changing conditions and threats.
The ServiceNow Now Assist AI-driven tool and Virtual Agent can support this dialog-oriented approach by providing operators and business associations with automated, interactive guidance in a human-like, flexible manner. These capabilities can help answer compliance-related queries, provide real-time updates on regulatory changes, and offer guidance on how to adapt to the refined compliance process.
Compliance can be demonstrated through various means, such as security audits, inspections, or certifications conducted by recognized bodies.
By leveraging ServiceNow’s IRM, Virtual Agent, Now Assist, and other capabilities, organisations are able to manage their compliance obligations more efficiently while ensuring that they meet NIS-2 regulations.
The BSI is authorized to instruct particularly important and important facilities to inform their service recipients promptly about significant security incidents that could affect service provision. This notification may also be made public, such as via internet publication. Furthermore, institutions in critical sectors like banking, digital infrastructure, and ICT service management must notify potentially affected service recipients about any measures or remedies they can take in response to a significant cyber threat. These rules aim to enhance transparency and strengthen resilience against cyber threats by enabling affected parties to respond appropriately.
Automated and timely communication within ServiceNow can ensure that notifications are sent out promptly, both privately to service recipients and publicly when required, reducing manual errors and delays. Using tailored workflows, organisations in critical sectors can quickly notify affected parties and suggest remedies to minimise the impact of incidents. With a complete audit trail of all notifications, organisations can demonstrate their compliance with notification obligations and thereby reduce regulatory risk.
The NIS-2 Directive makes it clear that ensuring corporate IT security is a central responsibility of the management. This principle is extended and reinforced in the proposed revision of the BSIG-E. The law outlines detailed duties for the management of particularly important and important facilities. These duties apply to individuals appointed by law, statutes, or corporate agreements to manage and represent the facility, including boards, directors, special representatives of associations, and leaders in public institutions.
With ServiceNow Strategic Portfolio Management (SPM), management can gain a holistic view of IT security initiatives across the organization. SPM allows for strategic alignment between corporate goals and IT security projects, ensuring that management maintains visibility into how these efforts are progressing and how they align with overall business objectives. The Workbench and Executive Dashboards provide real-time insights into ongoing initiatives, risks, and actions to be taken.
The direct and timely involvement of management ensures that it has the necessary tools to maintain accountability and oversight over IT security projects, helping it fulfill its obligations under NIS-2.
The explicit involvement of management highlights the importance of an integrated and holistic view of IT security as part of corporate governance. Management is thus responsible not only for strategic direction and financial performance but also for ensuring an adequate level of IT security to safeguard the integrity, availability, and confidentiality of information technology.
Here also, ServiceNow SPM helps management balance strategic business objectives with IT security priorities, ensuring resources are allocated to the most critical security projects.
Teiva Systems provides guidance on all aspects of the ServiceNow platform, including strategic roadmap, solution design, implementation, delivery, testing, support and training. Let us know if you need further support with your DORA initiative.
Kostya Bazanov, Managing Director, Oct 23, 2024