Press Releases Rhebo

News

OT Security Made Simple | The necessity of NIS2 for bringing cybersecurity to the companies

In this week’s OT Security Made Simple podcast, Andreas Könen, Head of the Cyber and Information Security Department at the German Federal Ministry of the Interior and Homeland, provides insights into the BMI's work to strengthen cybersecurity in Germany. He explains why cybersecurity enforcement needs legislation, why companies are willing to take cyber risks, and why the EU's NIS2 directive is essential for pushing cybersecurity forward.

 

 

 

Listen on:

  

 

Transcript

Klaus Mochalski

Hello and welcome to a new episode of the Rhebo Podcast OT Security Made Simple. I'm sitting here today at the Federal Ministry of the Interior and Community together with Andreas Könen and I'd like to ask you to start by briefly introducing yourself for our listeners.

Andreas Könen

Yes, Andreas Könen, Head of the Cyber and Information Security Department, which has now been in existence for about five and a half years. I have a degree in mathematics and have done a great deal in my professional history in the incipient digitalization or, as it would always be called today, cybersecurity. I was at the Federal Office for Information Security, where I was Vice President at the end, and then I have been here at the Federal Ministry of the Interior and Homeland Affairs for seven years.

Klaus Mochalski

Yes, thank you very much. We agreed in advance that we would like to talk today in particular about the NIS2 Directive, which was adopted by the EU at the beginning of the year, what the implementation in Germany looks like and, of course, what the consequences are for the companies affected. And there are indeed very significant consequences. But before we get to that, I would like to talk about the current regulation, namely the IT Security Act in its last amendment, which is often referred to as IT Security Act 2.0 in the current amendment. And this also affects many operators of critical infrastructures, who are also among our customers. To start with, I'm interested to know from your point of view whether this has been a success? Is it still a success that can be built on today? And what can be learned from its implementation to date?

Andreas Könen

Yes, from my point of view it is definitely a success. If only because with the IT Security Act 2.0 we have now really addressed the CRITIS sector in much greater breadth and not just the critical infrastructures, but in some places we have clearly gone beyond that and, for example, with the defense industry on the one hand and with companies in the special interest of the state on the other, we have included other companies. This was accompanied by a reception from the companies, many of which approached us and saw it as a natural extension of the IT Security Act 1.0. So I can certainly remember someone saying, "Oh, we would have thought that we would have been regulated directly in 1.0. It's good that we're now getting that in two zero. But what does that mean in terms of content? In terms of content, it means we now really have the same approach in many more industries and companies. It will be more reliable for business to know that I need information security standards. I have to implement these information security standards in a suitable way so that they really fit together with my other compliance requirements that I may have elsewhere. These are issues that the BSI can then also track in an audit and can also check again whether they have been implemented in the sense prescribed by law.

Andreas Könen

And the most important thing, the reporting procedure, that now really reports from all areas of the regulated economy come to the BSI, that is thus able to generate a cybersecurity situation Germany and thus also return knowledge about the situation to the companies. 

Klaus Mochalski

You just mentioned the issue of reliability. Planning reliability is always one of the most important things, and the business community is certainly right to demand it. The question I always ask myself here, even when we are dealing directly with customers, is what would the situation be like, the awareness of the risk of cyber attacks, if we did not have this regulation? Has regulation made a positive contribution to awareness here, or has it merely taken up what already existed in the companies anyway, and they have then gratefully accepted what comes in the way of government regulation. After all, there was definitely resistance. Where do you see the contribution of this legislation to what you would call awareness?

Andreas Könen

Yes, in fact, this was already evident with the IT Security Act 1.0. At that time, we had reached a point in the voluntary cooperation with critical infrastructures where obviously no more progress could be made in some sectors. There was no awareness. There were certain industries that told us point blank, no, they don't think cyber, yes, cyber security measures are necessary. They would have enough other physically oriented fallback and resilience options, which we clearly saw differently. The reality of the threat environment absolutely proved us right. But IT Security Act 1.0 and then again 2.0 have really ensured in certain industries with a certain pressure that then an implementation of cyber security standards has taken place. So it was one thing and another. There were companies and industries that didn't need much more telling. It was a very positive development. But there were others that really needed that emphasis. I'm not naming any names now, any industries, who that was, no blaming at this point, but that is reality.

Klaus Mochalski

Yes, if you look at the overall economic situation, it looks as if we are currently heading for difficult times worldwide. That means there's more focus on costs again. And if you look at the cybersecurity industry, internationally, like in the U.S., things always happen a little earlier there than in Europe or in Germany. And the willingness to invest, on the other hand, I can't help but have the feeling that there is a dotted line beyond which you have to get your project, in this case the topic of cybersecurity, to meet with a willingness to invest. And that this has not risen constantly over the years, but that it fluctuates very strongly with the economic situation. That is, when things are going well, people invest in cybersecurity, and when things are not going well, it is again a topic where less investment is made. Especially in many cybersecurity companies, many employees have been laid off in a situation where you actually think we're talking about a shortage of skilled workers and many companies have currently laid off 5 to 15 percent of their workforce in some cases; security companies that also work in critical infrastructure. What do you take from that? How do you see that?

Klaus Mochalski

Is it this lack of willingness to invest? Or is there actually a continuous upward trend here?

Andreas Könen

Yes, first of all, there is a continuous upward trend in terms of investments in information and cyber security. There is now a study published jointly by the TÜV Association and the BSI that shows at least this basic figure. Nevertheless, this is subject to economic fluctuations. This means that when I, as a company, am faced with the situation of how do I make the capital, the investment capital that I have, work? In times of economic downturn, I think very carefully about whether I might have a greater appetite for risk and not cover one or two cyber risks, but also other risks, with appropriate IT security measures, and whether I should relax and spend less money in this area and instead invest more in the pure business success of my company. That is definitely the case, but then you have to take a closer look. And this TÜV study really does show very clearly that it depends on the size of the company. The large companies, which invest continuously in information security, cannot afford to default on their payments to the state because of the regulations that apply. Medium-sized companies of a certain size also invest just as continuously. But there is a dividing line, as you said, below which companies react very, very quickly and sensitively and cut back their investments in information security.

That is dangerous, but that is reality. You're right about that. That is subject to cyclical fluctuations. 

Klaus Mochalski

I think in the end we would have to create such an awareness that cybersecurity is not an optional topic, but that this is considered like electricity, water and building rent, that this is an essential part of the daily operation of a business and not optional, no matter how big my company is.

Andreas Könen

So we are certainly on the same page there. Yes, we have to take care of that. But the reality is always that you put a startup that has exceeded a certain size and will soon perhaps fall under the NIS2 directive, with more than 50 employees, and then an economic situation arises in which the newly launched products do not register as well. Then many of them go and say, maybe I'll sell my product a little cheaper, make it through this economic dip, and the money I don't have, I won't invest in information security. Absolutely dangerous, because that can really lead to a situation where my business comes to a standstill due to a major cyber attack, ransomware attack. You shouldn't do that, but the world is the way it is and some people take these risks.

Klaus Mochalski

I believe that it is always important to make informed risk decisions, i.e. to weigh up the risk for oneself and consciously decide which risks I want to hedge, which risks I accept, but then also to think in terms of resilience about what happens if an incident does occur? How can I then ensure that the affected parts of the business can be restarted? And cyber resilience is also a topic that will be regulated more closely in the future.

 Andreas Könen

Yes, it will be regulated more strongly if NIS-2 we have already indicated several times, but it is also the case that the CR Directive will come into force at the same time and will be implemented in German law, i.e. everything that means the regulation of the analog side. Here at the Federal Ministry of the Interior, we are making an effort to change this, to push it forward together with the CRITIS umbrella law, so that the CR Directive is implemented, NIS2 is implemented, and we have a clear guideline for companies on how they should position themselves in both the physical and the digital world so that they are resilient and can survive certain crisis situations unscathed. That is an overall concept.

Klaus Mochalski

If we take up this point again, it's that smaller companies in particular are less willing to invest in certain areas, including cyber security measures, when there are economic downturns. Who has a homework assignment here? Is it more the companies that have to assess their risk sensibly and then use the budget they have correctly? Or is it up to the providers of the systems, products and services used by these smaller companies to ensure that their offerings are so secure that they can be used safely and that they don't actually have to invest much at all? So is it a manufacturer issue or is it a user, an operator issue?

Andreas Könen

So I think you really have to look at it from both sides. NIS 2 two, for example, or all of our regulations, first of all, really go to the critical infrastructure companies or the companies themselves. That's a business obligation, that just goes with the business capability. But you are absolutely right. I have to look at the other side as well. So it's no use at all for a manufacturer if I don't present products in such a way from the outset that the products are secure, that they are mature, that they actually meet the exact functional and security requirements that the company representing the end customer can then also smoothly embed them in the respective IT environment. And precisely for this purpose, there will also be the Cyber Resilience Act of the European Union, which places precisely the corresponding demands on the manufacturers, on the products there, which will set up a regime, the CAA, with which the quality of products A will ultimately be measured according to standards and also certified. So this is the logical continuation of the Cyber Security Act from a few years ago, where the whole thing was a framework on a voluntary basis. Now manufacturers are being required to clarify precisely these information security properties of their products.

Andreas Könen

And when it comes to safety products in particular, this will be at a higher level of sophistication. As has been the case with EU regulation in recent years, there will be a Basic level, which is more for the consumer market. But there will be a Substantial and High level, in which security products in particular will be found. They will be subject to higher demands, they will need certificates from authorities such as the BSI in order to continue to be used on the market at all. And that, I think, is also associated with an enormous advantage for the companies that use such products.

Klaus Mochalski

That will also drive up the cost of the products, but on the other hand it will certainly relieve the users of these products of some of the burden of assessing the risk, and if the legislation hits the right areas, it will certainly also ensure that the risk in the critical areas is reduced without small companies having to think about it too much.

 Andreas Könen

Yes, indeed. First and foremost, it takes the cheap joke out of the market, which we are now unfortunately also seeing in the digital world. 

Klaus Mochalski

Proverbial IP camera that then drives attacks against banks as a botnet. We have already seen that.

 Andreas Könen

Which is still realized as a botnet. Something where the corporate world can never be updated. We have seen all that. That's times the first that that's taken off the market. That first of all apparently also increases the price immediately, the middle one that I see in the market when the cheap ones are down. But you're right there, of course. But then part of the security is already invested in the product, which otherwise the company would normally have to invest on top of that itself, if that is not already integrated in the product. In other words, this is already leveled out to a certain extent. And it really does happen with signaling, where comparability is achieved in the market. It is very, very difficult for many companies to weigh security products from different manufacturers against each other and to assess their qualities. Such a certificate will make it very clear which manufacturer realizes which properties of its product and at which quality level.

Klaus Mochalski

I think that will be very exciting. We definitely need to talk about NIS again. Before we get to that, however, I would like to point out an observation that we make every day, not only as a solution provider, but also as a service provider in the cybersecurity area, especially in critical infrastructure. We conduct regular cybersecurity audits for all our new customers and also for existing customers, especially in the area of critical infrastructure, which includes many energy suppliers and many distribution network operators. We conduct regular cybersecurity analyses and assessments there, where we simply evaluate the situation. This includes things like this. What components are there with vulnerabilities in the software, with outdated software? What communication is taking place that should not be taking place in critical environments? Over the years, we have gained a relatively clear picture of this with many customers. And that contradicts a bit of the excitement that is sometimes spread about this topic in the media. Of course, the topic always spills over when there has been a spectacular attack, for example on an administrative authority, on a district administration office, and they then have to work with files for four months. We all know about these cases, we hear about them regularly. However, we have to say that we do not systematically observe this with our customers.

We actually find many risks, many vulnerabilities. We keep finding outdated software that is vulnerable, that is also very easily vulnerable. But we very, very rarely observe compromises actually taking place, attacks actually taking place. And so we always ask ourselves the question, and I would also like to ask the question, is that because we are so good as operators of critical infrastructure, so to speak, or have we just been lucky so far? There is always a lot of talk about the geopolitical situation, that now certain states are of course interested in being able to attack the critical infrastructure of another country. So the question is, have they just got their weapons in place now and we don't see those in impact yet and they just haven't pushed the button yet? Or are we actually that good?

Andreas Könen

So that's an exciting question. I would like to answer it with this. We are like this. And do that directly for the federal government as well. But on the other hand, reality teaches us to be cautious. So I would say that, on the whole, the German economy, but also the German public administration, is well positioned in terms of defense against attacks from the criminal area, from the cybercriminal area. I think such a huge amount of these strange standard attacks.

 Klaus Mochalski

Thus, the typical ransomware attacks. 

Andreas Könen

Yes, ransomware, that's where it gets more problematic. No, phishing and many other things. I think we're in a relatively good position today. Or the usual attacks, botscanning and finding certain initial approaches. I think we're in a pretty good position overall, which doesn't rule out the fact that there are a certain number of companies and administrations where obviously nothing has really got through to people yet and where very, very little has actually happened. I believe that they are the ones who make the headlines. I can confirm this, at least for the public sector. If I look at certain municipalities and districts that have fallen victim to attacks somewhere, then that is very public. That's also very tough, and they were also in a really bad position. But I know of others, for example large municipal associations that are really well positioned, where you have never heard of anything major happening to them in 15 years. I'll mention one, the Aachen regional association, which has been in the best possible position for years and comes from the Cologne-Bonn region, so I took a closer look. They have been doing this professionally for many years.

 Klaus Mochalski

I was about to say, what are they doing right? That would be important for our listeners.

 Andreas Könen

They have always stayed on top of it, have oriented themselves to the applicable standards, have always looked at where the danger situation is developing. They have commissioned a central municipal service provider, which only belongs to one region itself, which they have set up consistently, where there are also staff who have been committed to the area for many years and who work there. I think that's a point that has a tremendous effect. So, the other thing that makes me, let's say, cautious again. That is the observation now in Ukraine that attacks are actually taking place that must have been prepared for a long time, that there may very well be - that is where the state attackers come into play, in this case quite clearly Russia - that they fall back on things that have been scouted out beforehand, where hidden cyber attacks have clearly taken place beforehand, where sleeper software exists that has nested somewhere, where complex analyses have been carried out to be able to carry out attacks via the SAT system as a very concrete example. So I say: "Oh, watch out, we have to be prepared for that. A German critical infrastructure must also be prepared to look at this: Don't I have some deeper starting points somewhere? This must be discussed with the BSI, the BFV and also the BND and the BKA. 

Andreas Könen

What can you do against something like that? There one must however in the end extreme caution apply and prepare also for the case of the cases that one with best knowledge and conscience on such an attack with such high goodness could not prepare genuinely, but must have also a reaction in the sense. I must know what I do in the moment when something like this actually occurs.

Klaus Mochalski

That's what I was about to ask. There are two areas where you could invest now. One could try to increase the detection function in the early phase of an attack, which does not yet lead to an actual attack, which is exactly the case that we are observing or that took place in Ukraine, to increase our capabilities there. And on the other hand, we could invest again in cyber resilience in order to be able to start up again more quickly if the worst comes to the worst. What is the right way?

Andreas Könen

We have to do both, because we're not going to get to 100 percent on either solution. We will get to 95 percent in both against such intelligence-savvy attacks maybe with a lot of effort and a lot of money, just grabbed a number. Yes, as always, the last 5 percent are the most expensive and the most complex. In that respect, you have to do both. Together with the BSI as a critical infrastructure, we have to think about how we can increase detection. Are there new methods, but also artificial intelligence, which can process much more data and also evaluate it from a completely different point of view? Something like that is slowly coming and bringing that into the field. But on the other hand, I also have to be prepared, for example, to map banalities in resilience very clearly. And I wonder whether larger IT service providers, for example, will pay attention to everything. In one case, an IT service provider that also supplies the federal government fell victim overnight to an attack, albeit in this case from the criminal sector, and we had to ask ourselves whether they had ever prepared themselves for the kind of communication that would then be required. In other words, external communication.

Andreas Könen

How do I position myself when I am attacked? How do I communicate with the press? How do I communicate with my customers? That didn't seem to be prepared. And above all, how do I maintain certain basic functions of my own company communications? How do I still reach my IT boss? How does the IT boss reach his employees? Is there any way back, so that we at least know that we are going to meet directly at such and such a place and try to analyze our IT? I really had the impression that this is not there, even though we have been preaching it for years. So that is cyber resilience requirement in its basic features IT crisis management.

Klaus Mochalski

So I think service is a good keyword. We talk every day about the shortage of skilled workers that we see in every area, especially in IT and especially in cybersecurity. Of course, all of this will not only cost investment, but also skilled workers, who are already in short supply today. Very few companies, especially if we look at smaller companies, will be able to afford or will even have the opportunity to build up powerful specialist teams. It's often not even worth it, because they have to prepare for Day X in the event of a contingency. And if they do a good job, there's relatively little to do. So it's clear that the whole thing has to shift toward a service business, and that the smaller companies in particular have to be able to work with reliable partners. Do we also need some kind of quality seal for this service so that cases like the one just described no longer occur?

Andreas Könen

Yes, that is definitely necessary. And that is why we are talking about supply chain security in many places. Now, this supply chain security has actually only been established in people's minds for the usual products that you can grab with your hand. In other words, everything that involves hardware and perhaps software. But the same applies to IT services. There, too, there has to be supply chain security, there have to be certain guarantees. For small companies, the only remedy is to have a very, very good IT service provider who also provides these guarantees in writing, who not only has a service level agreement for the days when things are going well and throughput is high, but who also states how IT emergency management can be structured in the end. Is there a new standard, BSI has once updated this emergency standard 100-4, to 200-4 has just now been published in the final version. So these are things that a small company can look up on the BSI website or in the Alliance for Cybersecurity and then simply ask the IT service provider a few questions, are you implementing this along these or comparable guidelines?

I think that is crucial. However, I will say, at the EU level, that has not yet arrived. We just mentioned the Cyber Resilience Act. Unfortunately, exactly for the software and services side, that doesn't exist yet to the extent that I just described. Even there, I still see a gap at the EU.

Klaus Mochalski

Absolutely. At some point, we would be in a situation where we networked a lot of certified, secure products with each other. Then something happens and they all still run.

Andreas Könen

Exactly, because the IT service was not subject to the same rules. To be honest, we've had cases where the BSI wanted to provide support, even when things got really critical with the Mobile Incidence Response Team, but they simply couldn't reach anyone because there was really no phone number left to reach anyone. In the end, at some point they got the managing director on the currents via his cell phone.

Klaus Mochalski

It's crazy that after all that investment, it then fails on such banalities, often.

Andreas Könen

Yes, indeed.

Klaus Mochalski

All right, then, we've touched on it a couple of times. Then let's talk about the NIS-2 directive again at the end. This is now a relatively concrete legislative project. There are already initial drafts for implementation in the member states, including Germany. If I remember correctly, it has to be implemented by October 2024. There are quite a few changes and extensions compared to the previous directive, but also compared to the current IT security law in Germany, which goes beyond the NIS directive, so I think we are quite well prepared in Germany. In your opinion, what are the main changes that companies will have to deal with?

Andreas Könen

Yes, first of all, the very decisive change is that the NIS 2 Directive no longer decides whether a company is subject to regulation or not on the basis of criticality; instead, the threshold criteria are now based on turnover and the number of employees. So, that means that the European Union has moved away from the approach of regulating by criticality. This has certain disadvantages, which I will come back to in a moment. First of all, it has the advantage that for most companies it should be much easier to decide whether I am affected or whether I belong to the group of regulated companies. If I simply have to look at my sales or the number of employees, I know relatively quickly.

Klaus Mochalski

Yes, there are still the essential and the important sectors.

 Andreas Könen

Yes, within this, the companies differentiate once again between essential and important. In German, this is not linguistically differentiated as well as it could be, so important and particularly important are unfortunately not as concise as one would wish. What is meant? Ultimately, what is meant is exactly that those who are essential, i.e. particularly important, are those who provide a service that is crucial for the community. 

Klaus Mochalski

That would be Critical Infrastructure as we define it so far.

 Andreas Könen

Yes, but extended a bit, we are not that unhappy about it, because the balancing acts that we had to make, for example, to include the chemical industry or the defense industry, they are completely done at the moment, they are just essential, yes, from the danger tendency, chemistry or the importance for the functioning of a reasonable defense, that is clear. With the German implementation law, we are now going down the path, and that is what I wanted to mention, that we are actually already staying with the term CRITIS. Precisely because of the implementation, which is taking place at the same time as the CR Directive, with the CRITIS Umbrella Act, with which we are finally creating a basis at the federal level in the legal area, we are finally defining CRITIS in a generally binding way. This term KRITIS will be very, very close to Essential for the digital area, for the NIS-regulated area. It will almost universally be the case that those that are defined as KRITIS are also Essential. So the decision is there for the companies as well.

Klaus Mochalski

And also vice versa, because I now found it interesting, for example, that IT service companies, for example, fall under "Essential". Will that also be the case in Germany?

Andreas Könen

That will be the case, in fact. And that's exactly where the difference lies, because the IT service company, for example, doesn't have a critical position in the analog sector. That is trivial. It will not be the case that the IT service company then falls under this other KRITIS side of the analog world. That is somewhat clear, because the analog functions that come into play here are ultimately energy supply and perhaps water supply and the like and waste management, which then have a secondary impact. But that means that for us it is important, first of all, that we have a large number of companies that are now moving into the regulated area, 29,000 instead of roughly 2,500/4,000, if ITSiG 2.0 had now been fully implemented.

Klaus Mochalski

And these are the companies that are above the sales threshold and above the employee threshold.

Andreas Könen

Yes, exactly. So, 29,000, of which roughly 5,000 are in the Essential area. So that means there are significantly more. That is first of all important, because we can foresee, if all those who implement the corresponding regulations have to increase information security in Germany, that we as the federal government get a much broader feedback basis in the reporting obligations. We see much more, the Germany, the cybersecurity situation Germany will be able to be generated on a broader basis. Very good. And now comes the problem for us. We will have to deal with it. A BSI will have to register 29,000 companies. So far, we have maintained very good cooperation and also relatively direct contact with many companies. That will no longer be possible on such a broad scale. We say that it is all the more important that, together with what is coming via the KRITIS-DACH Act, the so-called KRITIS implementation plan, i.e., the voluntary cooperation with the KRITIS industry, that this continues, that we continue to maintain these structures, that the UB-KRITIS Council, which meets here in the Federal Ministry of the Interior time and again, does its work and that we have the various forums where we continue to talk to each other on a voluntary basis to see whether this regulation is working, how it is working and where it is stuck.

Andreas Könen

So we need that to continue. That is important. I am not happy with what NIS 2 has brought at the European level, because it initially overtaxes such structures, yes, with the breadth.

 Klaus Mochalski

I believe that, compared to other European countries, we in Germany are in a pretty good position with the BSI and also the staffing.

 Andreas Könen

Yes, on the one hand, we are really well positioned in comparison, but even a BSI will be able to cope with the number of employees that are now there, which until now would have been a maximum of 4,000 regulated care, as I said, with 29,000. The only way they can do that is through digitization.

Klaus Mochalski

I was about to say, so just increase the BSI, hire staff. That's not going to be the answer.

Andreas Könen

No, no, we don't get that either. You have witnessed budget debates in recent weeks. That's not going to happen. So we have to digitize ourselves. We have to find ways to address these companies digitally so that the BSI can get in touch with them, so that the companies know how to get in touch with them and, above all, so that we have a slot for messages, as I always say, where it is clearly visible that this is where messages belong and this is where we communicate.

Klaus Mochalski

And I think the bidirectional aspect is very important, also for acceptance, so that a lot of valuable information flows back and you, as someone who submits a report, benefit not only from the specific information or the response to the report, but also from the overall picture that is then returned. So you could say that the BSI should become a kind of national SOC, Security Operations Center?

Andreas Könen

Yes, at least it has to become what we have launched. This is the so-called BISP, which is the BSI Information Sharing Platform. So we have this project running and that will also not fall under the financial restrictions that unfortunately have to be envisioned now, but the BSI will run this project and that is exactly what you are talking about as an exchange and information platform. We don't have to distribute every message we receive to everyone. That is not possible at all. There is a protection of trust to be ensured. But the BSI must be able to use this platform to provide specific information to the sectors that need to know about a particular security event, quite apart from the general security situation. That is crucial.

Klaus Mochalski

One aspect that will certainly be of interest to many companies, including smaller ones, is the increase in penalties. The penalties have been increased once again. How binding will the deadlines be? In the past, we have often observed that things have been sat out, that people have waited and that, of course, people are still reluctant to prosecute violations. How will the reins be tightened in the context of the implementation of the NIS-2 directive?

 Andreas Könen

The fact is that the amounts alone are enough to tighten the reins. So clearly, the revenue shares that are at issue here. The second thing is that I am not at all a fan of tightening the reins in other ways. How does the BSI do it today, even with the low sums? Let's say that it becomes obvious that a violation exists simply because there was no notification from the company that it is to be considered regulated under the current IT Security Act 2.0 regulation and the CRITIS regulation. The BSI takes a random approach by asking such companies why this is not the case, or, if there is a clear indication, it also proceeds in a determined manner, not by means of a random principle, but by asking questions. And it has proved to be really good practice not to threaten directly with fines, but simply to go and say: "Attention, we have identified you. Please give us a reason why you are not to be seen as critical infrastructure in the sense of ITSiG 2.0 or hand in the registration and we will give you a grace period. And we have made the experience that the vast majority of people then react very shocked and come back extremely quickly with the message.

Andreas Könen

And then the BSI always said, fine, come on, forget it. And that's also a good thing. So that builds trust again. But we will also, I think, where things are a bit tighter and the situation is a bit more unruly - there was a case in the past that had to do with Berlin. I don't think we would shy away from taking a company into state or municipal or federal ownership. So there is no mercy. And that's where we will take exemplary action.

Klaus Mochalski

Very nice. But overall, it also shows that cooperation always works better in case of doubt. And anyone who is approached in this way once will probably try to avoid it the second time. And that is also a learning effect that presumably remains in the companies.

 Andreas Könen

And that is quite positive.

Klaus Mochalski

Perhaps finally, the many companies that are now sliding into this regulation. What advice would you give them to create awareness that this is not just a burden or not a burden, but something that is actually essential for their own business?

Andreas Könen

Yes, of course I would first recommend that they take a look at the cyber security situation. Simply ask the BSI or the Federal Criminal Police Office directly and take a look at what happens with ransomware incidents alone - we haven't talked about this in detail now, but it really is a criminal plague. That has to be said. And if you realize that, you see, no matter what business purpose my company serves, I'm directly threatened by that. Always like that. So that means the first thing is to realize once, why have I now fallen into this regulation? What does it mean? What am I threatened with? What do I have to do now as first steps? Certainly an initial legal consultation is always good, you can also get it from the associations, and then just to know how do I have to block myself out from the state side? That this is clear for now, that this is clear for now. The BSI will do one thing and make it visible to the outside world how this process is to be carried out. And I would say not to get nervous. The second step is the content. Then I really have to think about whether there are standards that apply to me. Is there already something that an association can offer me?

Andreas Könen

Is there anything my IT service provider can offer me? You should approach them quickly. If you're not your own IT service provider, then you have a certain IT service provider, i.e. your own IT is of a certain size, so you're pretty well self-sufficient, and you actually know what you're doing. But especially those who have an external service provider. They should confront the external service provider with what is coming and exert pressure to say, "What do I have to do in detail now? Yes, and then at the end there is really the consideration of how do I behave in a crisis? How do I get into a reasonable IT crisis emergency management? So there are three steps in total. First, clarify what NIS-2 means for me and contact the BSI. The second step is to go through my own IT infrastructure at my IT service provider, and the third step is to prepare myself for how I will react in the event of an incident. I think we have everything covered then.

 Klaus Mochalski

That is, I think, a very nice closing. Thank you very much for that. I also think that when I talk to people, when I talk to customers, I always try to make it clear to them that the problems we are solving are by no means new, they have existed for a long time. There are many well-known measures on how to deal with them. There are many international and national standards. That means you don't have to invent anything new, you just have to get information from the appropriate places, as you say. And also the implementation is actually well practiced and understood. This means that it can be implemented with manageable effort. And overall, for these newly affected companies, the incremental effort that will be required there should be limited. In this respect, I can only endorse what you say.

Andreas Könen

 Yes, exactly. It's all been there before. Exactly.

Klaus Mochalski

Okay, thank you very much, Mr. Könen, for talking to us. Thank you, too. It was great fun for me.

Andreas Könen

Yes, thank you. Goodbye. Thank you very much.