How the efficient convergence of management systems helps to implement internal and external requirements.
The NIS-2 Directive, the NIST Cybersecurity Framework, CSA IoT Security Controls Framework (USA), TEC certification in India, CLPRC in China, ISO 27000 series of standards and IEC 62443, the EU Data Act or Supply Chain Law – the list of international regulations is long. At the same time, the regulatory requirements for the operation and use of IT in companies are also becoming increasingly stringent.
IT compliance in accordance with internal and external requirements
The umbrella term of IT compliance includes specific as well as more general laws and regulations for each economic sector, which must be implemented for the purpose of corporate due diligence and risk avoidance. In addition, there are internal requirements for sustainability, compliance & ethics, corporate risk management/ICS, and much more.
For many years, the use of standard frameworks such as ISO 27001/27002, COBIT or COSO has proven successful for implementing high-quality and functional solutions. However, these systems were usually developed in parallel by the separate business units responsible for IT security, information security, data protection and compliance.
Considering the increasing density of regulations, this no longer seems adequate, as the fragmentation of disciplines can lead to inconsistencies, redundancies, contradictions, and dysfunctionality.
Stricter requirements lead to more investments in security
According to the 2023 TÜV Cybersecurity Study, one in two companies would invest more in IT security if stricter requirements were imposed. Nearly two-thirds of the companies consider legislators to have a responsibility here and call for policies that mandate appropriate cybersecurity measures in the economy. In nearly half of the companies, such policies help to implement additional IT security measures, to prioritize the topic with top management and to direct existing budgets towards cybersecurity.
Large and medium-sized companies in particular base their cybersecurity measures on the existing standards and regulations. Yet, due to the separation of the different departments within the companies, the standards implemented are largely independent of each other and do not interconnect. However, when it comes to the controllability of a comprehensive governance model, failure to harmonize the different regulatory frameworks poses a major risk.
Convergence of standards and management systems
Most standards and frameworks for implementing IT compliance requirements have a large overlap in the area of the operational implementation (the measures).
Some ISO standards have recognized this and are converging different perspectives – such as ISO 27001 for information security management systems with the scope extension of ISO 27701 for data protection management systems. This synergistic link approach can be expanded to other disciplines and be harmonized with the overarching discipline of compliance.
In addition to harmonizing a company's internal policy structure, it is necessary to overcome the departmental silos that are typical of organizations. For example, setting up a project organization is a common approach for involving the relevant stakeholders – starting with the legal requirements as part of the company-wide compliance responsibilities. It is generally true that it is easier to get "board attention" – i.e., the attention and budget allocation from top management – if the potential implications of non-compliance are presented in the context of corporate liability.
Regulatory drivers and their ranking in terms of increasing requirements:
EU companies operate in a complex environment, and especially large companies rely on global value chains. Thus, with its approval of a European supply chain law (Corporate Sustainability Due Diligence Directive, CSDDD), the European Parliament has taken a significant step towards fairer global supply chains. On June 1, 2023, the majority of the members voted in favor of binding rules for companies. The message is clear: human rights, climate, and the environment must be effectively protected from negative influences of global business in the future. Among other things, the Directive aims to:
- Anchor risk management regarding human rights and environmental impacts more firmly in corporate strategies, including those from value chains.
- Ensure uniform due diligence requirements in the single market and provide legal certainty for companies.
- Hold companies more accountable for negative impacts and clarify their obligations under EU initiatives.
- Provide affected parties better access to remedies in cases of human rights and environmental damages.
- Complement other EU sustainability measures as a higher-level instrument, particularly in specific sectors.
The EU Whistleblower Directive (DIRECTIVE (EU) 2019/1937 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL) is intended to protect individuals, known as whistleblowers, who report breaches of Union law throughout the European Union.
For companies with more than 50 employees or a certain annual turnover, the Directive establishes clear and confidential reporting channels through which violations can be reported. This includes both internal reporting channels within organizations and external channels with the competent authorities. The Directive covers a wide range of EU legal areas, including public procurement, financial services, product safety, environmental protection, and more.
The aim is to protect internal and external whistleblowers and to ensure that their reports are properly processed and followed up. This requires anonymizing the whistleblower and the communication using appropriate technical functions. Additionally, strict data protection requirements must be implemented.
This interaction between compliance and data protection offers the potential to converge already established data protection requirements at the level of process design to protect the rights of data subjects. At the technology level, Identity & Access Management (IAM) as well as encryption and anonymization functions provide the tools necessary to implement the requirements according to the state of the art.
With the Whistleblower Protection Act (HinSchG), the EU Whistleblower Directive was transposed into German law; the Act came into force on 1 July 2023.
With the NIS2 Directive (EU 2022/2555), legislators launched a revision of the first version of the Network and Information Security Directive. EU member states must transpose the updated directive into national law by October 2024. It introduces a number of changes aimed at strengthening cybersecurity standards for critical infrastructure operators (CRIsPs):
- Eleven critical and seven important sectors bring the total number of affected sectors to 18.
- Companies with more than 50 employees or an annual revenue of more than EUR 10 million must comply with the NIS2 Directive.
- Companies must now report a broader range of security incidents.
- In the event of a security incident, the Directive requires an initial report within 24 hours and a detailed report within 72 hours.
- National regulatory authorities are strengthening their enforcement capabilities and are imposing higher penalties for violations.
The Cybersecurity Framework of the National Institute of Standards and Technology (NIST) provides a set of best practices and guidelines designed to help establish a foundational understanding of one's own cybersecurity, and to organize and enhance it.
It was developed by NIST, an agency of the U.S. Department of Commerce, in collaboration with the industry, to promote a standardized approach to protecting critical infrastructures and other systems from cyberattacks. To this end, the NIST Cybersecurity Framework consists of three main components:
- Core: A set of cybersecurity activities and outcomes divided into five functional areas: Identify, Protect, Detect, Respond, and Recover. Each area has specific categories and subcategories.
- Profiles: Representations of an organization's specific cybersecurity objectives, based on selections and prioritizations from the Core.
- Tiers: Four levels that describe an organization's cybersecurity risk management maturity, ranging from "partial" to "adaptive".
Because cybercrime crosses national borders, cybersecurity must also position itself internationally. This is why there are global security standards such as the ISO 27000 series.
The current version, ISO 27001:2022, introduces important changes for IT security and data protection (through the supplementary ISO 27701), as well as specific measures for cloud security (information security for the use of cloud services).
In addition, the international IEC 62443 series of standards continues to focus on the cybersecurity of "Industrial Automation and Control Systems" (IACS), which is becoming increasingly important as a comprehensively pursued approach for operators, integrators, and manufacturers in connected production.
Important to know: The transition period for existing ISO 27001 certificates is three years from the last day of the month in which the new ISO/IEC 27001:2022 was published (October 2022). This means that all certificates based on ISO/IEC 27001:2013 or DIN EN ISO/IEC 27001:2017 must be converted to the 2022 version of ISO 27001 by October 31, 2025.
Learn more about our services in the field of cybersecurity and regulatory requirements.
When it comes to your cybersecurity, there is no one-size-fits-all solution. That's why we offer you a flexible range of services – tailored to your individual needs and requirements.