Latest news with #DennisKenjiKipker


Forbes
08-08-2025
- Business
- Forbes
How NIS 2 Redefines Cybersecurity Standards For Companies Worldwide
Prof. Dr. Dennis-Kenji Kipker is a cybersecurity expert and works as Scientific Director of the

In December 2022, the NIS 2 Directive was adopted in the European Union. A number of EU member states have already transposed it into national law, with the remaining member states set to follow. The directive applies to companies in the covered sectors that provide their services in the EU, regardless of where they are headquartered, which in practice brings in companies worldwide. It is well worth looking at the largest European legal act on cybersecurity to date, both to avoid fines and to strengthen your own corporate cybersecurity practices.

The NIS 2 Directive affects not only operators of critical infrastructure but also other central economic enterprises, their suppliers and their digital supply chains. In this way, cybersecurity is becoming a task of general economic protection, a trend that characterizes the EU and that more countries worldwide are taking up. As many companies covered by NIS 2 pass the increased cybersecurity requirements on through their contracts, particular care will be required in the future when providing evidence and documentation of one's own cybersecurity standards.

The directive affects companies from the following sectors:
- Energy
- Transport
- Banking
- Financial market infrastructure
- Healthcare
- Drinking water
- Wastewater
- Digital infrastructure operators
- ICT service management (business-to-business)
- Public administration and government institutions
- Space
- Postal and courier services
- Waste management

Additionally, it affects many manufacturing companies, including chemical companies, mechanical and vehicle engineering, food production, and providers of digital services such as cloud computing, online marketplaces and online search engines. The new cybersecurity obligations also cover private research institutions.
However, sectoral affiliation is not the only decisive factor in whether NIS 2 affects a company; organizations must also reach minimum thresholds for turnover and number of employees. Companies that employ at least 50 people, or whose annual turnover or annual balance sheet total exceeds €10 million, are obliged to implement cybersecurity risk management in the EU (a few categories, such as DNS service providers and top-level domain name registries, are covered regardless of size). In particular, many medium-sized companies, as well as companies from other countries around the world that do business in the EU, are facing increasingly strict cybersecurity compliance obligations.

Regarding best practices, the new standards do not require an absolute level of digital security but, rather, a level that is appropriate to the given risks. Companies that are newly covered by NIS 2 must first and foremost implement cybersecurity risk management that takes the state of the art into account. Measures to be taken could include the following:
- Systems for attack detection
- Use of AI tools for automated prevention of and response to cyber incidents in the company
- Network mapping and network segmentation
- Access control (in particular, zero-trust policies)
- Awareness training for management and employees
- Vulnerability management and update policies

Cybersecurity is also increasingly becoming a task of holistic digital resilience. With the recent revelation that IT workers from North Korea have successfully infiltrated large Fortune 500 companies in the United States, every company's cybersecurity policy must actively incorporate industrial espionage and trade secret protection. This is the Achilles' heel of many companies, as IT management and personnel management must increasingly be considered together. In an age of global threats, the risk analysis for cybersecurity does not end here: non-technical risk factors and the protection of the (digital) supply chain must increasingly be included.
This means that in the age of cloud computing, companies themselves are responsible for ensuring that their contractors can also demonstrably verify the cybersecurity, availability and data confidentiality of their IT systems. On the other hand, bottlenecks in the supply of hardware, for example, which still largely originates in Asia, particularly Taiwan and the People's Republic of China, must also be taken into account.

According to the NIS 2 Directive, it is also essential for companies to document every cybersecurity measure they take. Such technical and organizational documentation is not only in the company's own interest for continuously developing an information security management system; it is also helpful when preparing for cybersecurity audits and certifications or when official inspections are pending, which European law also provides for. As the individual EU member states are responsible for implementing the NIS 2 Directive, the national cybersecurity authorities carry out such reviews. Documenting the cybersecurity measures taken can therefore also help to ward off fines, which can easily run into the millions in the event of serious breaches, since NIS 2 defines standardized European fine thresholds modeled on those of the EU GDPR. The maximum fine for essential entities is €10 million or 2% of total worldwide annual turnover, whichever is higher; for important entities it is €7 million or 1.4%. Documentation is of similar relevance when defending against civil claims for damages following IT failures.

Documentation is also required beyond this, as the NIS 2 Directive stipulates official reporting obligations in the event of significant cyber incidents: an early warning is due within 24 hours of becoming aware of the incident, a fuller incident notification within 72 hours, and a final report within one month. In case of doubt, competent authorities may carry out on-site inspections of cybersecurity standards in the companies, including random checks, and the management bodies can be held liable for non-compliance.
As a result, the NIS 2 Directive and its ongoing implementation in the EU member states could substantially raise the level of cybersecurity for globally active companies by the end of this year at the latest. Good cybersecurity practices will become a general corporate duty. All international companies operating in the EU are therefore required to check whether they fall within the scope of the directive and, if so, to establish suitable practices to defend against digital threats within the company.

Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives.


Forbes
09-06-2025
- Business
- Forbes
A European Perspective: Why Digital Sovereignty Concerns Us All
Prof. Dr. Dennis-Kenji Kipker is a cybersecurity expert and works as Scientific Director of the

There are countless definitions of what constitutes digital sovereignty: some define it politically, others technically, and there are legal and sociocultural attempts at a definition as well. That makes sense, because digitalization affects all areas of life, society and the economy. This article will therefore not attempt to cover the entire possible spectrum of digital sovereignty, because that would be boring. Instead, my aim is to identify specific reasons for the lack of digital sovereignty to date and to consider how we can work together to find a way out of this dilemma.

Here are just two examples of a lack of digital sovereignty. When President Donald Trump announced that he would make changes to the transatlantic data protection agreement between the EU and the United States, and we in the European Union had to consider what consequences this could have for our economy, I do not believe that is digital sovereignty. Or, when Vice President JD Vance stated in February 2025 that the European Union is digitally overregulated, and the EU Commission then considered reducing European data protection by reforming the GDPR, I do not believe that is digital sovereignty either.

To me, sovereignty therefore means being able to decide freely whether and how to digitize, so that the greatest possible added value can be achieved for everyone, regardless of foreign interference. And digital sovereignty is not just an abstract end in itself: it helps companies in the EU use the best possible IT products at an efficient business price. U.S. companies also benefit from EU digital sovereignty: in a free, sovereign market, it is easier for startups and scale-ups from abroad to build a business case in the EU. Unfortunately, we in the EU are still too far from this ideal, at least at present. But why is this the case?
It is a long story, because the lack of digital sovereignty did not happen overnight or in just a few years. To answer this question, you have to go back almost 30 years in the history of European technology development. The best example for Germany is the mobile phone market. Soon after the start of the cell phone boom in the 1990s, the country began to rely on outsourcing IT development. This ultimately resulted in the closure of Siemens Mobile, formerly a big-name mobile developer in the country. While companies were initially able to rely on suppliers from abroad, decades later they had become dependent on those same suppliers. The consequences can be felt by everyone today: the European smartphone market has long since ceased to be dominated by European manufacturers, as was the case with cell phones just a few decades ago.

This worked well for many years because the credo of the European digital economy, among others, was always that globalization is the way forward. In the last decade in particular, a great deal has been digitized and networked with the expansion of 5G mobile connections, and more and more computing capacity has been outsourced to the global cloud without hesitation. However, the global turnaround that began with Covid-19 in 2020, and that has since continued with political unrest and tension, has made this difficult. The insight is clear: while we trusted in digital globalization all those years, it is now a question of digital trust. Digitalization without trust is no longer sustainable in these times. Regionalization instead of globalization has therefore become the credo of our decade, and this includes regaining the digital sovereignty we gave up. But that is, of course, easier said than done.
We had decades to lose our digital sovereignty, but we have been confronted with the global turnaround at such a rapid pace that establishing digital sovereignty from here will be extremely difficult. This is where the circle must close. Digital sovereignty affects us all, and therefore everyone can make a contribution. It is not just about the European Union investing more in the development of its own digital economy by supporting startups and scale-ups with targeted funding. It is even more important to get young people interested in training in STEM subjects. And ultimately, it is about how we as states, as individual companies and as individual consumers purchase IT.

In this very concrete business context, achieving digital sovereignty and technological resilience first requires a risk analysis: What technology do I use? In which areas do I use it most? To what extent do my processes depend on it, and from which manufacturers does it come? U.S. manufacturers, for example, should also ask themselves these questions, as the increasing regulatory requirements for cybersecurity as part of digital sovereignty also offer new business opportunities. Where EU-compliant products are offered, European companies can integrate them more easily into their IT infrastructure. Ideally, then, digital sovereignty is a win-win situation for everyone.