Interview with Marc Hirtz, CEO of the Cybersecurity Provider Nextron Systems
The Network and Information Security (NIS2) Directive of the European Union represents a significant step toward strengthening cybersecurity within the EU. It targets organizations classified as operators of critical infrastructure and sets binding standards to protect their information systems from cyber threats. With the increasing digitalization and dependence on IT infrastructures, ensuring resilience against cyberattacks in essential and important sectors such as energy, health, finance, and transport is crucial for society. NIS2 not only promotes preventive security architecture but also establishes clear reporting obligations for security incidents to ensure effective response capabilities beyond the affected organization. The directive aims to enhance the resilience of critical infrastructures in Europe and thus secure the continuity of essential services for citizens and the economy.
Given the growing relevance of the NIS2 directive for organizations in the EU, it is crucial to understand how companies can prepare for these new requirements. In the following interview with Marc Hirtz, CEO of cybersecurity provider Nextron Systems, we delve deeper into the impacts of NIS2 and learn how companies can improve their cybersecurity strategies to meet the requirements.
Mr. Hirtz, why do you think the introduction of NIS2 is necessary?
Marc Hirtz: Cybersecurity today affects not just IT security but has direct impacts on the overall functionality of many service providers. IT systems form the backbone for business-critical processes, and deep integration makes us more dependent on their reliability. Particularly in critical sectors such as healthcare, failure is not an option. NIS2 aims to secure these systems and thereby ensure the stability and security of our societal infrastructure. Additionally, NIS2 creates clear guidelines and reporting obligations for security incidents, which enhances transparency and coordination within the EU and improves the response to cyber threats. All organizations can thus benefit from shared experiences.
Who is affected by NIS2, and how can a company best prepare for it, in your opinion?
Marc Hirtz: NIS2 affects organizations within the EU that provide essential and important services, such as internet providers, energy suppliers, banks, and healthcare facilities. Compared to NIS1, NIS2 significantly expands the scope and now covers 35 different sectors, compared to the original 19. Small and medium-sized enterprises (SMEs) with an annual turnover of less than 10 million euros and fewer than 50 employees are exempt from NIS2.
To prepare for the requirements of NIS2, companies should conduct a thorough risk analysis and ensure that their security measures comply with the new guidelines. This includes implementing a robust IT security architecture and integrating best practices such as the NIST Cybersecurity Framework. Most companies can build on already implemented management systems for information security. The requirement catalog is now expanded by NIS2.
You mentioned the globally recognized NIST Cybersecurity Framework, Mr. Hirtz. How can the NIST Cybersecurity Framework help organizations improve their cybersecurity strategy, and what specific advantages does it offer compared to other security standards?
Marc Hirtz: It is important to note that NIS2 is currently only an EU directive and there is no concrete (national) certification directive, so no certification possibility. The directive must be translated into national law, which has not yet been finalized for Germany. ENISA, the European Union Agency for Cybersecurity, refers to both ISO 27001 certification and the NIST framework for NIS2 compliance. The German Federal Office for Information Security (BSI) suggests obtaining ISO 27001 or BSI Basic Protection certifications to prepare for NIS2. I assume that most companies with existing ISO certification already meet 70% of NIS2 requirements. Additional requirements from NIS2 can be identified and addressed internally through the application of the NIST framework but cannot be certified externally.
Through its five core functions, the NIST Cybersecurity Framework provides a structured approach to securing critical infrastructures. With the functions Identify, Protect, Detect, Respond, and Recover, it enables organizations to recognize risks early, implement appropriate protective measures, identify security incidents in a timely manner, respond to them, and restore systems as quickly as possible after an incident. This holistic approach not only enhances resilience against cyberattacks but also supports continuous improvement of security levels by adapting to new threats and technologies. Compared to other standards like ISO/IEC 27001, the NIST Framework is more flexible and practical, facilitating adaptation to the specific needs of various organizations.
How does Nextron Systems position itself within the NIST Cybersecurity Framework, and which specific core functions are supported by your solutions?
Marc Hirtz: Nextron Systems focuses particularly on strengthening the core function of detecting cyberattacks within the NIST Cybersecurity Framework. Our APT scanner THOR detects traces of attacks that AV and EDR systems overlook. THOR provides automated forensic analysis of IT and OT infrastructures for traces of hacker activities, hacking tools, system manipulations, and many other indicators of potential compromises, even if they have occurred in the past and are currently dormant. Our APT scanner thus identifies suspicious activities before they can cause damage.
THOR is the perfect complement to existing security solutions that focus on real-time malware detection but lack in-depth forensic methodology. Combining AV, EDR, and an APT scanner like THOR ensures more comprehensive defense against complex threats and contributes to strengthening the overall security strategy.
How do you see the future development of cybersecurity in the context of the NIS2 directive, and what challenges do you anticipate in the coming years?
Marc Hirtz: The NIS2 directive marks an important step in the right direction, but the threat landscape continues to evolve. In the coming years, we will face even more complex cyberattacks that could exploit new vulnerabilities in our systems. Therefore, it will be crucial for companies to understand NIS2 as an ongoing framework within which they continuously adapt their risk assessments, protective and defensive measures to changing attack vectors. This means always thinking one step ahead, integrating new technologies and approaches to threat detection and defense, and fostering a culture of cybersecurity within the organization.
An important aspect will also be the increased collaboration between various actors – both nationally and internationally. By sharing information about threats and best practices, we can strengthen the collective resilience of our companies and thus our society overall, and respond more quickly to new challenges.
Ultimately, the successful implementation of the NIS2 directive will not only improve the security of critical infrastructures but also strengthen trust in the digital economy and our ability to handle the challenges of the modern world. Companies that prepare early and comprehensively for these new requirements will not only be better protected but also take a leading role in the secure digital transformation.