Successfully implementing NIS-2 in the life sciences environment
The NIS-2 Regulation, which will come into force in fall 2024, will for the first time also require small and medium-sized pharmaceutical and medical technology companies to demonstrate effective measures to protect their digital infrastructure. In order to implement the corresponding requirements on time and secure competitive advantages, companies should act early and sustainably and align their IT strategy with the growing requirements of cyber security.
The Network and Information Systems Directive 2 (NIS-2) is a legislative initiative of the European Union that must be transposed into national law by October 17 of this year. From this date, companies whose critical services fall within the scope of the directive will be obliged to provide evidence of measures to protect their IT infrastructure against cyber attacks. In addition to a risk-based implementation of technical and organizational measures to secure digital systems, this also includes proof of their effectiveness in the form of external audits. Violations can result in severe fines of up to 10 million euros or two percent of annual turnover. In addition, stricter liability rules apply to the management bodies of the companies concerned.
Massive expansion of the scope of application
The regulation affects various sectors in the KRITIS-related environment, including manufacturers of pharmaceutical products, medical technology, and in-vitro diagnostics. As a result of the massive reduction in the thresholds, numerous companies that previously did not count as critical infrastructures fall within the scope of the directive. Whereas previously only pharmaceutical companies with 4.65 million or more packages placed on the market per year or medical technology manufacturers with a turnover of 90 million euros or more per year were subject to KRITIS, according to the current draft, companies with 50 or more employees or an annual turnover of 10 million euros or more are subject to the regulation. This means that many medium-sized companies are also affected. In addition, the NIS-2 Directive takes the entire supply chain into account. This means that, in addition to the manufacturers themselves, critical suppliers and service providers could also be indirectly affected by the regulation.
Impending overload due to multiple regulatory requirements
Smaller companies in particular are facing enormous challenges in view of the additional regulatory requirements: most of them do not yet have the necessary security infrastructure to meet the requirements, nor do they have the relevant experience in dealing with cyber security guidelines or suitable resources to implement them in a timely manner. What's more, the additional burdens are being imposed on an already heavily regulated industry environment. The additional requirements represent another financial and capacity burden that could push many companies, especially smaller ones, to their limits.
Three success factors for efficient and sustainably beneficial implementation
Conversely, the situation offers the opportunity to gain a competitive advantage over competitors facing the same challenges by acting early and with foresight. Three points are crucial for this:
- Start early and secure resources:
As a result of the drastically lowered thresholds under NIS-2, many organizations are suddenly faced with the challenge of having to implement and demonstrate the required protective measures within the legally prescribed period. As very few companies will be able to manage this task with their own resources, it can be assumed that the need for specialists in the already strained IT security sector will increase massively or that the demand for external service providers will rise. Small and medium-sized companies in particular could have difficulties securing the experts they need in view of this tight labor and provider market. In addition to specialists and consulting resources, this bottleneck also affects auditors. In order to avoid these difficulties, pharmaceutical and medical technology manufacturers should address future requirements as early as possible and build up the necessary internal resources or secure external resources.
- Align IT strategy with growing security requirements:
The IT strategy of most pharmaceutical and medical technology companies has so far been strongly geared towards on-premise operation in order to meet the validation requirements of pharmaceutical legislation and ensure compliant operation. Cloud solutions, on the other hand, tended to be avoided due to the perceived loss of control. With the increased regulatory requirements for cyber security due to NIS-2 and a dramatically changed threat situation due to increasing cyber attacks, a rethink is taking place here. Regulation is becoming a driver of cloud transformation. This is because many security requirements can be mapped much more efficiently and comprehensively in the cloud than in self-operated systems. Hyperscaler security concepts often offer a significantly higher level of protection, especially for smaller organizations that do not have the necessary resources and expertise to operate a highly equipped IT security organization themselves on a permanent basis. At the same time, the need for hard-to-find IT security specialists decreases. Companies should consider these aspects in their IT strategy at an early stage. This not only avoids the costs of implementing NIS-2 from the outset, but also enables long-term efficiency and competitive advantages to be realized through an efficient, scalable and highly reliable security architecture.
- Gain an overview of critical business processes:
In order to be able to implement the requirements of NIS-2 in a timely, efficient and plannable manner, it is important to know the time and personnel required for implementation and auditing. This essentially depends on the size of the company, its business activities, and the scope and complexity of the systems used. The first step for companies is therefore to determine what impact the NIS-2 requirements will have on business processes or business activities and on the operation of IT systems. The knowledge gained in this way not only provides an indication of the time and resources required, but also forms the basis for an IT strategy geared towards cyber security and enables a sensible prioritization of the initiatives and measures it contains as part of NIS-2 roadmap planning. All systems that are of major importance in the value chain must be taken into account, from the ERP system and production control systems to the laboratory information and management systems (LIMS) as well as logistics control systems. This requires precise knowledge of the technical processes.
Conclusion: Early action secures competitive advantages
Time is running out for companies in the pharmaceutical and medical technology sector: once the NIS-2 regulation comes into force in Germany in mid-October, they will probably have a transitional period of 1-2 years to provide evidence of appropriate measures. This poses immense challenges for small and medium-sized companies in particular. To ensure that the additional regulatory requirements do not overburden companies that are already heavily regulated, manufacturers should proactively address the issue and develop appropriate implementation strategies. A holistic perspective that takes the entire IT strategy into account is crucial. If implemented correctly, companies can not only minimize implementation costs, but also achieve real competitive advantages. Due to the shortage of skilled workers, speed is becoming a decisive factor. The sooner companies take action, the better they can adapt to the requirements.