Qualified Body (QuaSte) for Verification of Compliance with the NIS Act


SEC Consult has been available to its customers as a Qualified Body ("QuaSte") for the implementation of the NIS Act since 2021 and has since carried out numerous audits in a wide range of industries. Our customers can also rely on the expertise of our audit-experienced employees when implementing the now extended requirements for NIS 2. What is new compared to the "old" Network and Information Security Directive?

NIS2 extends the previous scope of the Network and Information Security Act to 18 sectors, which are divided into "high criticality sectors" and "other critical sectors". 

Previously, companies and organizations from the affected sectors were informed by the Federal Chancellery (BKA), but now they must check for themselves whether they fall within the scope of NIS2 and register with the competent authority. 
Another new aspect is that in future, compliance with risk management obligations must be monitored by the management bodies themselves, which can be held liable in the event of breaches. The penalties for non-compliance are severe: depending on the type of company and its area of activity, fines of up to 10 million euros or 2 percent of annual global turnover can be expected. In addition, the competent authority can issue binding instructions to remedy the security deficiencies. In the event of continued non-compliance, certifications and authorizations for the services and activities of the companies concerned may be suspended.

In contrast to NIS, companies are no longer subject to the legal requirements only in respect of their essential service; the risk management measures must be implemented throughout the entire company. Supervision and enforcement have also been tightened. In future, the authority will have a wide range of supervisory and enforcement measures at its disposal to ensure the resilience of companies' network and information systems. Essential entities must carry out regular, targeted security audits and are subject to spot checks, whereas important entities only have to be inspected if there are reasonable grounds for suspicion.

In the event of a cyber security incident, a three-stage reporting procedure applies:
1. Immediate early warning: within 24 hours of becoming aware of the incident, it must be reported whether the incident is suspected to be caused by an unlawful or malicious act and whether it may have cross-border implications.
2. Initial assessment of the cyber security incident: within 72 hours of becoming aware of it.
3. Interim or final report: a detailed description of the cyber security incident must be submitted no later than one month after the early warning.

When implementing all these requirements, the Qualified Body (QuaSte) comes into play, which checks all measures for their appropriateness and reliability. What a QuaSte is, how to become a QuaSte and what our QuaSte auditors do to support our customers in securing their systems is briefly summarized here.

QuaSte FAQs

  • What exactly is a Qualified Body (QuaSte)?
    A Qualified Body is a company authorized by the Federal Office for the Protection of the Constitution and Counterterrorism (BVT) 1) to act as an external auditor of all security measures for the protection of the critical infrastructure of operators of essential services.

  • Why can’t any service provider take on this task?
    The public must be able to rely on the fact that critical systems that are essential for the functioning of services of general interest and economic life are adequately protected against cyberattacks. Verifying these safeguards is therefore a highly responsible task whose execution requires extensive knowledge, experience and absolute trustworthiness. Companies wishing to become a QuaSte must prove that they are qualified to do so as part of an accreditation process.

  • How does the accreditation process work?
    After submitting the application, the company receives a unique identifier that must be used in future whenever evidence is transmitted. This uniquely identifies the QuaSte and prevents possible misuse. The company must then, among other things, prove that its own network and information systems are technically and organizationally secure, state which tools it uses, and describe its future verification process in detail and in a meaningful way. Once the evidence has been securely submitted to the BMI, the information is checked and, if successful, the company is notified by official decision that it may act as a QuaSte.

  • Which requirements must the auditors of a QuaSte fulfill?
    Every auditor must undergo a security check. In this process, their trustworthiness is assessed on the basis of personal data, which is checked for any indication that they might carry out cyberattacks themselves. In addition, proof of technical knowledge and relevant professional experience (e.g. through references) as well as any additional training or certifications must be provided.

  • What happens when security deficiencies are discovered?
    In this case, the experts of SEC Consult do what they usually do when they discover vulnerabilities: they propose appropriate measures that are suitable to close the vulnerabilities permanently. Our employees bring experience from countless security audits and assessments. Equipped with proven analysis tools and always up to date with the latest threats, they are our most important asset in being a reliable partner for our customers.

  • Many organizations, without being legally obligated, also want to prove to their customers on their own initiative that they are trustworthy partners when it comes to cybersecurity, and this applies to organizations of all sizes. What can organizations do who want to voluntarily commit themselves to documenting their diligence and sense of responsibility?
    Of course, we at SEC Consult do not only stand by our customers when acute danger or sanctions are imminent. Our security experts continuously support organizations in their efforts to make their networks and systems more secure. A seal of approval that shows that essential minimum security measures for cyber security have been implemented and that the topic has a corresponding priority in the respective organization can offer a decisive competitive advantage.


1) Website only available in German. 

How does a review by SEC Consult work?

During the audit, SEC Consult proceeds in five phases based on ISO 19011. Everything starts with the initiation of the audit. Here, initial contact with the operator is established and the feasibility of the audit is confirmed. For example, we make sure that we receive sufficient information to perform the audit and that the scope is defined.

In the second phase, the audit is prepared and documented in the audit plan. A precise audit plan is the basis for handling the later steps efficiently and for coordinating with all parties involved on an ongoing basis. Since SEC Consult is also active in the field of standardization, we have first-hand knowledge of how the corresponding audit catalogs are defined.

In the third phase, the SEC Consult auditors check together with the operator's employees whether the technical and organizational security measures are appropriate and effective.

In the fourth phase, the results are documented in an audit report. In the audit report, we focus primarily on the comprehensibility of the presentation of the audited areas and the methodology used. By having the report assessed by a second, uninvolved auditor, SEC Consult ensures an objective view of whether the requirements are fulfilled. This final report is sent to the audited organization and has to be forwarded to the BMI. This phase also includes the presentation of results, in which we present and discuss them with the operator's employees and derive possible recommendations for action.

The fifth and final phase is follow-up. In this phase, the operator remedies any security deficiencies. The remediation is subsequently verified and, if satisfactory, confirmed by SEC Consult.