GENESIS - Guidelines for public authorities and SME providers of strategic services for the risk-oriented implementation of the NIS Directive

In recent years, the number of cyber-attacks on enterprises has increased drastically and attackers have shifted their focus more and more towards critical infrastructures. Due to their role as crucial utility providers, incidents within critical infrastructures have far-reaching impacts on society. In order to prevent such incidents and to provide protective measures, the European Parliament has issued the directive on security of network and information systems (NIS Directive) in 2016, which will become Austrian law in 2018 as the "Cybersicherheitsgesetz". The NIS Directive addresses operators of essential services from selected sectors of critical infrastructures as well as digital service providers and thus affects small and medium-sized enterprises (SMEs) to a large amount. However, it is often difficult for SMEs to implement the comprehensive action catalogues specified in the standardized security and risk management frameworks covered by the NIS Directive. The project GENESIS aims to develop a risk management framework for the SMEs affected by the NIS Directive. The goal of this framework is to meet both, the requirements of the NIS Directive, and the results of the current national legislative process. Therefore, a guideline is derived from recognized standards and best practices from the fields of risk management, information security and cybersecurity management. In particular, the risk management framework focusses on modularity, practice orientation and cost-efficiency, as well as individual applicability both for the authorities as well as for SMEs from different areas. Additionally, the project aims to formulate the risk management framework in such a way that a resource-efficient monitoring and audit can be carried out by the "NIS authority", which will be installed in the future. Therefore, the main outcome of the GENESIS project is a flexible and cost-effective risk management framework for SMEs, which implements the requirements of the NIS Directive and the "Cybersicherheitsgesetz". Based on this framework, an application guideline is derived supporting organizations of different size and from different areas to implement the risk management framework. A third core result of the project is a catalogue defining audit objects and their minimum security requirements. The primary audience of the study resulting from the project is both critical infrastructure operators and public authorities. On the one hand, the results will support a cost-efficient, modular and individual implementation of the NIS Directive for SMEs. On the other hand, a clear definition of minimum security requirements as guidance and verification for authorities and SMEs will be provided. The long-term goal of GENESIS is to achieve a sustainable increase of the security level within critical infrastructures of different size in Austria.