From 2024: New cybersecurity requirements for companies under the NIS 2 Directive

NIS 2 Directive: Cybersecurity requirements for companies

What is NIS-2?

With the Network and Information Security (NIS) 2 Directive, mandatory security measures and reporting requirements will apply to many companies and organizations in 18 critical sectors from October 2024 – including many that were not previously affected. NIS-2 replaces the 2016 NIS Directive and aims to improve the overall level of cybersecurity in the EU. Compared to the previous NIS Directive, NIS2 significantly expands the group of affected companies, the obligations, and regulatory oversight. Violations of the NIS2 Directive are subject to heavy fines.

What is the purpose of NIS-2?

The EU has good reason for introducing NIS-2: critical infrastructure is vulnerable.

Since the start of the war in Ukraine in 2022, potential digital attacks on critical infrastructure such as dams, power suppliers, and nuclear power plants have attracted the attention of politicians and the public. Given the advanced equipment and power of state actors, there is also a risk of such attacks in the EU.

With NIS-2 and the implementation of the standards it requires, the EU aims to prevent attacks on critical infrastructure and the potentially catastrophic consequences associated with them from becoming a reality.

When will NIS-2 come into force?

  • NIS 2 Directive (EU) 2022/2555 has been in force at EU level since 2023
  • As a directive, it is not directly applicable, but must first be transposed into national law
  • National law must be applied from October 18, 2024
  • NIS2 sets minimum standards, i.e., EU member states may enact stricter regulations
  • In Germany, a draft bill for the NIS2 Implementation Act has been announced

Who is affected by NIS-2?

In Germany, it is estimated that between 29,000 and 40,000 companies are affected by NIS 2.

In the updated version, significantly more companies are subject to NIS 2 than NIS 1, as the thresholds have been updated (companies in 18 sectors with 50 or more employees and €10 million in turnover). Now, insurance tech start-ups, online marketplaces, and food suppliers could also be affected if they exceed the thresholds. This suddenly places responsibility on a whole range of companies that previously dealt with information security only in a rudimentary way.

The logical consequence will be that these companies will have to implement an information security management system (ISMS) that meets the legal requirements. In addition, sanctions and penalties will be significantly increased and can amount to a maximum of 10 million euros or 2% of total worldwide annual turnover.

What do companies have to do under NIS 2?

The introduction of the Network and Information Security 2 (NIS-2) Directive brings with it a host of new obligations and requirements for companies.

First, a company must classify itself into one of the different levels (KRITIS, “particularly important institution,” or “important institution”) and register with the Federal Office for Information Security (BSI) within three months of identification. “Particularly important” institutions must participate in the exchange of information via the BSI’s central exchange platform (BISP).

In addition to registering with the competent authority in their own member state and reporting security incidents, companies must also deal with the new strict security requirements under NIS 2. These include:

  • Establish risk management as a cornerstone of NIS 2 compliance
  • Ensure information security standards in supply chains
  • Report security incidents and handle them appropriately

Other important obligations according to the NIS 2 definition

According to the EU NIS 2 Directive, companies must fulfill numerous additional obligations. The management of these critical infrastructure operators is obliged to monitor compliance with these requirements in accordance with national legislation. Companies should be aware that, in the worst case, their management can be held liable for violations.

  • Policies: Concepts for risk analysis and security for information systems
  • Incident management: Detection, analysis, containment, and response to incidents
  • Business continuity: Backup management and recovery, crisis management
  • Supply chain: Security in the supply chain
  • Procurement: Security in the acquisition, development, and maintenance of IT systems
  • Effectiveness: Assessment of the effectiveness of risk management measures
  • Cyber hygiene, training: Cyber hygiene (e.g., updates) and training in cyber security
  • Cryptography: Use of cryptography and encryption where appropriate
  • Personnel, access, assets: Personnel security, access control, and asset management
  • Authentication: Multi-factor authentication or continuous authentication
  • Communication: Secure voice, video, and text communication, including in emergencies if necessary

Implementing and monitoring all standards according to the NIS 2 definition – how does that work?

The implementation and monitoring of NIS 2 standards will be an enormously complex and time-consuming task for many companies, costing them time, nerves, and money.

5 steps: How to best begin implementing the NIS 2 Directive?

  1. Clarify relevance for your own company
  2. Define responsibilities
  3. Implement measures
  4. Ensure business continuity
  5. Set up reporting procedures

How can we help?

Do you have any questions or would you like more information about the NIS-2 Directive? Denis Seefeldt and Michael Rode are available to answer your questions.
