NIS2 Directive: Everything companies need to know now
Key findings:
- Extended cyber security requirements: Around 30,000 German companies must implement the strict requirements of the NIS2 directive.
- Stricter penalties and liability: Introduction of higher fines for violations and personal liability of management bodies for the oversight of risk management measures.
- ISMS according to ISO 27001: Implementation of the NIS2 directive can be effectively managed with an information security management system (ISMS) in accordance with ISO 27001.
Cybersecurity is becoming increasingly important in today’s digital world. In light of the growing threats from cyberattacks and other cyber incidents, the European Union (EU) has intensified its efforts to strengthen the protection of network and information systems. A significant step in this direction is the revised NIS2 Directive (Directive (EU) 2022/2555), whose national transposition measures apply from October 18, 2024. This directive replaces the previous NIS1 Directive and brings more comprehensive and stricter requirements for companies.
In Germany, around 30,000 companies will be affected by the new regulations and must adapt their cybersecurity measures accordingly. The NIS2 Directive not only introduces higher penalties for violations but also includes personal liability for executives, underscoring the urgency of compliance.
This article provides a comprehensive overview of the NIS2 Directive, explaining the specific requirements and detailing how companies can implement them. It also covers the potential costs and necessary timeframe to ensure timely and effective preparation. The aim is to best prepare companies in Germany and the EU for the upcoming changes and to help them optimize their cybersecurity strategies.
Overview of the NIS2 directive
The NIS2 Directive is a revised and expanded version of the original NIS1 Directive, which was introduced by the EU in 2016. This first cybersecurity directive was a response to the growing threats and rising demands on IT security in Europe, with the aim of ensuring a high level of common security for network and information systems across the EU.
With the NIS2 Directive, the EU is taking it a step further. It focuses on harmonizing cybersecurity standards and strengthens risk management and incident reporting obligations. The directive sets out comprehensive requirements for businesses and authorities to ensure that risks are systematically assessed and appropriate security measures are in place.
A key objective of the NIS2 Directive is to enhance the EU’s cyber resilience. This includes not only the protection of critical infrastructures such as energy supply, healthcare, and transportation but also securing digital services and ensuring compliance among a broader range of companies. The new directive also introduces stricter penalties for non-compliance, increasing the enforceability of the measures.
The NIS2 Directive was formally signed on December 14, 2022, published in the Official Journal of the EU on December 27, 2022, and entered into force on January 16, 2023. EU member states, including Germany, had until October 17, 2024, to transpose the new rules into national law, and the national measures apply from October 18, 2024. This means that companies need to start preparing and implementing the necessary measures now to meet the new requirements.
Scope of the NIS2 Directive
The NIS2 Directive significantly expands its scope compared to the previous NIS1. While NIS1 applied mainly to operators of essential services (in Germany, the operators of critical infrastructures, KRITIS) and certain digital service providers, NIS2 extends the requirements to a broader range of companies and sectors. This means that not only energy providers, healthcare services, and transportation companies are affected, but also digital marketplaces, the food industry, and many more.
NIS2 also introduces a new classification of companies, distinguishing between “Essential” and “Important” entities. This differentiation is crucial, as it determines the supervisory regime and the maximum fines that apply to a company: essential entities are subject to proactive supervision, important entities to supervision after the fact. Entities fall under the jurisdiction of the member state in which they are established, so a company with establishments in several member states must register with the competent authority in each of them and comply with each national transposition; for certain digital providers such as cloud, data centre and DNS services, jurisdiction follows the main establishment in the EU instead.
Furthermore, NIS2 expands the list of affected sectors. Annex I (“sectors of high criticality”) now lists eleven sectors and Annex II (“other critical sectors”) seven. If a company meets the size criteria and operates in one of these sectors, it falls under NIS2. Annex I newly covers areas such as wastewater management, public administration, and space. Annex II includes postal and courier services, waste management, the chemical industry, and food production and processing; entities in these sectors are generally classified as “Important”.
Lastly, the introduction of the “size-cap” rule is significant. Entities in the listed sectors are covered if they are at least medium-sized under the EU definition (Commission Recommendation 2003/361/EC), i.e. 50 or more employees, or an annual turnover or balance sheet total above €10 million. Large enterprises (250 or more employees, or turnover above €50 million or balance sheet total above €43 million) in the Annex I sectors are generally “Essential” entities; other covered entities are “Important”. A few types of entity are covered regardless of size, for example qualified trust service providers, top-level domain name registries and DNS service providers. As a result, the number of affected companies has increased substantially, and many businesses previously unaffected by NIS1 must now prepare for NIS2 compliance.
Requirements of the NIS2 directive
The NIS2 Directive imposes extensive requirements on affected companies to strengthen cybersecurity within the EU. First, companies must implement a comprehensive cybersecurity risk management system. This involves systematically assessing risks and implementing measures to minimize them, including regular risk analyses, the development and implementation of security concepts, and ensuring security within supply chains.
Second, the NIS2 Directive mandates technical and organizational measures (TOM) that reflect the state of the art and are proportionate to the risk exposure and size of the entity. Article 21 lists the minimum areas these measures must cover: policies on risk analysis and information system security; incident handling; business continuity, backup management and crisis management; supply chain security, including the security of relationships with direct suppliers and service providers; security in the acquisition, development and maintenance of systems, including vulnerability handling and disclosure; procedures to assess the effectiveness of the measures; basic cyber hygiene practices and cybersecurity training; policies on the use of cryptography and, where appropriate, encryption; human resources security, access control and asset management; and the use of multi-factor or continuous authentication and secured communication where appropriate. Practical examples include network segmentation and firewalls, encryption of data at rest and in transit, timely security updates, and regular employee training.
Additionally, the NIS2 Directive requires companies to establish reporting processes for significant security incidents, with a three-stage timeline. An early warning must reach the competent authority or CSIRT within 24 hours of becoming aware of the incident, stating whether it is suspected to be malicious and whether it could have cross-border impact. An incident notification is due within 72 hours; it updates the early warning and gives an initial assessment of severity and impact and, where available, indicators of compromise. A final report is due no later than one month after the incident notification, describing the incident, its root cause, the mitigation applied and any cross-border effects; if the incident is still ongoing at that point, a progress report is submitted instead, and the authorities may request intermediate status updates. These reporting obligations are intended to improve transparency and coordination in addressing cybersecurity incidents, so incident response plans should define who decides when the 24-hour clock starts and who files each report.
Another aspect of the NIS2 Directive is information sharing. The directive (Article 29) provides for essential and important entities to exchange cyber threat information, such as indicators of compromise and attacker tactics, on a voluntary basis through arrangements set up by the member states. What is mandatory is registration with the competent authority and use of the reporting channel it provides; in Germany this is the Federal Office for Information Security (BSI). This ensures effective communication and cooperation during security incidents.
Finally, companies must comply with the security requirements of the NIS2 Directive. These requirements encompass not only technical measures but also organizational and procedural aspects. For instance, companies must ensure they have the appropriate structures and processes in place to respond to security incidents, including establishing emergency plans and regularly conducting security exercises.
Implementation of the NIS2 directive
Implementing the NIS2 Directive requires significant effort and resources from affected companies. The most effective way to meet NIS2’s strict requirements is by implementing a comprehensive Information Security Management System (ISMS) according to the international ISO 27001 standard. An ISMS provides a structured and systematic approach to managing and securing sensitive company information and helps to efficiently fulfill NIS2 requirements.
First, companies need to conduct an assessment of their current security measures and compare them with NIS2 requirements. This gap analysis identifies areas where improvements are needed. The identified gaps must then be addressed through the implementation of new security measures and processes. This includes both technical measures, such as deploying modern security technologies, and organizational measures, like employee training and establishing clear responsibilities.
Additionally, it is crucial for companies to set a clear timeline for implementing the NIS2 Directive. Experience shows that establishing an ISMS can take between six and 18 months, depending on the size and complexity of the company. Therefore, companies should begin planning and implementing early to meet the October 18, 2024 deadline.
Financial planning and regular audits
Another important aspect of implementation is cost planning. Implementing an ISMS and meeting the NIS2 requirements can require significant financial resources. According to estimates from the Federal Statistical Office, the one-time costs for introducing the NIS2 Directive in Germany amount to approximately €1.37 billion, with ongoing annual costs estimated at €1.65 billion. Companies need to incorporate these costs into their budget planning and, if necessary, consider external consultants or service providers to efficiently meet the requirements.
Finally, companies should conduct regular reviews and audits to ensure that the implemented measures comply with NIS2 requirements and are continuously improved. This includes internal audits conducted by the company itself, as well as external audits by independent bodies to verify the effectiveness of the ISMS and, if desired, to obtain ISO 27001 certification. NIS2 itself does not require certification, but an accredited certificate is a convenient way to evidence the risk management measures to auditors and authorities.
Through careful planning and implementation of the NIS2 Directive, companies can not only fulfill legal requirements but also significantly enhance their cybersecurity, thereby strengthening their resilience against cyberattacks.
Penalties and liability
The NIS2 Directive introduces a significant tightening of penalties and liability regulations to ensure the enforcement of cybersecurity measures. This aims to encourage companies and authorities to take the new regulations seriously and implement them consistently.
Firstly, the NIS2 Directive imposes much higher fines than its predecessor. For essential entities, fines can reach up to €10 million or 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher. For important entities, fines can be as high as €7 million or 1.4% of worldwide annual turnover, whichever is higher. These severe penalties emphasize the urgency and importance of complying with cybersecurity requirements.
Secondly, responsibility is extended to top management. Under Article 20, the management bodies of essential and important entities must approve the cybersecurity risk management measures, oversee their implementation, attend cybersecurity training themselves, and can be held liable for infringements. The German transposition bill (NIS2UmsuCG) stipulates that the executive bodies, specifically the management, may be personally liable with their private assets for failing to ensure compliance with the risk management measures. This provision ensures that executives are personally motivated to implement the necessary cybersecurity measures and avoid violations.
Additionally, there is no grace period once the national law takes effect, unlike the two-year period between adoption and application that the General Data Protection Regulation (GDPR) granted. From October 18, 2024, all affected companies must fully comply with the new requirements. This means that companies must already begin preparing to meet the NIS2 Directive to avoid legal consequences.
Finally, the introduction of these strict penalties and liability regulations means companies must seriously rethink and improve their cybersecurity strategies. Compliance with the NIS2 Directive should be seen as an opportunity to strengthen cybersecurity and, in doing so, gain the trust of customers and partners.
Through these measures, the NIS2 Directive aims to achieve greater commitment and enforcement of cybersecurity requirements. Companies must ensure they take the necessary steps to meet the new regulations, thereby avoiding potential fines and liability risks.
The challenges
Implementing the NIS2 Directive presents both challenges and opportunities for companies. On one hand, the stringent requirements, along with the resources and costs involved, pose a significant challenge, especially for small and medium-sized enterprises (SMEs). On the other hand, the directive also offers numerous opportunities to enhance cybersecurity and strengthen competitiveness.
First, the extensive requirements of the NIS2 Directive represent a major challenge. Companies must invest substantial financial and human resources to meet the new standards. This includes implementing a comprehensive Information Security Management System (ISMS), conducting regular risk analyses, and applying technical and organizational measures. SMEs, in particular, may struggle to allocate the necessary funds and expertise to meet these rigorous requirements.
Additionally, the new reporting obligations and participation in information sharing can add administrative burdens. Companies need to establish effective processes and systems to report security incidents within the specified timeframes and participate in central exchange platforms. This demands close collaboration with the relevant authorities and continuous monitoring of the cybersecurity landscape.
However, the NIS2 Directive also offers numerous opportunities. Establishing an ISMS in line with ISO 27001 can help companies to systematize and improve their cybersecurity strategies. By identifying and addressing security gaps, companies can increase their resilience to cyberattacks and reduce the risk of security incidents. This not only aids in legal compliance but also strengthens the trust of customers and business partners.
Opportunities of the NIS2 Directive
The NIS2 Directive also provides an opportunity to improve collaboration and information sharing between companies and authorities. By actively participating in central exchange platforms and fulfilling reporting obligations, companies can benefit from the experiences and insights of others, continuously optimizing their own security measures. This increased cooperation helps to strengthen cybersecurity across the EU and enables a united approach to combating threats.
Moreover, companies that successfully implement the NIS2 requirements can gain a competitive advantage. Compliance with high cybersecurity standards can serve as a quality feature to build trust with customers and business partners, setting the company apart from competitors. In an increasingly digital world, where cyberattacks are becoming more frequent, strong cybersecurity is a crucial factor for business success.
Overall, the NIS2 Directive presents significant challenges but also numerous opportunities to enhance cybersecurity and strengthen competitiveness. With careful planning and implementation of the required measures, companies can meet the new standards while simultaneously optimizing their security strategies.
Conclusion
The NIS2 Directive marks a significant step forward in the development of the EU’s cybersecurity landscape. It challenges companies to significantly enhance their security measures and meet the new, stricter requirements. Although implementation involves considerable costs and resource investment, it also offers the opportunity to elevate cybersecurity to a new level.
By implementing an Information Security Management System (ISMS) according to ISO 27001, companies can respond systematically and effectively to the NIS2 requirements. This measure not only strengthens protection against cyberattacks but also aids in meeting legal requirements and avoiding substantial fines. The reporting obligations and participation in information sharing further promote collaboration and knowledge exchange between companies and authorities, contributing to a stronger cybersecurity posture across the EU.
The introduction of personal liability for executives and higher fines underscores the urgency and importance of the NIS2 Directive. Companies must therefore ensure they take the necessary steps to comply with regulations in a timely manner. This requires careful planning and early implementation to meet the new standards by the October 18, 2024 deadline.
In conclusion, the NIS2 Directive is not just a legal obligation but also an opportunity to optimize cybersecurity strategies and build trust with customers and business partners. Companies that proactively address the new requirements can increase their resilience to cyber threats and gain a competitive advantage. In a world where digital security is becoming increasingly crucial, compliance with the NIS2 Directive is a decisive step toward ensuring long-term success and security.