NIS-2 Directive

What is the NIS-2 Directive?

The European Union’s NIS-2 (Network and Information Security) Directive is an extension of the original NIS Directive from 2016. The aim is to strengthen the cyber security of companies and organizations in the EU, in particular through more uniform standards and clear responsibilities. NIS-2 takes into account the growing threats posed by cyberattacks and the increasing dependence on digital services. The directive extends the scope and tightens the requirements to increase the resilience of critical infrastructures.

Which companies are affected by the NIS 2 Directive?

The directive addresses two categories of organizations:

  1. Essential facilities: Companies in sectors such as energy, water, transportation, healthcare, financial services and digital infrastructure that are essential to the functioning of society and the economy.
  2. Important facilities: Companies in sectors such as the manufacture of chemical products, waste management, postal services and food production whose failure could have a significant economic or social impact.

In addition, the directive covers all companies that:

  • Employ more than 50 people,
  • Have an annual turnover or an annual balance sheet total of more than 10 million euros,
  • Or are classified as “critical”.

What obligations arise from the NIS 2 Directive?

Companies must implement comprehensive measures to improve cyber security:

  1. Information security management system (ISMS): Introduction or adaptation of an ISMS in accordance with standards such as ISO 27001 or BSI IT-Grundschutz.
  2. Risk management: Regular risk analyses to identify and eliminate security gaps.
  3. Reporting obligations: Security incidents that could have a significant impact must be reported immediately to the relevant authorities – usually within 24 hours of becoming aware of them.
  4. Training courses: Raising employee awareness and regular cybersecurity training.
  5. Responsibilities: The management is responsible for compliance with the directive.

When does the NIS 2 Directive come into force?

The directive has been in force since January 16, 2023 and must be transposed into national law by the EU member states by October 17, 2024. In Germany, this will be done through the NIS2 Implementation Act, which will regulate the exact requirements and penalties.

What are the consequences of non-compliance?

The sanctions are significantly stricter compared to the original NIS Directive:

  • Essential facilities: Fines of up to €10 million or 2% of annual worldwide turnover.
  • Important facilities: Fines of up to €7 million or 1.4% of annual worldwide turnover.

In addition, sanctions such as exclusion from public tenders or publication of violations may be imposed.

How can companies determine whether they are affected?

Companies should carry out a self-assessment based on the criteria defined in the directive. The German Federal Office for Information Security (BSI) provides tools for this, such as the NIS-2 impact assessment. Cooperation with specialized consultants or lawyers can help to clarify uncertainties.

What measures should companies take now?

  1. Analysis of the current situation: Inventory of existing security measures and identification of gaps with regard to NIS 2 requirements.
  2. Setting up an ISMS: If not already in place, companies should introduce an ISMS or adapt existing systems.
  3. Risk management: Regular assessment of cyber risks and implementation of preventive measures.
  4. Establishment of reporting processes: Definition of clear processes for reporting security incidents to the relevant authorities.
  5. Involve top management: Top management should be involved in the cyber security strategy as they are legally responsible.
  6. Documentation: Complete documentation of all measures for compliance with the NIS 2 directive in order to be prepared in the event of an audit.

The NIS 2 directive sets new standards in cyber security and increases the pressure on companies to implement appropriate protective measures. By preparing early and adapting existing security concepts, companies can not only ensure compliance but also improve their resilience to cyber attacks in the long term.