NIS-2-Directive: A milestone for cyber security in Europe
The most important points in brief
- The management is responsible for implementing the measures required by NIS 2, must be trained accordingly and is personally liable for culpably caused damage.
- The European NIS 2 Directive stipulates the implementation of a risk-based information security management system (ISMS).
- In Austria and Germany, no NIS 2 implementation laws have yet been passed, but draft laws are available for review.
- Medium-sized and large companies in many sectors are now affected, such as industry, research, food, chemicals, waste, postal services and many more.
- There are obligations towards the national designated authority, e.g. to register, report incidents or provide data as part of audits.
What is the NIS-2-Directive?
The European Parliament and the Council have adopted a new directive to protect critical infrastructures: Directive (EU) 2022/2555, known as the NIS 2 Directive, on measures for a high common level of cybersecurity across the Union.
Background and aim of the directive
Failure of production facilities due to targeted manipulation or ransomware, theft of sensitive data and security threats due to deactivation of IT-supported quality assurance systems are just a selection of possible cyber-attacks and their impact on companies. With the new NIS 2 Directive, the cybersecurity of critical infrastructures in the EU is given special relevance by creating uniform cybersecurity requirements for network and information systems in the EU member states.
NIS 2 vs. predecessor NIS-Directive
The predecessor NIS Directive focused primarily on building up resources, capacities and cybersecurity expertise in the member states. NIS 2 now specifies the requirements in order to achieve a uniform level of cybersecurity in the member states. The sectors and institutions affected are also defined.
Key points of the NIS-2-Directive
The NIS-2-Directive increases the requirements and obligations for the implementation of cybersecurity at affected companies. Cybersecurity risk-management measures are mandatory. The risk analysis and the resulting technical, operational and organizational measures must be proportionate to the entity's risk exposure, size and business activity. Supply chain security must be part of the risk management, and processes for crisis communication and business continuity must be developed and established within the company.
One requirement of NIS 2 is the involvement of management: the management body must approve and oversee the risk-management measures, and regular attendance at cybersecurity training is mandatory. There is also an obligation to report significant cybersecurity incidents to the responsible Computer Security Incident Response Team (CSIRT) or competent authority in stages: an early warning within 24 hours of becoming aware of the incident, a detailed incident notification within 72 hours, and a final report within one month.
Implementation challenges
Implementation in Austria was planned in the National Network and Information Security Act 2024 (NISG 2024). Open questions about the responsibilities of a new government and the bundling of cybersecurity responsibilities in one ministry led to the rejection of the draft law in parliament (as of July 2024). This gives the 5,000 to 6,000 Austrian companies affected more time for implementation. Transposition of the NIS 2 Directive has been postponed to the following year and is expected in a National Network and Information Security Act 2025 (NISG 2025).
In Germany, the new directive faces other challenges. The EU’s NIS-2-Directive is also intended to serve as a “regulation of essential principles of information security management in the federal administration”. Critics of the NIS 2 refer to exemptions for state administrations and the need for a better combination with the KRITIS umbrella law. A clarification of the role of the Federal Office for Information Security (BSI) is also called for here.
Why is the NIS 2 directive so important?
Critical infrastructures are particularly exposed to cyberattacks due to their complexity and large number of interfaces. Since cyberattacks affect the entire supply chain – from production facilities, manipulation of logistics or cash register systems to the theft of customer data – a constant evaluation of supply chain security is necessary in order to identify potential vulnerabilities at an early stage.
Who has to implement NIS 2? Which companies are affected?
To achieve Europe-wide cyber resilience, around 160,000 companies across Europe must implement the NIS 2 requirements. Whether an entity is in scope is determined by its sector (one of the 18 sectors listed in Annexes I and II of the directive), its size and any country-specific thresholds.
Difference: essential vs. important entity
In order to reduce the likelihood of a successful cyberattack, NIS 2 places corresponding requirements on companies. Companies have to determine for themselves whether they fall under “essential entities” or “important entities” and must then register with the competent authority in the respective country; the national draft laws foresee a deadline of 3 months after the law comes into force. Whether a company counts as an “essential entity” or an “important entity” is determined by the sector to which it belongs (Annex I or Annex II) in combination with its size.
The EU differentiates between the two types of entity in terms of company size, supervision and sanctions: essential entities are subject to proactive supervision and higher fines, important entities to reactive supervision after indications of a breach. The substantive risk-management and reporting obligations do not differ between essential and important entities.
Essential entities are positioned in sectors with high criticality (Annex I of NIS 2); “/” means the directive defines no subsector:
Sector | Subsector
--- | ---
Energy | Electricity; district heating and cooling; oil; gas; hydrogen
Transport | Air; rail; water; road
Banking | /
Financial market infrastructures | /
Health | /
Drinking water | /
Waste water | /
Digital infrastructure | /
ICT service management (B2B) | /
Public administration | /
Space | /
Important entities belong to the other critical sectors (Annex II of NIS 2); “/” again means no subsector is defined:
Sector | Subsector
--- | ---
Postal and courier services | /
Waste management | /
Manufacture, production and distribution of chemicals | /
Production, processing and distribution of food | /
Manufacturing | Medical devices and in vitro diagnostic medical devices; computer, electronic and optical products; electrical equipment; machinery and equipment n.e.c.; motor vehicles, trailers and semi-trailers; other transport equipment
Digital providers | /
Research | /
Large, medium-sized or small companies?
Medium-sized and large companies from a total of 18 sectors are obliged to take cybersecurity measures under the new legislation. The size classes follow the EU definition of micro, small and medium-sized enterprises (Commission Recommendation 2003/361/EC). Entities in the high-criticality sectors of Annex I count as “essential entities” if they are large, i.e. from the following size:
- ≥ 250 employees, or
- > EUR 50 million annual turnover and > EUR 43 million balance sheet total
All other entities in scope count as “important entities”: medium-sized entities in Annex I sectors and medium-sized or large entities in Annex II sectors, i.e. from the following size:
- ≥ 50 employees, or
- > EUR 10 million annual turnover and > EUR 10 million balance sheet total
Small and micro enterprises (fewer than 50 employees and an annual turnover or balance sheet total of at most EUR 10 million) are generally not affected, with a few exceptions. Regardless of size, the NIS 2 requirements apply, for example, to providers of public electronic communications networks or services, trust service providers, TLD name registries and DNS service providers. Small companies may also be indirectly affected if they act as a service provider or supplier for directly affected companies, because those companies must manage the security of their supply chain and will pass requirements on to them.
Possible sanctions and consequences of non-compliance
Avoiding the financial consequences of non-compliance is a strong argument for affected companies to implement NIS 2. Violations can include, for example, incomplete transmission of evidence, late notification of authorities and affected customers in the event of a significant security incident, or non-cooperation with national authorities after an initial suspicion of a breach.
In the event of breaches of the NIS 2 Directive, members of management bodies can be held personally liable. The fines depend on the entity category. For “essential entities”, they amount to up to EUR 10 million or 2% of total worldwide annual turnover, whichever is higher. Authorities can also order corrective measures and appoint a monitoring officer.
For “important entities”, fines of up to EUR 7 million or 1.4% of total worldwide annual turnover, whichever is higher, can be imposed. Violations of NIS 2 can also result in reputational damage with subsequent loss of revenue. Furthermore, authorities can request information on the status of incident handling or order the restoration of systems. Access to premises can also be demanded in the event of an initial suspicion of a security incident, and non-cooperation is additionally sanctioned.
Impact of the NIS-2-Directive
The NIS-2-Directive has far-reaching effects on various areas, including companies, the economy and society.
Businesses
Around 160,000 companies in the member states must meet increased cybersecurity requirements and implement stricter measures. Proactive implementation of cybersecurity standards strengthens the market position and the trust of customers and partners. The larger number of requirements reduces security risk through higher demands on employees and company processes, but at the same time increases compliance risk: sanctions for non-compliance may follow. Affected companies must invest in new technologies and employee training.
Economy
Increased resilience follows the implementation of cyber security measures. The harmonization of the European single market strengthens the resilience of critical infrastructures against cyber-attacks. In addition, early prevention of cyber-attacks offers increased protection against economic damage.
Society
Society benefits from the protection of critical infrastructures such as electricity and water supply and healthcare. Protecting the sensitive data of each individual strengthens trust in digital infrastructures. In the event of a cyberattack, supply can be secured through established processes, e.g. in the supply chain, and restored quickly in the event of a failure.
Recommendation and next steps for affected companies
The implementation of the NIS 2 requirements provides the foundation for sustainably successful corporate cybersecurity. The first step is to determine whether and in which category the company is in scope and to identify the resulting mandatory requirements. Based on this, individual measures tailored to the organization and its business activities can be defined, such as the establishment of an ISMS aligned with ISO/IEC 27001.
Conclusion
Investments in cyber security are investments in the future viability of companies. NIS 2 offers the opportunity to prioritize cyber security and integrate it into existing business processes in order to be prepared for the increasing number of cyber-attacks worldwide. The implementation of NIS 2 offers companies from critical infrastructures the opportunity of a secure and trustworthy positioning for suppliers, employees and end customers. EFS Consulting supports with extensive project experience in the further development of best practices and individualized solutions with a sense of proportion for your cyber security.