The NIS2 Directive (Network and Information Security Directive 2) is a revised version of the original NIS Directive, which was adopted by the EU in 2016. The aim of this directive is to optimize cybersecurity in the European Union by introducing stricter requirements and rules for the protection of critical infrastructures (CRITIS) and important facilities. The NIS2 Directive goes far beyond its 2016 predecessor by expanding the circle of affected companies and institutions and prescribing stricter obligations to ensure IT security. It was adopted in response to increasing threats from cyberattacks and IT disruptions and aims to harmonize the cybersecurity level across EU member states. Not least, current geopolitical developments are making NIS2 increasingly important!

Why was the NIS2 Directive introduced?

The NIS2 Directive was introduced due to increasing threats in cyberspace, particularly for operators of critical infrastructure and companies that are important for general security of supply in Europe. Given the global increase in cyberattacks, especially on particularly important facilities such as energy providers or healthcare facilities, the need to revise the existing NIS Directive became clear. NIS2 aims to address these vulnerabilities and create a legal framework that can effectively counter both national and cross-border cybersecurity threats. In addition to improving cybersecurity, NIS2 also serves to create a unified legal framework within the EU that should counteract the varying cybersecurity levels in member states.

Timeline and important deadlines of the NIS2 Directive

The NIS2 Directive was adopted by the European Parliament and the Council of the European Union on December 14, 2022, and came into force on January 16, 2023. From this date, a 21-month implementation period began for EU member states. Member states must transpose the directive into national law by October 17, 2024 and publish the corresponding laws, regulations, and administrative provisions. The new regulations will then be applicable from October 18, 2024. For companies, this means they must comply with the requirements of the NIS2 Directive by this deadline at the latest. However, it is advisable to start preparations early, as implementing comprehensive cybersecurity measures can take time. Additionally, affected companies must register with the competent authorities within 12 months after the national implementation laws come into force. It is therefore recommended that companies immediately conduct an impact analysis and create a detailed implementation plan to meet the deadlines.

Significance of the NIS1 Directive

  1. Unified Legal Framework:
    The NIS1 Directive created the first unified legal framework for cybersecurity in the EU in 2016.
  2. Critical Infrastructure:
    It defined basic security requirements for operators of critical infrastructure and digital services.

Extension of NIS2

  1. More sectors affected:
    The NIS2 Directive now covers more industries and facilities, including the healthcare sector and energy supply.
  2. Stricter requirements:
    Companies and institutions must implement stricter measures for risk management and cybersecurity.

NIS1 vs. NIS2

  1. Scope:
    NIS1: Limited to certain operators of essential services and digital service providers
    NIS2: Extended to 18 sectors, medium-sized enterprises, and digital service providers
  2. Reporting obligations:
    NIS1: Reporting of significant incidents
    NIS2: Stricter reporting obligations with shorter deadlines (24h for early warning)
  3. Risk management:
    NIS1: General requirements
    NIS2: More detailed and stricter requirements, including supply chain security
  4. Sanctions:
    NIS1: Determined by member states
    NIS2: Harmonized minimum penalties in the EU (up to €10 million or 2% of annual turnover)
  5. Supervision:
    NIS1: Different approaches in member states
    NIS2: Harmonized approach with proactive supervision for particularly important facilities
  6. Responsibility:
    NIS1: Focus on organizational level
    NIS2: Stronger emphasis on management responsibility

Which companies and institutions are affected by NIS2?

The NIS2 Directive significantly expands the circle of affected companies. While the NIS1 Directive mainly targeted operators of critical infrastructure such as energy providers, water and transport infrastructure, NIS2 extends its scope to 18 sectors. Companies with 50 or more employees or annual revenue of at least 10 million euros operating in these sectors must now comply with NIS2 requirements. These sectors include energy, healthcare, transport, finance, and food supply. Companies in digital infrastructure, such as cloud service providers and data centers, also fall under NIS2 regulations.

Affected Sectors

The NIS2 Directive affects a total of 18 critical sectors that are considered particularly vulnerable to cyberattacks. Companies and institutions in these sectors must meet the security requirements set out in the directive. The affected sectors include not only traditional critical infrastructure but also digital services and other industries that play an essential role in the social and economic life of the EU. These sectors are clearly defined in Annexes I and II of the NIS2 Directive and include a variety of actors that differ both in their nature and size. The most important ones are listed below:

  1. Energy sector:
    Companies that produce, distribute, or store electricity, natural gas, and oil, including operators of charging points for electric mobility.
  2. Transportation:
    Air traffic, rail transport, shipping, road transport, and operators of intelligent transport systems.
  3. Banking and financial market infrastructures:
    Credit institutions and operators of trading venues as well as central counterparties.
  4. Healthcare:
    Hospitals, healthcare facilities, and facilities that manufacture critical medicines or medical devices.
  5. Drinking water and wastewater management:
    Companies that supply drinking water or treat and dispose of wastewater.
  6. Digital infrastructure:
    Cloud service providers, DNS service providers, data center operators, and internet exchange points.
  7. Public administration:
    Central and regional public administrations that provide critical administrative services.
  8. Postal and courier services:
    Companies providing postal and courier services.
  9. Waste management:
    Facilities responsible for the collection, disposal, or treatment of municipal or industrial waste.
  10. Production and trade in chemical substances:
    Companies that manufacture, process, or trade in chemical substances.
  11. Food production and processing:
    Wholesalers and industrial food manufacturers that are crucial for supplying the population.
  12. Manufacturing industry:
    Companies involved in the manufacture of electrical equipment, vehicles, mechanical engineering, and medical devices.

These sectors play a key role in the European economy and society. Attacks on these areas can have serious impacts on daily life, which is why NIS2 focuses on them in particular. Companies from these sectors must ensure that they implement the prescribed cybersecurity measures to protect their networks and information systems.

What obligations arise from the NIS2 Directive?

The NIS2 Directive introduces a series of new and expanded obligations for companies that differ significantly from the previous NIS1. Companies falling within the affected sectors must not only implement technical and organizational security measures but also take a proactive role in reporting and managing security incidents. These obligations affect both internal IT systems and the entire supply chain. Companies must categorize themselves, implement a series of security measures, and work closely with the relevant authorities. Management responsibility is brought more into focus, as executives can be held personally liable for violations.

  1. Self-classification and registration:
    Companies must classify themselves into one of two categories: "Important Entity" or "Essential Entity". Different requirements for supervision and reporting obligations apply depending on the classification. Registration with the national supervisory authority, such as the Federal Office for Information Security (BSI), must take place within three months of self-classification.
  2. Implementation of risk management:
    Companies must establish a comprehensive risk management system focused on the security of network and information systems. Technical, operational, and organizational measures must be taken to detect potential security incidents early and respond appropriately. Risk management must correspond to the "state of the art" and be regularly updated to address new threats in cyberspace.
  3. Supply chain security measures:
    Companies are obligated to ensure security throughout their entire supply chain. This means that IT security precautions of suppliers and business partners are also subject to stricter requirements. Companies must make contractual agreements to ensure their partners maintain the required security standards.
  4. Proof of cybersecurity:
    Companies must be able to provide evidence of their cybersecurity measures to the supervisory authority at any time. This may include regular audits, security checks, and penetration tests. Essential entities are also subject to proactive supervision, where checks can be carried out without specific cause.
  5. Reporting obligations for security incidents:
    Security incidents that have significant impacts on a company's services must be reported to the competent supervisory authority within 24 hours. Furthermore, companies must submit a detailed report within 72 hours after the incident regarding the causes, impacts, and measures taken to mitigate the incident.
  6. Management liability:
    NIS2 places special emphasis on management responsibility. Executives are required to monitor compliance with cybersecurity requirements and ensure proper implementation of measures. In case of violation, managers can be held personally liable, which can result in high financial penalties and legal consequences.

The new obligations are comprehensive and affect virtually every aspect of corporate management regarding cybersecurity. Particularly small and medium-sized enterprises, which previously had less stringent requirements, must now make significant efforts to meet the requirements. It is therefore essential that affected companies start implementing measures early and allocate appropriate budgets and resources for IT security. The proactive approach of NIS2 is intended to ensure that potential threats can be identified and prevented early before they cause significant damage.

How is NIS2 implemented into national law?

The NIS2 Directive is an EU-wide legislation that must be implemented into national law by member states by October 2024. In Germany, NIS2 will come into force through the "NIS2 Implementation and Cybersecurity Strengthening Act" (NIS2UmsuCG). The Bundestag and Federal Cabinet are currently working on the final version of this law, which will transpose the new requirements of the EU directive into national law. In the meantime, companies and institutions affected by NIS2 must already begin implementing the security requirements, as the timeframe until the legal deadline is very tight.

Structure of national implementation

The implementation of NIS2 into national law varies from country to country. In Germany, the responsibility lies with the Federal Government, particularly the Federal Office for Information Security (BSI). This will be the central supervisory authority for NIS2 and will monitor compliance with the new requirements. Companies must demonstrate their security measures according to BSI guidelines and undergo regular audits.

Sanctions for violations

Violations of the NIS2 Directive can be punished with substantial fines. These penalties can amount to up to 10 million euros or 2% of global annual turnover, depending on the severity of the violation. Lower penalties apply to important entities, though fines in the millions are still possible here. Essential entities are subject to proactive supervision by the BSI, while important entities are monitored reactively.

What role does cybersecurity play in NIS2?

Cybersecurity is the central theme of the NIS2 Directive. The goal is to significantly improve network and information security in the EU while increasing resilience against cyberattacks. Companies must not only secure their internal IT systems but also ensure security throughout the supply chain. Due to the cross-border nature of cyber threats, close cooperation between member states and their authorities is necessary to take effective measures against cyberattacks.

Increasing the cybersecurity level

NIS2 requires companies to regularly evaluate and improve their cybersecurity measures. This includes implementing an Information Security Management System (ISMS) and conducting employee training to ensure "cyber hygiene." The goal is to harmonize and increase the cybersecurity level across the EU.

Cross-border cooperation

Since cyber threats don't stop at national borders, NIS2 promotes close cooperation between member states. National authorities are encouraged to share information about threats and develop joint measures to defend against cyberattacks. This cooperation should ensure that the EU as a whole is prepared against threats from cyberspace.

How is NIS2 implemented in practice?

The practical implementation of the NIS2 Directive presents a significant challenge for many companies and requires a holistic approach to cybersecurity. Here are the most important steps and considerations for effective implementation:

Important implementation steps

  1. Impact analysis and gap analysis:
    • Conducting a detailed analysis to determine if the company falls under NIS2
    • Identification of relevant business areas and critical services
    • Assessment of current cybersecurity level compared to NIS2 requirements
    • Identification of gaps and improvement potential
  2. Development of a cybersecurity strategy:
    • Creation of a comprehensive cybersecurity strategy aligned with NIS2 requirements
    • Definition of clear objectives, responsibilities, and timelines
    • Involvement of management to ensure necessary support and resources
  3. Implementation of an Information Security Management System (ISMS):
    • Introduction or adaptation of an ISMS according to recognized standards like ISO 27001
    • Integration of risk management processes
    • Development and implementation of security policies and procedures
  4. Technical measures:
    • Implementation of modern security technologies (e.g., Next-Generation Firewalls, Intrusion Detection Systems)
    • Introduction of multi-factor authentication and encryption
    • Regular security updates and patch management
    • Implementation of backup and disaster recovery solutions
  5. Employee training and awareness:
    • Development and implementation of regular cybersecurity training programs
    • Raising awareness among all employees of cybersecurity risks and best practices
    • Special training for IT staff and executives
  6. Supply Chain Security:
    • Review and adjustment of contracts with suppliers and service providers
    • Conducting security audits of critical suppliers
    • Development of security standards for the entire supply chain
  7. Incident Response and Business Continuity:
    • Creation and regular updating of incident response plans
    • Conducting exercises to simulate cybersecurity incidents
    • Development and testing of business continuity plans
  8. Compliance and Reporting:
    • Establishment of processes to fulfill incident reporting obligations
    • Implementation of systems for recording and documenting security incidents
    • Regular internal audits to verify NIS2 compliance
  9. Continuous Improvement:
    • Establishment of a process for regular review and updating of security measures
    • Conducting penetration tests and vulnerability analyses in support of NIS2 compliance
    • Adaptation of security strategy to new threats and technological developments
  10. Cooperation with authorities and experts:
    • Building relationships with relevant authorities and CSIRTs
    • Participation in industry initiatives and information sharing platforms
    • Consulting external cybersecurity experts when needed

The implementation of the NIS2 Directive is a complex and ongoing process that requires substantial resources and commitment. Companies should start early and follow a structured approach to effectively meet the requirements and sustainably improve their cybersecurity.

Evidence and auditing

Affected companies must regularly provide evidence of the implementation of security measures. This evidence is reviewed by national supervisory authorities, such as the BSI. This includes both internal audits and examinations by external bodies. Companies must ensure that their measures are always up to date with the current state of technology and comply with legal requirements.

What does the NIS2 Directive mean for the future of cybersecurity?

The NIS2 Directive marks a decisive step in strengthening cybersecurity in Europe. It sets a new standard for protecting critical infrastructure and important facilities and ensures that companies and institutions are better equipped against cyber threats. Through the introduction of stricter security requirements, supervision by regulatory authorities, and the obligation to report security incidents, the general cybersecurity level in the EU will be significantly improved. In the future, it will be essential for companies to continuously adapt and expand their IT security measures to meet the increasingly complex threats from cyberspace.

Damian Strobel