What is NIS2? Everything you need to know about the EU cybersecurity directive
The NIS2 Directive is an EU directive that strengthens the cyber resilience of European member states and companies through stricter rules. It covers the implementation of security measures for improved IT protection, as well as security checks and fast reporting channels for cybersecurity incidents.
What is the NIS2 Directive?
The European Union’s NIS2 Directive aims to improve resilience against cybersecurity threats in the essential and important entities of the member states. The abbreviation NIS2 stands for “Network and Information Security 2”. The directive entered into force on January 16, 2023 and succeeds the original NIS Directive (EU) 2016/1148, which had already prompted a shift in how organizations approach IT security; the old directive was formally repealed with effect from October 18, 2024, the day after the transposition deadline.
To ensure maximum protection in both the private and public sectors of EU member states, the new NIS2 Directive introduces more comprehensive and stricter rules for a wider target group. In this way, the new rules are intended to ensure greater cyber resilience and more effective action against cybersecurity threats and security breaches. NIS2 also aims to ensure that essential institutions that supply the population with vital goods or services are protected against outages and disruptions in the event of a crisis.
The main objective of NIS2 is to better prepare companies against cyberattacks and to respond efficiently and quickly to IT disruptions. A more consistent security strategy in the EU member states should therefore create the highest possible cybersecurity at both national and international levels in the EU area. All member states must transpose the directive into national law, which affects large companies and small and medium-sized enterprises that fall under the new regulations.
What does the NIS2 Directive change?
In Germany, the directive is transposed by the NIS2 Implementation and Cybersecurity Strengthening Act (NIS2UmsuCG). The changes are far-reaching: 18 sectors are now in scope, more than twice as many as under NIS1, the catalog of fines for non-compliance has been tightened, and managing directors are personally accountable for compliance.
In Germany, Spain, Italy and France, for example, the NIS2 Directive will affect thousands of companies. Estimates vary: in Germany, as many as 40,000 companies are expected to need to comply with the new requirements, in Italy around 50,000. In Spain, approximately 25,000 companies are expected to fall under the directive, while in France over 10,000 entities will be affected.
Here’s an overview of all the changes brought about by the NIS2 Directive:
- Expansion of the scope: NIS2 brings 18 sectors into scope, split into sectors of high criticality (Annex I) and other critical sectors (Annex II).
- Stricter penalties: The directive significantly increases fines for violations.
- Executive responsibility: Management bodies now carry direct, personal responsibility for cybersecurity compliance.
- Extended area of application: NIS2 applies to medium-sized and large entities in the listed sectors, that is, those with at least 50 employees or an annual turnover or balance sheet total above 10 million euros, and to certain entities regardless of size (for example DNS service providers, top-level domain name registries, trust service providers and public administration).
- Need for comprehensive risk analyses: Companies have a duty to carry out and document thorough risk analyses.
- Required risk and security management: Article 21 prescribes a minimum set of risk-management measures, including incident handling, backup management and disaster recovery, supply chain security, vulnerability handling, access control, cryptography and multi-factor authentication. The directive does not prescribe specific products; the measures must be proportionate to the entity’s risk exposure and size.
- Obligatory incident handling and crisis management: Rapid and effective crisis management procedures, communication channels and reporting processes are required for security incidents.
- Use of existing security standards: Companies can use established security standards from regulated industries as a reference when designing their measures.
- Typical technical measures that follow from these obligations: protection against ransomware, regular malware scanning, and automated backups with tested file recovery.
Who is affected by the NIS2 Directive?
NIS2 distinguishes between “essential” entities (an expanded version of the operators of essential services under NIS1) and the new category of “important” entities. Medium-sized and large organizations in the listed sectors are in scope, that is, those with at least 50 employees or an annual turnover or balance sheet total above 10 million euros; certain entities are covered regardless of size if their failure would pose a systemic risk. Whether an entity is essential or important depends on both its sector and its size: large entities in the eleven sectors of high criticality (Annex I), which include the classic critical infrastructure operators vital to government and society, are essential, while medium-sized entities in those sectors and entities in the seven other critical sectors (Annex II) are important. Essential entities face stricter, proactive supervision and higher fines.
Essential sectors and companies
- Energy
- Water supply
- Transport
- Banking
- Financial market infrastructures
- Healthcare
- Space
- Wastewater
- Public administration
- Digital infrastructure
- ICT service management (B2B)
Important sectors and companies
- Postal and courier services
- Waste
- Chemical industry
- Food supply
- Digital service providers
- Industry (processing / manufacturing)
- Research (optional)
What obligations apply to companies?
As part of NIS2, companies are subject to strict obligations and significant changes. The paragraph references below are to the German NIS2UmsuCG; the corresponding provisions of the directive itself are Articles 20 to 23, 27 and 32 to 34. The obligations include:
Obligations | Measures |
---|---|
Risk management and business continuity management (§30, 31) | Risk analysis, incident handling, business continuity with backup management and disaster recovery, supply chain security, vulnerability handling, cyber hygiene and training, policies on cryptography and encryption, access control and asset management, and multi-factor authentication are mandatory. The measures must be proportionate to the entity’s risk exposure, size and the likely impact of an incident; the size thresholds (the “size-cap” rule) decide who is in scope, not how little an entity may do. |
Reporting and notification obligations (§32, 35) | Significant incidents must be reported in stages: an early warning within 24 hours of becoming aware of the incident, an incident notification with an initial assessment of severity and impact within 72 hours, and a final report within one month of the incident notification. The authorities may request intermediate status reports in between. |
Registration obligations (§33, 34) | Affected entities, and in particular domain name and digital infrastructure providers, must submit their registration details to the competent authority no later than three months after they first fall within scope. Where an entity does not register itself, the registration can also be carried out by a CSIRT (Computer Security Incident Response Team). |
Approval, monitoring and training obligations for managing directors (§38) | Delegating security measures to subordinates is no longer sufficient. Management must approve the risk-management measures, oversee their implementation and attend cybersecurity training itself. |
Supervisory and enforcement measures (§61, 62) | Supervision rests with the national competent authority (in Germany the BSI), which works alongside the national CSIRT. Essential entities are supervised proactively, including audits and requests for evidence, while important entities are supervised reactively once there are indications of non-compliance. Under the German act, the authority may request evidence of compliance at the earliest three years after it comes into force; measures can be ordered immediately in the event of imminent danger. |
In order to comply with your obligations as an affected company at an early stage, you should carry out the following measures:
- Gap analysis (as-is versus target state): Check whether you fall within the scope of NIS2, determine the current state of your company’s cyber resilience and identify areas for improvement.
- Implementation: Risk analysis and security concepts must be introduced for all information systems.
- Evaluation: The effectiveness of your company’s own risk management methods should be reviewed regularly.
- Creation: Developing a concept for dealing with security incidents is obligatory.
- Backup and crisis management: Measures for data backup and crisis management must be implemented.
- Reporting system: An effective reporting system for security incidents should be established.
- Training: Employees must be trained regularly.
- Security of the supply chain: Security in the supply chain must be ensured.
What happens if NIS2 is not implemented?
Companies that do not implement the prescribed measures can expect substantial fines (§65): under Article 34 of the directive, up to 10 million euros or 2 % of global annual turnover for essential entities, and up to 7 million euros or 1.4 % of global annual turnover for important entities, whichever is higher. The supervisory authorities are given comprehensive supervisory, control and instruction powers, including the enforcement of deadlines. In addition, managing directors assume significantly more responsibility for protection and security measures and can be held personally liable in the event of violations or negligence (§38, §61).
When does the NIS2 Directive come into force?
On December 14, 2022, the European Parliament and the Council adopted Directive (EU) 2022/2555, known as the NIS2 Directive. It amends the eIDAS Regulation (EU) No. 910/2014 and the European Electronic Communications Code, Directive (EU) 2018/1972, and repeals the original NIS Directive (EU) 2016/1148. It entered into force on January 16, 2023 and had to be transposed into national law by all EU member states by October 17, 2024; the original NIS Directive ceased to apply on October 18, 2024.
Different national authorities lead the implementation of the directive. In France, ANSSI (National Agency for Information System Security) is leading the implementation and has launched Mon Espace NIS 2, a digital service that supports entities in implementing the directive. The BSI (Federal Office for Information Security) is the competent authority in Germany, and in Spain the National Cryptologic Centre, through its CERT (CCN-CERT), oversees cybersecurity measures and compliance with the new directive.