The NIS 2 Directive, which came into force on January 16, 2023, is a comprehensive revision of the original NIS Directive and aims to raise the level of cybersecurity across the European Union significantly. The new directive, which member states must apply from October 17, 2024, considerably widens the scope of application and sets stricter security requirements for companies and organizations. Check now whether your company is subject to the requirements and read the key information in this article to prepare accordingly.
NIS 2 Directive: Relevance and background
As networking and digitalization within the European Union progress, the risk of cyberattacks grows with them. To counter these threats, the EU has adopted the NIS 2 Directive (Directive (EU) 2022/2555), which expands and modernizes the original NIS Directive of 2016. The directive, named after "Network and Information Security (NIS)", was published in the Official Journal of the EU on December 27, 2022 and came into force on January 16, 2023. It sets new standards for the cyber and information security of companies and institutions. EU member states must transpose the directive into national law by October 17, 2024.
In Germany, the Federal Ministry of the Interior has had a draft bill for implementation since July 2023, the NIS-2 Implementation and Cyber Security Strengthening Act (NIS-2-Umsetzungs- und Cybersicherheitsstärkungsgesetz, NIS2UmsuCG). The new rules will significantly increase the number of companies affected. In addition, stricter requirements will be placed on these companies, and enforcement pressure will rise through the threat of higher fines and personal liability at management level.
Who is affected by the NIS 2 Directive?
The NIS 2 Directive distinguishes between "essential entities" (in the German draft: "particularly important entities") and "important entities". The main practical difference is that important entities are subject to lower maximum fines and to reactive supervision (authorities act on evidence of non-compliance), while particularly important entities are supervised proactively. Nationally defined thresholds no longer decide who is covered; instead, a uniform size-cap rule applies throughout the EU. Medium-sized and large companies in the listed sectors will be subject to regulation:
- Medium-sized: 50 to 249 employees, or an annual turnover of more than 10 million and up to 50 million euros, or a balance sheet total of more than 10 million and up to 43 million euros
- Large: at least 250 employees, or more than 50 million euros annual turnover and more than 43 million euros balance sheet total
This considerably extends the scope of application in Germany.
For operators of critical infrastructure (KRITIS), whether a company is covered will continue to be determined by specific thresholds, while for particularly important and important entities the sector, turnover figures and number of employees will be the main determining factors. The NIS 2 Directive covers a wider range of industries and sectors than its predecessor: in addition to essential entities such as energy suppliers and healthcare services, digital service providers and product manufacturers are now also affected.
Legal obligations and penalties under the NIS 2 Directive
The NIS 2 Directive entails far-reaching, mandatory actions for companies and public institutions in the EU. Here is an overview of the most important legal obligations:
- Extended reporting obligations
Companies must submit an early warning of significant security incidents to the relevant authorities within 24 hours of becoming aware of them, a more detailed incident notification with an initial assessment of severity and impact within 72 hours, and a final report within one month. These stricter reporting obligations are intended to enable a faster response to cyber threats.
- More comprehensive security measures
The directive obliges companies to implement more extensive measures to protect against cyber attacks and to regularly review their effectiveness. This includes:
- the development and implementation of policies on risk analysis and information security,
- the implementation of business continuity management (BCM) and
- carrying out regular risk analyses and security tests such as penetration tests.
- Self-assessment and registration
Affected companies must classify themselves and register with the competent authority. This requires precise knowledge of their own business activities and of the relevant sector and size thresholds.
The NIS 2 Directive also provides for significantly stricter sanctions for breaches of obligations:
For particularly important entities and operators of critical infrastructure
- Fines of up to 10 million euros or
- up to 2 percent of the total worldwide annual turnover, whichever amount is higher.
For important entities
- Fines of up to 7 million euros or
- up to 1.4 percent of the total worldwide annual turnover, whichever amount is higher.
These penalties are modelled on the sanctions of the EU General Data Protection Regulation (GDPR) and underline the importance the EU attaches to cybersecurity.
Important: According to the draft of the Federal Ministry of the Interior, the management bodies of companies will be personally liable, with their private assets, for compliance with the risk management measures. The upper limit for this liability corresponds to two percent of the company's global annual turnover.
Practical implementation of the NIS 2 Directive
Implementing the NIS 2 Directive gives companies the opportunity to improve their cyber security comprehensively and to arm themselves against growing threats. To implement the directive, companies should:
- identify critical services, systems and components,
- implement comprehensive risk management,
- carry out regular security audits and tests,
- develop and test incident response plans and
- train employees regularly and raise their awareness of the topic.
According to a study by PwC, 30 percent of the companies surveyed have already suffered data losses costing millions as a result of cyber attacks. Proactive implementation of the directive can therefore not only avoid legal consequences, but also avert considerable economic damage.
Proactive security strategies: Companies are increasingly moving away from reactive security measures towards proactive approaches that combine prevention, detection and defense. This development is being driven by the growing need for more comprehensive security solutions and the increasing complexity of cyber threats.
Cybersecurity: Future trends and developments
Governments around the world are developing comprehensive cybersecurity strategies to strengthen digital sovereignty and protect infrastructure. These strategies include collaboration between government, industry and academia, as well as the development of regulations to label synthetic content. The future of cybersecurity will be shaped by several significant trends and developments that present both opportunities and challenges for companies and individuals.
Artificial intelligence and machine learning: Artificial intelligence (AI) and machine learning are playing an increasingly important role in cyber security. These technologies enable faster and more precise detection of threats and support the automation of security processes. However, cybercriminals are also using AI to develop more sophisticated attacks, which underlines the need for a balanced and responsible use of AI in cybersecurity.
Zero Trust Architecture (ZTA): Zero Trust Architecture is another important concept that is gaining momentum. This security strategy assumes that threats exist both inside and outside the network and therefore requires continuous verification and authentication of users and devices before access to resources is granted.
Quantum computing: Quantum computing poses a potential threat to existing encryption methods because a sufficiently large quantum computer could efficiently solve the mathematical problems that underlie today's public-key cryptography, in particular integer factorization and discrete logarithms, on which RSA and elliptic-curve schemes rest; symmetric ciphers and hash functions are affected far less. This requires the development and migration to quantum-resistant (post-quantum) cryptography to protect future IT infrastructures.
Conclusion and outlook:
Overall, it is clear that cybersecurity is a dynamic field that requires continuous adaptation and innovation in order to counter constantly evolving threats effectively. It is to be expected that the NIS 2 Directive and its national implementation will continue to evolve over the coming years to meet new threats.
Companies should therefore stay up to date and continuously adapt their security strategies. They should also see implementation as an opportunity to review and improve their security measures. Early and thorough preparation is crucial in order to meet the requirements and to benefit from the long-term advantages of improved cyber security.
Our recommendation
NIS 2 Directive and NIS2UmsuCG
Arm yourself against cybercrime and secure a place on our "NIS 2 Directive and NIS2UmsuCG" training now. It focuses on a compact analysis and discussion of the current legal situation.