Cybersecurity has become much more important in recent years, particularly due to the increasing digitalisation and networking of systems. Against this backdrop, the European Union has introduced the NIS2 Directive to strengthen overall cybersecurity in the EU. This article provides an overview of the impact of the NIS2 Directive and shows how our NIS2 Readiness Assessment identifies vulnerabilities and areas for action.
What is NIS2?
The extended European directive NIS2 (Network and Information Security Directive 2) regulates the cyber and information security of companies and institutions in 18 critical sectors. The NIS2 Directive was published in the EU Official Journal on 27 December 2022 and came into force on 16 January 2023. The EU member states must transpose it into national law by October 2024. In Germany, a draft bill from the Federal Ministry of the Interior on implementation was published in July 2023, known as the NIS-2 Implementation and Cyber Security Strengthening Act (NIS2UmsuCG).
Companies and organisations must address issues such as the resilience of critical infrastructure. The NIS2 Directive also extends the scope of application and introduces stricter liability rules for the management of the organisations concerned. Violations can result in high fines.
NIS2 survey: Where do you stand, where is there a need for action?
The survey is an indicator of the perception and implementation of NIS2. Where do the companies concerned stand and where is there a need for action? Survey participants will receive the analysis on request.
Objectives of the NIS2 Directive
Improving cyber security: Networks and information technology systems are to be protected against cyber attacks by implementing security measures.
Protection of critical infrastructure: Particularly sensitive areas such as energy, transport, health and finance are to be protected against cyber threats in order to ensure the stability and functionality of these systems. Suppliers of these critical infrastructures are also affected.
Companies must therefore take measures to ensure their resilience to cyber attacks. These measures must be chosen in such a way that the risks are controlled and the effects of security incidents are prevented or minimised. The size of the organisation, the extent of risk exposure and the likelihood of security incidents occurring must be taken into account.
The 5 focal points of NIS2
Affected companies
Companies that employ at least 50 people and/or have an annual turnover/balance sheet total of at least €10 million and are active in one of the 18 sectors listed in the NIS2 Directive are affected by the NIS2 Directive.
Annex I and Annex II of the NIS2 Directive specify which “type of organisation” is affected for each sector. The decisive factor is therefore whether you correspond to one of the types of organisation listed therein.
Distinction between essential and important entities
The NIS2 Directive distinguishes between essential and important entities. Essential entities are large entities with high criticality, such as operators of critical infrastructure, telecommunications service providers, etc., while important entities include medium-sized entities regardless of their criticality.
Increased liability
The NIS2 Directive provides for an extension and tightening of liability. Fines of up to ten million euros or two per cent of annual turnover, whichever is higher, can be imposed on essential entities. Fines of up to seven million euros or 1.4 per cent of annual turnover, whichever is higher, can be imposed on important entities.
An important note: According to the draft of the Federal Ministry of the Interior, the management bodies of companies are liable for compliance with risk management measures with their private assets, whereby the upper limit of this liability is 2 per cent of the company’s worldwide annual turnover.
Obligations for affected companies
- Registration: According to the NIS2 Directive, affected companies are obliged to register. The registration centre is the Federal Office for Information Security (BSI). Companies must identify themselves independently and register within a period of 3 months after the directive comes into force. However, the BSI reserves the right to register companies itself if they do not fulfil this obligation.
- Reporting obligation: Affected companies have a reporting obligation in the event of security incidents. The central reporting centre is also the BSI. An initial report must be submitted within 24 hours of a security incident. This report must be updated within 72 hours. The BSI can request interim reports. After 30 days, affected companies must submit a detailed description of the incident, including information on the severity, impact, causes and corrective measures taken.
- Governance: The management of the affected companies is obliged to approve the risk management measures. They are liable for damages in the event of a breach of duty. They are also obliged to carry out mandatory cyber security training.
- Duty to inform: The BSI provides operational advice on early warnings in connection with security incidents. It can also order the notification of customers in the event of security incidents and demand remedial measures in specific sectors. The BSI also has the right to order the publication of a security incident in order to inform the public appropriately.
These obligations ensure that affected companies respond proactively to security incidents and take the necessary measures to strengthen cyber security and minimise potential damage.
Our offer: The NIS2 Readiness Assessment
If you want to ensure that your organisation meets the requirements of the NIS2 directive, now is the time to act. Our NIS2 Readiness Assessment offers you the opportunity to take a close look at your cyber security measures. Concrete and specific questions lead you to a well-founded self-assessment. The result is presented in the form of a heat map that clearly shows existing deficits and gives you a clear overview of the current status of your cyber security. Following the assessment, we develop recommendations for action to eliminate potential weaknesses. Take the opportunity to proactively improve your company’s security and prepare yourself for the challenges of the digital world.
Conclusion
The NIS2 Directive is an important step by the European Union to strengthen cyber security and protect critical infrastructures from cyber threats. Affected companies must familiarise themselves with the requirements of the directive and take appropriate measures to ensure the security of their networks and information technology systems.
Our readiness assessment helps you to identify vulnerabilities in order to fulfil the requirements securely and efficiently.