5.12.2022
Reading time 5 minutes

NIS2 – The EU’s Newest Regulatory Endeavor in Cybersecurity

Cybersecurity has become a prominent topic on the political agenda of the European Union (EU) as well as of its Member States, such as Germany. As a result, the EU is actively publishing and revising lots of legislation, including DORA, CRA, DSA, etc. Its newest addition is the Directive on measures for a high common level of cybersecurity across the Union (NIS2).

What is the NIS-Directive and what is NIS2?

NIS2 is a revised version of the existing Network and Information Security Directive (NIS-Directive), which lays out criteria for identifying operators of critical infrastructures and defines information security requirements for them. This means that entities that meet certain thresholds, such as supplying many citizens with electricity, are considered systemically relevant and must therefore fulfill certain legal requirements. As digitalization constantly progresses, the NIS-Directive has been reviewed by the EU since its initial publication, and a new version – NIS2 – will be published soon.

What are the key changes of NIS2?

The key requirements of the NIS-Directive remain intact: entities subject to NIS2 must comply with extensive information security requirements, which in practice means having to maintain an information security management system (ISMS).

Some of the key changes to be introduced by NIS2 include:

  • More and new sectors are covered by the scope of NIS2, which means that more entities will have to comply with the Directive and with the subsequent national regulations that will be published in the years to come.
  • NIS2 introduces a size-cap rule, which means that entities that are at least medium-sized enterprises and that fall within the dedicated sectors are now subject to NIS2.
  • Sanctions and penalties are significantly increased, up to a maximum of EUR 10 million or 2% of total annual global turnover.
  • Entities are responsible for their entire information security supply chain.
  • The European cyber crisis liaison organisation network (EU-CyCLONe) will be created, which will be responsible for the coordination of major cyber security incidents and the exchange of information between Member States and EU institutions.

Which companies are impacted by NIS2?

Two key criteria determine which entities fall within the scope of NIS2:

  1. The entity size: all enterprises that are at least medium-sized enterprises are subject to NIS2. Enterprises that employ fewer than 50 persons and whose annual turnover and/or annual balance sheet total does not exceed EUR 10 million are excluded from the scope. Therefore, all enterprises larger than that and active in the sectors mentioned in point 2 will be subject to NIS2.
  2. The sector: all medium-sized or larger enterprises considered as essential or important entities are subject to NIS2:

Essential entities include enterprises in the following sectors:

  • Energy
  • Transport
  • Banking
  • Financial market infrastructure
  • Health
  • Drinking water
  • Waste water
  • Digital Infrastructure
  • ICT-service management (B2B)
  • Public administrations
  • Space

Important entities include enterprises in the following sectors:

  • Postal and courier services
  • Waste management
  • Manufacture, production and distribution of chemicals
  • Food production, processing and distribution
  • Manufacturing
  • Digital providers
  • Research

Of course, certain exceptions exist, whereby enterprises either fall within the scope of NIS2 regardless of their size or are entirely exempt from it.

What does the EU Regulation mean for German companies?

As NIS2 is an EU Directive, it must be transposed into national law in all Member States of the EU. It is not a Regulation, such as the General Data Protection Regulation (GDPR), which is directly applicable in all Member States. This means that Member States will have 21 months to incorporate the provisions into their national law after NIS2 has been officially published by the EU. As a result, Germany will have to adapt existing regulations or publish new ones in the field of cybersecurity. Currently, the IT-Sicherheitsgesetz 2.0 and the KRITIS-Verordnung are among the national laws that govern information security requirements for operators of critical infrastructures. It may therefore be expected that within the next 2 years either existing laws will be amended or new laws will be published to incorporate the requirements of NIS2 into national specifications. The exact obligations for entities that will be subject to the coming legislation will become apparent then.