NIS2 - The SECJUR Guide to the EU's Cyber Resilience Strategy
June 8, 2023
In this article, we will explain:
- The innovations introduced by the NIS2 Directive compared to its predecessor, NIS1.
- Under what conditions companies can be affected by the NIS2 Directive and which sectors require special protection.
- The information security requirements that may apply to your company as part of the NIS2 Directive.
What is NIS2?
The NIS2 Directive (Directive (EU) 2022/2555) is the successor to the existing Network and Information Security (NIS) Directive. Like its predecessor, it defines how operators of essential services are identified and sets minimum information security requirements for them; unlike its predecessor, it does so with a uniform, EU-wide scope.
The aim of the NIS Directive is to protect important industries and services from internet threats, such as hacker attacks. In this context, facilities that meet the thresholds defined in the directive must meet certain legal requirements. For example, power and water utilities, as well as banks, are considered essential since they provide services to a large number of citizens. The corresponding companies must take appropriate measures to make their systems and networks more secure in accordance with the new directive.
Because digitalization keeps advancing, the EU revises the NIS Directive periodically. The new version, NIS2, was presented by the European Commission on December 16, 2020 as a proposal for a directive on measures for a high common level of cybersecurity across the Union. It was adopted two years later, in December 2022 (see the timeline below).
Objective of NIS2 - making the EU more resilient
Cybersecurity has become an increasingly urgent topic on the political agenda of the European Union (EU) and its member states, including Germany. The vulnerability of infrastructures has become evident in recent years due to hacker attacks.
As a result, the EU actively publishes and revises a variety of legislation. The latest addition is the NIS2 Directive, which includes additional measures to ensure a high level of cybersecurity across the Union. However, the goal of creating a unified level of information security for network and information systems is not new and has been an important concern of the EU for some time.
NIS1 - A Big Step for European Cybersecurity
In 2016, the EU introduced its first cybersecurity directive, the currently applicable NIS Directive, also known as NIS1. It was created in response to the growing threat landscape and the heightened demands for IT security in Europe. The directive contains binding provisions for protecting the systems of so-called "operators of essential services" (OES), and lighter obligations for digital service providers. Operators of essential services are of particular importance to society because they provide services in sectors such as energy supply, healthcare, and transportation.
The NIS Directive is part of the European cybersecurity strategy aimed at strengthening cyber resilience in the EU and is now considered one of the most important European regulations in the field of cybersecurity. Critical infrastructure operators are obliged by the directive to comply with defined minimum standards with the goal of maintaining the protection of their systems and networks. As a result, extensive information security requirements must be met, making an Information Security Management System (ISMS) necessary and beneficial for companies.
NIS2 - Enforcing Cyber Resilience for a Broader Range of Companies
In 2021, the first readings and debates on the draft NIS2 Directive took place. During this phase, representatives from various European countries had the opportunity to analyze the draft and discuss their positions. These debates were crucial as they helped shape the direction and content of the final directive.
In June 2022, a provisional agreement was reached between the European Parliament and the Council of the European Union. This compromise took into account the different viewpoints and interests to arrive at a common solution. This agreement marked a significant milestone in the implementation of the NIS2 Directive. Finally, on December 14, 2022, the NIS2 Directive was officially signed, cementing its binding nature and paving the way for its implementation in the EU member states. Just a few days later, on December 27, 2022, the NIS2 Directive was published, making it accessible to the public.
A Milestone in European Cybersecurity
The publication of the NIS2 Directive represents a significant milestone in the development of cybersecurity in Europe. With its comprehensive provisions and measures, the directive aims to enhance the resilience and protection of critical infrastructures and digital services in the EU. It establishes requirements for companies and authorities to assess risks, implement appropriate security measures, and respond to security incidents.
The NIS2 Directive entered into force on January 16, 2023. From that date, Germany and the other EU member states have 21 months, until October 17, 2024, to transpose the new rules into national law. This means that existing German laws must be adapted to the new legal framework or new laws must be enacted. The changes are expected to affect the IT Security Act 2.0 and the Critical Infrastructure (KRITIS) Regulation, both of which currently regulate, among other things, IT security for operators of critical infrastructures in Germany. The existing NIS1 Directive is repealed with effect from October 18, 2024, but affected companies should already be taking action now.
NIS2 - Strict Requirements for Companies in the EU
The "Size-Cap Rule"
The NIS2 Directive introduces several innovations compared to NIS1, aimed at harmonizing and strengthening cybersecurity across the European Union. One significant change is the "size-cap rule," which redefines the scope of application. Under NIS1, each member state identified operators of essential services individually, which led to very different coverage from country to country. Under NIS2, every entity that is at least medium-sized and operates in one of the listed sectors is in scope automatically, with the same logic applied in all member states. This ensures a coherent approach to identifying and protecting these important facilities throughout the EU.
Cybersecurity Risk Management
Another central element of the NIS2 Directive is cybersecurity risk management. Article 21 of the directive lists the minimum measures that in-scope entities must implement:
- policies on risk analysis and information system security
- incident handling
- business continuity, including backup management, disaster recovery, and crisis management
- supply chain security, including the security of relationships with direct suppliers and service providers
- security in the acquisition, development, and maintenance of network and information systems, including vulnerability handling and disclosure
- policies and procedures to assess the effectiveness of the risk management measures
- basic cyber hygiene practices and cybersecurity training
- policies and procedures on the use of cryptography and, where appropriate, encryption
- human resources security, access control policies, and asset management
- the use of multi-factor authentication or continuous authentication, and secured voice, video, and text communications as well as secured emergency communication systems where appropriate
Through these measures, companies and authorities are expected to identify risks early, implement appropriate security measures, and respond effectively to security incidents.
State-of-the-Art Technical and Organizational Measures (TOM)
The NIS2 Directive also calls for technical, operational, and organizational measures (TOM) in line with the state of the art. The measures must be appropriate and proportionate to the risk and follow an all-hazards approach, i.e. they must also cover non-cyber causes of outages such as physical damage or power failures. In practice, this means that companies and authorities must keep track of current technological developments and adapt their security measures accordingly to protect their digital infrastructures and services.
Another important aspect is the reporting obligations for significant incidents. The NIS2 Directive defines a three-stage process: an early warning must be submitted to the CSIRT or the competent authority within 24 hours of becoming aware of the incident; an incident notification, including an initial assessment of severity and impact and any available indicators of compromise, must follow within 72 hours of becoming aware of it; and a final report is due no later than one month after the incident notification. Intermediate status updates may be requested by the authority in the meantime. These reporting obligations are intended to improve transparency and coordination in responding to cybersecurity incidents.
The NIS2 Directive also introduces substantially higher fines. For essential entities, member states must provide for fines of up to at least EUR 10 million or 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher. For important entities, the maximum is at least EUR 7 million or 1.4% of total worldwide annual turnover, whichever is higher. These stricter penalties are intended to encourage companies and authorities to take cybersecurity seriously and to treat potential violations accordingly.
The NIS2 Directive brings a range of significant innovations aimed at improving cybersecurity in the European Union. By harmonizing standards, strengthening risk management, introducing reporting obligations, and increasing fines, the NIS2 Directive creates a more comprehensive and effective framework for protecting critical infrastructures and digital services.
The goal of NIS2 is to further raise the level of cybersecurity for critical infrastructure throughout the EU and to protect in-scope entities from threats such as hacker attacks. NIS2 therefore addresses the current challenges of cybersecurity, with particular consideration for the increasing digitization of services and the proliferation of Internet of Things (IoT) devices. The objective is to improve resilience and responsiveness so that critical infrastructures and digital services in both the public and private sectors, and the EU as a whole, are protected and continue to function even in times of crisis.
NIS2 - Which companies are directly affected by NIS2?
If your company falls within the scope of the NIS2 Directive, it must comply with the provisions implemented as binding law in the national implementing regulations of the NIS2 Directive.
This entails stricter requirements for companies. Companies must engage with topics such as cyber risk management, monitoring and control, incident response, and business continuity. With the introduction of the NIS2 Directive, the number of industries and sectors affected has expanded. Furthermore, the NIS2 Directive introduces a "size-cap" rule, which states that companies that are at least medium-sized and fall under the specific sectors are now subject to the NIS2 Directive.
As a result, the number of companies required to comply with the directive and subsequent national regulations, which will be published in this and the coming year, has increased.
1. Company Size:
Companies that are at least medium-sized within the meaning of EU Recommendation 2003/361, i.e. that have at least 50 employees, or whose annual turnover and annual balance sheet total both exceed EUR 10 million, may fall within the scope of the NIS2 Directive.
2. Company Sector:
The second key point is the sector in which a company operates. The NIS2 Directive now lists eleven "sectors of high criticality" (Annex I) and seven "other critical sectors" (Annex II).
If your company meets the size criterion and operates in one of the following sectors, it is subject to the NIS2 Directive.
Sectors of high criticality (Annex I):
- Energy
- Transport
- Banking
- Financial market infrastructure
- Health
- Drinking water
- Wastewater
- Digital infrastructure
- ICT service management (B2B)
- Public administration
- Space
Other critical sectors (Annex II):
- Postal and courier services
- Waste management
- Manufacturing, production, and distribution of chemicals
- Food production, processing, and distribution
- Manufacturing
- Digital providers
- Research
Wastewater, ICT service management (B2B), public administration, and space are new sectors in Annex I compared to NIS1. All Annex II sectors except digital providers, which NIS1 already covered under a lighter regime, are new. Whether a company is an "essential entity" or an "important entity" depends on both sector and size: large entities in the Annex I sectors are essential entities, while medium-sized Annex I entities and, as a rule, all entities in the Annex II sectors are important entities. Important entities face lower maximum fines and are only subject to reactive (ex post) supervision by the authorities, whereas essential entities are supervised proactively (ex ante and ex post).
Regardless of size and revenue, certain companies are included in the scope of the NIS2 Directive anyway, for example if they are the sole provider of a service essential for critical societal or economic activities in a member state, if a disruption of their service could significantly affect public safety, public security, or public health, or if it could pose a systemic risk or have cross-border effects. Certain providers such as DNS service providers, TLD name registries, and qualified trust service providers are also in scope irrespective of their size. Conversely, a company may be exempt from the NIS2 Directive under certain exceptions, for instance where it operates exclusively in the areas of national security, defence, or law enforcement.
NIS2 - The Implications for Companies
If your company meets the criteria described above, stricter requirements for your information security will soon apply. These include rules and procedures for handling security incidents as well as time-critical reporting and notification obligations.
Additionally, there is a need for:
- Conducting a risk assessment to identify and evaluate potential attacks and information security risks.
- Implementing an Information Security Management System (ISMS) so that security measures are monitored regularly and kept up to date.
- Being able to demonstrate these measures to the competent authorities, which can request evidence and order security audits.
- Informing and training employees on information security matters.
Operating an effective, ongoing risk management process is therefore mandatory, and the management bodies of the company are responsible for approving the measures and overseeing their implementation.
Implementing NIS2 with an ISMS - making Compliance Easier and Faster
The most effective way to meet the requirements is by implementing a comprehensive Information Security Management System (ISMS).
The gold standard for an ISMS is ISO/IEC 27001. Building an ISMS according to this internationally recognized standard is a complex undertaking that should not be underestimated. SECJUR's automated compliance platform, however, makes this process significantly easier and faster.
With an ISMS built on SECJUR, you can achieve ISO 27001 certification quickly and avoid the time-consuming manual work that would otherwise be required.
Conclusion: SECJUR Information Security Experts on NIS2
The introduction of the NIS2 Directive is of crucial importance for the European Union as it provides an effective response to the growing challenges of cybersecurity. It is important to remember that cyberattacks can cause not only financial damage but also undermine the trust of citizens in our digital society.
The EU demonstrates its readiness to act unitedly in order to ensure the security of our digital infrastructure.
In a time when our society increasingly relies on digital technologies, the NIS2 Directive is a milestone towards a resilient and secure digital future. By raising the standards for cybersecurity, it protects not only our critical infrastructure but also the stability of our society.
If you want to meet the stringent information security requirements of the NIS2 Directive with an automated ISMS in your company, SECJUR can help you implement it.
SECJUR stands for a world where companies are always compliant, but never have to think about compliance. With the Digital Compliance Office, companies automate time-consuming work steps and achieve compliance standards such as GDPR, ISO 27001 or TISAX® up to 50% faster.
Automate and streamline your compliance processes with our Digital Compliance Office