New cybersecurity standards: What the NIS 2 Directive means for companies in the EU
Christian Lipp >> 10 July 2024

NIS-2 is the updated version of the original NIS (Network and Information Systems) Directive from 2016. This new directive aims to improve the security of networks and information systems in the European Union. It sets higher cybersecurity standards for businesses and covers more industries and organizations than before.
The NIS 2 Directive (EU 2022/2555) entered into force in the EU in early 2023. Member States must implement these standards through national laws. In Germany, this will be done through the NIS2 Implementation Act (NIS2UmsuCG), which is expected to apply from October 17, 2024.
Who is affected?
IMPORTANT!
Authorities such as the Federal Office for Information Security (BSI) do not provide information on whether a company is affected by NIS-2. Each company must determine this itself based on certain criteria.
A company is affected if it both exceeds certain thresholds for headcount or annual turnover/annual balance sheet total and operates in one of the listed sectors.
Thresholds:
Particularly important facilities:
- Operators of critical infrastructure (KRITIS operators)
- Special facilities such as domain and DNS services, qualified trust services and major telecommunications providers
- Establishments with more than 250 employees, OR with both more than EUR 50 million annual turnover and more than EUR 43 million annual balance sheet total, from the sectors listed in Annex 1 to the NIS 2 Directive
Key facilities:
- Special facilities such as trust services and smaller telecommunications providers
- Establishments with more than 50 employees, OR with both more than EUR 10 million annual turnover and more than EUR 10 million annual balance sheet total, from the sectors listed in Annex 1 and Annex 2 to the NIS 2 Directive
Here are some examples of key facilities affected:
- Health sector: clinics, larger medical practices and laboratories
- Financial sector: banks, insurance companies and payment service providers
- Transport and traffic: airports, railway operators, logistics companies
- Utilities: energy suppliers, water and waste management companies
- Digital infrastructure: data centers, internet exchanges, cloud service providers
Service providers and suppliers of a company affected by NIS-2 may also be required to meet NIS-2 compliant security standards. This matters for risk and supply chain management, since the security of digital infrastructure and data depends on the whole chain.
What measures need to be implemented?
Companies must take various security measures to protect their networks and information, including:
- Risk analysis and security for information systems
- Managing security incidents
- Maintenance and recovery, backup management, crisis management
- Supply chain and facility-to-facility security, service provider security
- Security in development, procurement and maintenance
- Vulnerability management
- Cybersecurity assessment and risk management
- Training in cybersecurity and cyber hygiene
- Cryptography and encryption
- Personnel security, access control and facility management
- Multi-factor authentication and continuous authentication
- Secure communication (voice, video and text)
- Secure emergency communication
Reporting obligations
NIS-2 also tightens the reporting requirements for security incidents. Companies must submit an initial report to the Federal Office for Information Security (BSI) within 24 hours of becoming aware of an incident, and a detailed report within 72 hours of becoming aware of it. A final report is required within one month, containing a detailed description of the incident, the nature of the threat and any cross-border impact.
Sanctions
If the requirements are not met, essential entities may be fined up to 10 million euros or 2 percent of their annual worldwide turnover, whichever is higher. In addition, the directors may be held personally liable.
NIS-2 and the NIS2UmsuCG are crucial steps for Germany to improve cybersecurity and meet the requirements of the EU directive. Companies must be aware of this new reality and take appropriate measures to protect their systems and ensure compliance.
National laws implementing NIS-2 are still under development and details may vary. For more details, please see the following links:
- NIS 2 Directive
- Current draft bill NIS2UmsuCG