What Companies Need to Know
Due to the increasing threats and the growing number of IT security incidents, the European Union published the second EU Directive on Network and Information Security (known as the NIS-2 Directive) in December 2022. This directive came into force on January 16, 2023, and must be implemented into national law by the EU member states by October 17, 2024. The goal of the NIS-2 Directive is to establish a high common level of cybersecurity across the EU, tighten the requirements of the previous NIS-1 Directive, and extend them to new sectors. Previously, in Germany, only Critical Infrastructures (KRITIS) were subject to binding regulations. With the implementation of NIS-2, large areas of the private sector, which were previously not legally required to act, will now be regulated for the first time.
What Does This Mean for Your Company?
The EU NIS-2 Directive includes 18 sectors of the economy that were previously not covered, which have been consolidated into 14 sectors in the German implementation of the directive (NIS2UmsuCG). These sectors are further subdivided, making a detailed evaluation of a company's business activities mandatory.
The annexes to the NIS-2 Directive further divide the sectors into "Essential" (particularly important) and "Important" sectors. The directive also lists factors such as the number of employees, revenue, and balance sheet total to determine the applicability of NIS-2.
| Sector | Classification according to Annex | Number of Employees | Revenue & Balance Sheet Total |
|---|---|---|---|
| Large Companies | Annex 1 | >250 | EUR 50 Mio. & EUR 43 Mio. |
| Mid-Sized Companies | Annex 1 and Annex 2 | >50 | EUR 10 Mio. & EUR 10 Mio. |
It is important to note that the size criteria are linked by an "or": a company falls into a size class if it exceeds either the employee threshold or the revenue and balance sheet thresholds. Small companies (<50 employees) are not considered under the upcoming law. However, as soon as the thresholds are exceeded, the requirements apply directly. Early implementation of cybersecurity measures is generally recommended.
Overview of Sectors and Potential Classifications
If a company is classified as large or at least mid-sized, it must be evaluated against the relevant sectors listed in the annexes. Federal administrations and various digital infrastructures (DNS, TLD, Cloud-DL, TSP) hold a special position: because of their critical nature they fall directly under the NIS-2 Directive regardless of their size.
| NIS-2 Annex | Sector | Essential Company | Important Company |
|---|---|---|---|
| Annex 1 | Energy | L | M |
| Annex 2 | | | L, M |
Measures and Obligations for Affected Companies
Companies that fall under the NIS-2 Directive must implement various measures and obligations, including:
- Risk Management
  Companies must implement comprehensive risk management measures to protect the goals of "availability," "confidentiality," and "integrity" with appropriate, proportionate, and effective technical and organizational measures, including:
  - State-of-the-art risk analysis: Regular assessment of the risks to which IT systems are exposed, considering the current threat landscape.
  - Incident management: Implementation of protocols for rapid response to and containment of security incidents (e.g., establishing a comprehensive Security Information and Event Management (SIEM) system connected to a Security Operations Center (SOC) that monitors and responds to incidents 24/7).
  - Backup and crisis management: Regular backups of critical data and development of continuity plans in case of a cyber incident (e.g., Disaster Recovery and Business Continuity Management measures to quickly restore operations after an attack).
  - Comprehensive vulnerability management: Monitoring of known vulnerabilities according to international standards and recommendation of appropriate countermeasures.
- Supply Chain Management
  Companies must ensure that their suppliers and partners also adhere to appropriate security standards, e.g., through:
  - Third-party verification: Regular security checks and audits of third-party IT security practices.
  - Contracts with security clauses: Including security requirements in contracts with suppliers and partners.
- Cryptography and Encryption
  Companies must use modern encryption techniques to ensure the confidentiality and integrity of sensitive data, including:
  - Encryption of sensitive data: Use encryption for stored data and during data transmission.
  - Key management: Secure management and storage of encryption keys.
- Multi-Factor Authentication (MFA)
  Implementation of MFA for access to all systems and data, typically using a combination of the four factors "knowledge," "possession," "inherence," and "location," which allows numerous implementation options.
- Reporting Obligations
  Companies must ensure that the obligation to report security incidents to the relevant authorities within the reporting deadlines is met, e.g., through:
  - Establishment of reporting procedures: Development of a process for reporting security incidents to ensure that all relevant information is communicated quickly and efficiently.
  - Regular training: Raising employee awareness of reporting obligations and training on handling security incidents. The initial report must be made within 24 hours, and additional measures to handle the incident must be adopted within 72 hours.
- Training Obligations for Management
  The management of a company must implement the measures or monitor their implementation and compliance. Executives must be trained regularly to stay up to date on cybersecurity, e.g., through:
  - Cybersecurity training: Regular training programs for executives to ensure they understand the latest threats and best practices.
  - Awareness campaigns: Conducting awareness campaigns throughout the company to promote a security culture.
Penalties for Non-Compliance
Violations of the NIS-2 Directive can result in substantial fines. These fines start in the low six-figure range (e.g., for failing to register with the Federal Office for Information Security, BSI) and can reach up to 10 million euros or 2% of annual turnover for essential entities, and 7 million euros or 1.4% of annual turnover for important entities. This is the first time that penalties comparable to those in data protection law have been legally established in information security.
Furthermore, it should be noted that senior executives can be held personally liable for gross negligence, specifically for non-compliance and for failing to support the risk management measures required under NIS-2, which can lead to fines and further legal consequences.
Recommendations for Action
- Check if the NIS-2 Directive is relevant for you and your company and if you are required to implement it.
- Verify if your company meets the NIS-2 Directive requirements.
- Implement risk management measures to comply with the required security measures and train your employees accordingly.
- Contact experts and seek assistance from specialized IT consultants to ensure your company meets the regulatory requirements.
With our Cyber Security services, we are your reliable partner to reliably meet regulatory requirements and proactively manage compliance risks. We have developed a NIS-2 Fit-Gap analysis that allows companies to easily obtain the necessary evaluation.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.