- Published on: 04.11.2024
NIS 2 Directive: The Most Important Facts About the Cyber Security Regulation
Prepare your company optimally for the new legislation and minimize potential risks
With the adoption of the new Network and Information Security Directive (NIS 2), companies and organizations across Europe face significant challenges. In Germany alone, around 40,000 companies are affected. NIS 2 was passed in December 2022 and, according to the EU deadline, was to be transposed into national law by October 17, 2024. However, transposition is delayed in several countries, including Germany. Companies should urgently use the extra time to continue preparing for the new requirements so that they achieve NIS 2 compliance on time and avoid penalties.
In this article, we delve into the key questions and NIS 2 directive requirements, discussing how companies can effectively prepare for the new guidelines and safeguard themselves against potential risks.
What is NIS 2 and Why Is It Important?
NIS 2 (Network and Information Security Directive 2) is an advancement of the original NIS directive, which has been in effect across Europe since 2016. Its aim is to ensure a high, unified level of cybersecurity across Europe. This is particularly important as cyber threats and attacks on companies and critical infrastructure have surged significantly in recent years. Unified standards like the NIS 2 directive ensure that Europe does not become an easy target for such attacks.
Companies falling under the NIS 2 directive are required to implement numerous measures to protect their digital infrastructures. These include implementing cyber risk management, business continuity management, and introducing multi-factor authentication (MFA). A key concern is that executives and managers could face personal liability if the directive requirements are not implemented correctly.
NIS 2: Who Is Affected?
In Germany, companies with more than 50 employees or an annual turnover or balance sheet total of more than 10 million euros are affected. Additionally, the directive on network and information security applies to specific areas of critical and digital infrastructure, such as transportation, energy supply, and telecommunications, regardless of company size. Overall, this affects an estimated 25,000 to 40,000 organizations and companies in Germany.
What Are the Key Updates of NIS 2?
The new NIS 2 requirements cover multiple aspects of corporate management and IT security, with a primary focus on cyber risk management. The directive stipulates ten specific measures that companies must implement to protect themselves against potential risks and cyber threats. Another crucial point is governance. Company management is now directly responsible for approving and overseeing the necessary security measures. In cases of violations, executives can be held personally liable, which places significant pressure on leadership.
In addition, the reporting obligations have been tightened. Companies must register themselves with the relevant authorities and report security incidents within specified deadlines.
How Can Companies Successfully Implement NIS 2?
Implementing NIS 2 is a complex process that requires thorough preparation. Companies that are already certified under ISO 27001 have a significant advantage. This certification covers many of the measures required by NIS 2, including cyber hygiene, incident management, supply chain security, and cryptography. For these companies, implementing NIS 2 is therefore less labor-intensive and costly.
To achieve compliance with NIS 2, companies must take the following steps:
- Assessment of compliance with ISO 27001: Companies should evaluate the extent to which their existing IT security infrastructure meets the requirements of ISO 27001. This standard covers many of the measures required by NIS 2 and can provide a solid foundation for implementation.
- Identifying gaps: In the next step, gaps between the existing measures and the NIS 2 requirements must be identified.
- Creating an implementation plan: Based on this analysis, companies should develop a plan for how to implement the necessary measures and close any existing gaps.
- Implementing the plan within the company: Once the plan is established, the necessary measures must be implemented within the company. This includes technical adjustments and training for employees.
- Support from service providers in operational implementation: External service providers can assist with implementation – either through full or partial support in operational activities.
Support for Implementing NIS 2: How MHP Can Help You
The new NIS 2 requirements are demanding and can pose significant challenges for companies, especially small and medium-sized enterprises. In many instances, leveraging external expertise is essential for the effective implementation of these complex regulations. Our cybersecurity experts at MHP offer tailored strategic and technical support. We assess the relevance of NIS 2 for your company, identify gaps in your current security infrastructure, and collaboratively develop a customized implementation plan that ensures you meet all requirements on time. Rely on our experience to successfully implement NIS 2 in your organization.
Conclusion: Act Now and Strengthen Cybersecurity in the Long Term
NIS 2 represents a significant expansion of the existing network and information security directive and affects tens of thousands of companies in Germany. Companies should begin implementing the new requirements early to avoid potential fines and liability risks, as well as to enhance their overall IT security. Companies with ISO 27001 certification have a clear advantage here, as they have already implemented many of the required measures. A systematic approach and professional consultation can greatly facilitate the implementation process and help companies meet the NIS 2 requirements on time.
FAQ
What is the difference between the original NIS directive and NIS 2?
The essential difference between the original NIS directive (2016) and NIS 2 lies in the expansion of requirements and the increase in compliance obligations. NIS 2 raises the level of cybersecurity through stricter security requirements, expanded reporting obligations, and a broader definition of affected companies. While NIS primarily focused on large companies in critical sectors, NIS 2 expands its scope to include small and medium-sized enterprises, as well as businesses from the digital economy. Furthermore, NIS 2 stipulates direct liability for management, meaning that executives can be held personally accountable for non-compliance.
Which companies are affected by NIS 2?
NIS 2 targets a significantly larger group of companies than the original NIS directive. It applies to all companies with more than 50 employees or an annual turnover of more than 10 million euros, regardless of their industry. Additionally, the directive applies to companies that operate critical and digital infrastructures, such as energy suppliers, telecommunications companies, healthcare providers, and companies in the transportation and logistics sectors.
What penalties apply for non-compliance with NIS 2?
The penalties for non-compliance with NIS 2 are significant. Companies that fail to implement the requirements on time or do not report security incidents can face substantial fines. These fines can reach up to 10 million euros or 2 % of the global annual turnover – whichever amount is higher. Additionally, company management can be held personally liable for violations, increasing the pressure on companies to consistently improve their IT security measures.
When does NIS 2 come into force?
The EU deadline for transposing NIS 2 into national law was October 17, 2024; however, transposition is currently delayed in several countries, including Germany. Despite this delay, companies should use the time to prepare for the new requirements early on. The directive is complex and requires comprehensive adjustments in IT security, risk management, and compliance. Those who start implementing NIS 2 early on can avoid penalties and liability risks.