NIS 2: Enhancing cybersecurity in the EU
The strengthened NIS directive is a wake-up call for digital security in Europe. It highlights the need for proactive measures against cyber threats.

The latest report by Germany’s Federal Office for Information Security (BSI) has made it clear that cybersecurity must remain a major focus in the coming year. The cyber threat level is higher than ever, affecting both businesses and public authorities. A step towards improved security is the revised NIS Directive, originally set to take effect in October 2024.
Why NIS 2?
The NIS 2 Directive (short for Network and Information Security Directive) builds on the existing NIS 1 Directive. It is not an entirely new regulation but a refinement of its predecessor. The revision reflects the need for a higher level of cybersecurity and improved resilience against cyberattacks, as threats have intensified across Europe in recent years.
NIS 1, in place since 2016, aimed to strengthen cybersecurity, establish minimum security requirements for networks and information systems, and promote collaboration among EU member states. It also required member states to develop national cybersecurity strategies and set up Computer Security Incident Response Teams (CSIRTs).
What does NIS 2 entail?
The original deadline for implementation was 17 October 2024, but Germany has missed this target. The directive is now expected to come into force by March 2025.
NIS 2 expands the scope of organisations it applies to, categorising them into three groups:
Critical infrastructure sectors (KRITIS): Includes energy, transport, finance/insurance, healthcare, drinking water/wastewater, food, IT and telecoms, space, and waste management.
Essential entities: Organisations in sectors such as energy, transport, finance/insurance, healthcare, IT and telecoms, space, and drinking water.
Important entities: Encompasses sectors such as food production, manufacturing, digital services, chemicals, and research.
Essential entities include organisations with more than 250 employees, over €50 million in annual revenue, and a balance sheet exceeding €43 million. Certain exceptions apply: for telecom providers, for example, the employee threshold is lower, at 50 employees.
Important entities are defined as organisations with more than 50 employees or annual revenue and a balance sheet exceeding €10 million.
Key measures required by NIS 2:
Risk analysis and management
Incident management and response
Crisis and business continuity management
Supply chain security
Secure IT system development and maintenance
Cryptography usage policies
Personnel security
Access management
Secure communication
Incident reporting to authorities
Notification of customers about significant incidents
What happens if measures are not implemented?
It’s essential to critically assess your organisation’s current cybersecurity practices and use the time before October effectively. Are you encrypting data transmissions? Are sensitive personal data adequately protected, both at rest and in transit? Can you fully track your supply chain, including partners and vendors?
If the answer to any of these is no, immediate action is necessary. The risk of falling victim to a cyberattack has never been greater, making preparation crucial.
Beyond the threat of cyberattacks, non-compliance with the directive could result in fines of up to €10 million or 2% of global annual revenue. Germany’s draft legislation also includes the possibility of personal liability for executives, who could face penalties affecting their private assets.
Conclusion
NIS 2 represents a significant step towards bolstering cybersecurity across the EU. It serves as a reminder that the digital world brings both opportunities and risks and that ensuring security is a shared responsibility affecting us all.