Guest article: NIS2 compliance – Practical steps for implementation

Cybersecurity has become a necessity for every business. Organizations of all sizes are potential targets for cyberattacks, which can have devastating consequences. The European Union has recognized the importance of cybersecurity and significantly tightened the requirements for companies in this area with the NIS2 Directive.

Are you aware of the NIS2 requirements for your business? In this guest article, Dr. Frank Schemmel, Senior Director of Privacy, Compliance & Public Affairs/Policy at DataGuard, provides practical tips for implementing the directive in your organization.

What is the NIS2 Directive?

The EU-wide legislation on network and information security (NIS2) aims to strengthen cybersecurity and resilience across the European Union. The directive sets out requirements and standards for implementing IT security policies and cybersecurity measures to mitigate the impact of cyber threats within EU member states.

By complying with the NIS2 Directive, organizations in the EU can enhance their cyber resilience against evolving threats. Implementing the guidelines outlined in NIS2 ensures a proactive approach to cybersecurity, protecting critical network and information systems.

Given the increasing interconnectivity of digital infrastructure, NIS2 plays a crucial role in fostering a secure cyberspace across various sectors. Companies and organizations in 11 essential (e.g., healthcare) and 7 important sectors (e.g., food supply and digital services) are therefore required to comply with the NIS2 requirements under the EU directive.

What are the key requirements of the NIS2 Directive?

Compliance with the NIS2 Directive involves several key requirements, including:

• Risk assessment and management

• Implementation of security measures

• Timely reporting of security incidents

• Development of business continuity and recovery plans

Adhering to the NIS2 Directive ensures that organizations maintain security standards in an ever-changing cyber landscape. Through comprehensive risk assessments and effective mitigation of potential threats, companies can proactively strengthen their defenses.

Timely reporting of security incidents is critical to minimizing the impact on customers, business partners, and society at large. It protects sensitive data and maintains the trust of customers and stakeholders. Additionally, developing robust business continuity and recovery plans ensures organizations can quickly recover from disruptions, reducing downtime and potential financial losses.

What are the consequences of non-compliance with the NIS2 Directive?

Failure to comply with the NIS2 Directive can result in severe consequences, including fines and sanctions, loss of customers, and missed business opportunities due to security incidents and violations. It is already evident that large international corporations are incorporating NIS2 compliance into their supplier codes of conduct, contractually obligating business partners to meet the directive's measures – even if they are not legally required to do so. Over time, market pressure will compel companies to adopt cybersecurity measures to secure partnerships and contracts.

Non-compliance with NIS2 requirements not only leads to financial and legal risks but also poses significant reputational risks. Companies that fail to prioritize compliance may suffer long-term damage to their public image, leading to a loss of customer trust and loyalty. Such violations can have far-reaching implications, hampering a company’s ability to attract and retain clients.

What steps are required under the NIS2 Directive?

Achieving NIS2 compliance involves several steps, including identifying critical infrastructures, conducting comprehensive risk assessments, implementing robust security measures, providing training and awareness programs for employees, reporting security incidents promptly, and developing business continuity and recovery strategies.

Identification of critical infrastructures and services

Identifying critical infrastructures and services is the first step toward NIS2 compliance, ensuring that key assets and processes are prioritized for cybersecurity measures.

Organizations must locate essential components whose disruption could have significant impacts on society, the economy, and national security. This process includes creating an inventory of interconnected systems and services crucial for daily operations and societal functioning.

Conducting a risk assessment

Conducting a holistic and organization-specific risk assessment involves analyzing various factors that could impact the security of critical infrastructure. By systematically evaluating these risks, organizations can derive tailored, risk-reducing measures and prioritize them to protect against potential cyber threats.

Implementing robust risk management strategies also enables continuous monitoring, mitigation, and rapid response to emerging risks, ensuring a proactive approach to cybersecurity.

Implementation of security measures

Implementing comprehensive security measures derived from the risk assessment is a crucial step in fulfilling NIS2 requirements, enhancing cyber resilience, and mitigating security risks.

Organizations should first address risks that pose the greatest overall threat to their critical assets and processes. Identified mitigation measures should be operationalized through processes and structures, and corresponding policies documented as part of good corporate governance. Proactive monitoring and regular security audits to assess the effectiveness of measures are integral to a comprehensive cybersecurity strategy and are also required by the NIS2 Directive.

Training and raising employee awareness

Training and awareness programs for employees are key steps under the NIS2 Directive to ensure staff understand cybersecurity expectations and best practices. Such training must be targeted and repeated regularly.

This equips the workforce with the knowledge needed to recognize potential threats and enables them to take proactive measures to protect sensitive company information.

Reporting security incidents

A central aspect of the NIS2 Directive is the timely reporting of security incidents, which enables quick responses and containment of cyber threats to minimize potential damage. The deadlines for reporting are strict and tiered:

• An initial report within 24 hours of a major security incident.

• A follow-up report within 72 hours detailing severity and impact.

• A progress or final report within one month, including root cause analysis, mitigation measures, and potential cross-border implications.

• Interim updates may be requested by the supervisory authority.

Germany’s Federal Office for Information Security (BSI) will provide a reporting mechanism and may require companies to inform customers of security incidents.

Compliance with reporting deadlines under NIS2 also ensures transparency and accountability in handling cybersecurity incidents, critical for maintaining stakeholder and regulatory trust.

Development of business continuity and recovery plans

Developing robust business continuity and recovery plans is a necessary requirement of the NIS2 Directive, enabling organizations to respond effectively to cyberattacks and maintain operations.

By implementing comprehensive recovery strategies, businesses can significantly reduce the impact of cyberattacks and recover more quickly, minimizing downtime and ensuring business continuity during crises.

What are the benefits of the NIS2 Directive?

Compliance with NIS2 offers numerous benefits, including protection against cyberattacks and data loss, improved business continuity, adherence to legal requirements, and increased customer trust in a company’s cybersecurity measures.

Protection against cyberattacks and data loss

One of the main advantages of NIS2 implementation is enhanced protection against cyberattacks, data breaches, and potential loss of sensitive information due to security incidents.

By complying with NIS2 regulations, companies can strengthen their defenses against malicious cyber activities and ensure the confidentiality, integrity, and availability of their systems and processes.

Improved business continuity

NIS2 compliance leads to improved business continuity by ensuring organizations can maintain operations and recover quickly from security incidents or disruptions.

Integrating resilience and continuity planning into business operations minimizes the impact of security breaches and protects critical assets. Enhanced response mechanisms ultimately reduce downtime associated with cyber incidents, benefiting society as a whole.

Legal compliance

Implementing the NIS2 Directive ensures businesses meet EU-wide legal requirements, fostering regulatory compliance and alignment with cybersecurity standards across member states.

Failure to comply with NIS2 can result in substantial fines (up to €10 million per violation), reputational damage, and even the loss of operating licenses. Additionally, company executives may face personal liability for damages caused by security incidents under stricter management accountability provisions.

Strengthened customer trust

By implementing the NIS2 Directive, companies demonstrate a commitment to cybersecurity, resilience, and data protection.

Transparency in cybersecurity practices builds credibility and strengthens the trust customers place in a company. Maintaining strong cybersecurity not only protects customer data but also ensures service continuity and fosters long-term customer relationships.

About the author

Dr. Frank Schemmel, CIPP/E, CIPP/US, CIPM, CIPT, has held various management positions at DataGuard since 2018. A certified Data Protection Officer (TÜV) and Compliance Officer (Univ.), he advises on all aspects of data protection, IT security, and general compliance. He is responsible for establishing DataGuard as a thought leader through collaboration with regulatory authorities, legislators, industry associations, and NGOs.

Before joining DataGuard, he worked for several major law firms. He regularly publishes in industry media, contributes to the Beck Online Commentary on Data Protection, and shares his expertise as a lecturer at universities, including the University of Münster.