Skip to main content
Unsere Website gibt es auch auf Deutsch - würden Sie gerne zu dieser Version wechseln?Zur deutschen Version wechseln
MADE & HOSTED IN GERMANY
ISO 27001 CERTIFIED
nis-2-directive

The new NIS2 Directive: What you need to consider now

7 min read

DDOS attacks, ransomware assaults, cyber espionage and data theft – cybercrime in Germany is growing every day and causes damage in the three-digit billion range. Nevertheless, many companies and institutions, especially SMEs, fall short of cyber security requirements.

In order to hold companies, especially those in the critical infrastructure, accountable, the EU Commission has decided to revise and further develop its "Directive on the security of network and information systems". The result is the NIS2 Directive, which will also become mandatory in Germany in the future.

For affected companies, this means preparing for this change in the law and keeping up to date with cyber security. This is because non-compliance could result in high fines and even liability for the managing director or board.

What is the NIS 2 Directive?

The NIS2 Directive is a revised version of the "Directive on the security of network and information systems" (NIS) introduced in 2016. Its aim is to improve cybersecurity standards in the EU so that companies and organizations are better protected against attacks and outages. The original NIS Directive was the first Europe-wide push to ensure a high level of security in essential sectors. NIS2 expands and strengthens this approach to better respond to increasingly complex cyber threats.

In terms of content, the new edition focuses on strengthening the existing national cyber security strategy. The focus here is particularly on companies and organizations that are responsible for critical infrastructures, as their failure or impairment could have significant consequences for society.

The stricter requirements mean that around 30.000 companies in Germany are covered by the NIS2 Directivesignificantly more than before. Especially those companies that have not yet been affected by the mandatory implementation of IT security measures must now take action and implement the required procedures.

"Cyber security is central to our society and affects each and every one of us."
Nancy Faser, Federal Minister of the Interior

Who is affected by the NIS 2 Directive?

The new NIS2 Directive affects significantly more companies and organizations than its predecessor. This means that significantly more companies will have to deal with this regulation in the future. The sectors affected are divided into two areas:

Sectors affected by NIS2
Critical sectors
Energy Transportation
Banking Financial market infrastructure
Drinking water Waste water
Digital infrastructure Public administration
Healthcare Outer space
Management of ICT services (B2B)
Important sectors
Postal & courier services Research & development
Waste management Digital service providers
Chemical industry & trade Food industry & trade
Manufacturing industry / Production of goods

In addition, the size of the company is defined as a criterion for identifying affected facilities. There are two categorie

  • Medium-sized companies with at least 50 to a maximum of 250 employees and a turnover of between ten and 50 million euros or with an annual balance sheet total of a maximum of 43 million euros.
  • Large companies with more than 250 employees and a turnover of more than 50 million euros or an annual balance sheet total of more than 43 million euros.

Regardless of this, companies can still be affected by the NIS2 Directive. These include – regardless of their size – trust service providers (providers that offers electronic services such as digital signatures to enable secure and legally binding electronic transactions), certain providers of public electronic communication networks, critical infrastructure (KRITIS) and public administration.

It should be noted that the NIS2 Directive now also places greater obligations on suppliers. The reason for this is that the new directive requires the entire supply chain to be secured – both in terms of digital systems and the physical environment of these systems. This means that suppliers may have to set up their IT security to a similar extent as the affected organizations themselves.

Note: Would you like to know whether your company is affected by the directive? The Federal Office for Information Security has made an NIS2 impact assessment available online. This impact assessment can give you an initial orientation. Please note that this assessment is only available in German.

How are the new requirements to be implemented?

There are various measures through which the NIS2 Directive can be implemented. These include:

Putting together a project team:
Due to the high requirements, it is advisable to put together a project team to implement the NIS2 Directive and appoint the responsible parties. The information security measures can be coordinated via this team. In addition to IT and security experts, the management should also be involved as well as the data protection officer or a legal advisor.

If there has been little understanding of IT security to date, a joint cyber security training is also recommended.

Introduce an information security management system:
If not already in place, an information security management system (ISMS) should be introduced as soon as possible. An ISMS consists of various policies, procedures and measures that ensure that sensitive information is protected and security risks are controlled and minimized. It can help to identify potential cyber threats at an early stage

The topics that should be considered include:

Note: If your company has achieved ISO 27001 certification, a solid foundation has already been laid for compliance with the NIS2 Directive. This certification covers numerous points that are also relevant for compliance with the NIS2 Directive.

Define reporting processes and comply with reporting obligations:
The obligation to report a cyber security incident will be tightened once again in the NIS2 Directive. In future, serious security incidents must be reported within 24 hours and a detailed analysis must follow within a further 72 hours of the initial report. Finally, a comprehensive report is due after one month.

In view of these tight timeframes, it can be helpful for companies to establish a reporting process or readjust the existing one. After all, it must be ensured that the relevant information is also available within the defined time frame.

Preparation for stricter controls:
Stricter enforcement mechanisms should ensure that the NIS2 Directive are also implemented to the required extent. Once the NIS2 Directive becomes legal, the supervisory authorities will have more power to monitor companies and impose sanctions in the event of non-compliance. The threat of fines is significantly higher than before.

Note: Regardless of whether your company has to comply with the NIS2 Directive or not, it makes sense to address the issue of data protection. Even if your company is not part of the critical infrastructure, it can still be an attractive target for cyber criminals.

By when must the requirements be implemented?

The new directive has been in effect throughout the EU since the beginning of 2023 and should be transposed into national law in the member states by October 2024. In Germany, however, the process has been delayed. Although the NIS2 Implementation Act was passed by the Federal Cabinet in July 2024, the law still has to be finally confirmed by the Bundestag and Bundesrat. The law is now expected to come into effect in the first quarter of 2025 and will be legally binding from the second quarter of 2025.

What are the consequences of non-compliance?

The consequences of non-compliance with the NIS2 Directive should not be underestimated. As a first step, the supervisory authority can initiate supervisory and enforcement measures against the facilities concerned, for example in the form of orders and inspections. The possibility of severe fines cannot be ruled out. Depending on the individual case, the fine can amount to up to ten million euros or two percent of the previous year's global turnover according to the current framework.

It can also be painful for the management, which is explicitly held liable according to the directive. If they do not explicitly take care of the implementation of the necessary legal measures, it is planned to hold them personally accountable. This not only has legal consequences, as company management will also be liable with their private assets in the event of misconduct.

It should be noted that the companies themselves are obliged to find out whether or not they fall under the NIS2 Directive. According to the current status, there will be no authority responsible for the administration and implementation of the directive.

Conclusion: The NIS2 Directive will change IT security in many companies

With the upcoming NIS2 Directive, the previous cybersecurity requirements will be significantly tightened once again and extended to more areas at the same time. This will be particularly noticeable for those companies and institutions that were not affected by the previous legislation. Suppliers and SMEs in particular are now called upon to make adjustments in terms of IT security.

For them in particular – but not exclusively – it is crucial that they get to grips with the NIS2 Directive and quickly introduce appropriate measures. With sensible investments such as employee training, secure software or a more efficient security culture through an ISMS, a lot can already be done to comply with future legal regulations.

Rate this article?
3 Reviews / 4.7 Stars
Ready to try Stackfield?Over 10.000 companies joined Stackfield
Try Stackfield for free
Almost finished...Please click the link in the email and confirm your email adress to complete the subscription process.
Never miss a post. Get awesome insights in your inbox.
Your Email
Subscribe
Christopher Diesing
About the Author:
Christopher Diesing is the COO of Stackfield. He loves all kinds of marketing, product design as well as photography.
Display Comments (powered by Disqus)