The NIS2 Directive (Network and Information Security Directive) is an important development in the field of cybersecurity for the European Union. As the successor to the original NIS Directive, it came into force on 16 January 2023 in order to respond to the increasing threats posed by cyber attacks and to strengthen the resilience of critical infrastructures (KRITIS). The NIS2 Directive must be transposed into national law in all EU member states by October 17, 2024. In Germany, the NIS2 Implementation and Cybersecurity Strengthening Act (NIS-2UmsuCG), a draft bill by the Federal Ministry of the Interior, has been in force since July 2023.

Extended scope of the NIS2 Directive

The NIS2 Directive significantly expands the scope of the first directive by including additional sectors that are also considered critical to cybersecurity.

Considering how serious the impact of cyberattacks on these companies can be, this step is long overdue. Cyber attacks on hospitals and other medical facilities could result in financial losses, or worse, jeopardize patient care.

By expanding the scope of the NIS2 directive, the aim is to ensure that more organizations than before are required to implement stringent security measures to protect themselves from cyber threats. Put simply, implementing the NIS2 Directive will lead to a more resilient infrastructure across the EU.

Definition of essential and important facilities

The EU's NIS2 Directive distinguishes between two categories of entities subject to the Directive: “essential” and “important” organizations.

Essential entities are organizations that operate

  • in a sector of high criticality and
  • have more than 250 employees or
  • an annual turnover of more than 50 million euros.

Important entities are organizations with

  • more than 50 employees or
  • an annual turnover of more than 10 million euros.

What are critical infrastructures?

Critical infrastructures are defined by the BSI as follows:

“Critical infrastructures (KRITIS for short) are organizations or facilities with important significance for the state community, the failure or impairment of which would result in sustained supply bottlenecks, significant disruptions to public safety or other dramatic consequences.”

The group of essential organizations mainly includes KRITIS companies that are of great importance to the state community and whose failure would have serious consequences. The NIS2 Directive mentions the following sectors:

  • Energy
  • Food
  • Finance and insurance
  • Healthcare
  • Information technology and telecommunications
  • Municipal waste disposal
  • Media and culture
  • Government and administration
  • Transportation and traffic
  • Water

Stricter security requirements

The NIS2 Directive imposes stricter security requirements on affected companies and organizations. These include measures for risk assessment, preventing cyber incidents and limiting damage in the event of an attack.

It is particularly important to carry out regular risk assessments so that vulnerabilities and potential threats can be identified quickly. Depending on the results of the assessment, organizations and companies must then implement suitable security measures. In the technical area, this includes firewalls, improved encryption or intrusion detection systems, for example. In the organizational area, this includes training for employees or the introduction of clearer security guidelines.

Another important point in the NIS2 guideline is that companies must develop emergency plans so that they can react quickly and effectively in the event of damage. These plans should include measures to contain the damage, restore the systems affected by the cyber attack and communicate with the affected parties.

Reporting obligations and reporting system

The stricter reporting obligations for cyber incidents are another important aspect of the NIS2 Directive. Companies and organizations in the affected sectors are obliged to report all security incidents to the competent national authorities without delay. This means that not only successful cyberattacks must be reported, but also failed attempts.

The directive sets out clear deadlines and procedures for reporting these incidents. If a cyberattack is detected, the affected sectors have 24 hours to report it. The report itself must contain detailed information about the nature of the incident, the systems and data affected and the measures taken to limit the damage.

The national authorities must analyze the incidents and take appropriate measures to minimize the impact and prevent further attacks. Because the directive applies across the whole EU, national authorities are also obliged to prepare regular reports on the cybersecurity situation in their area of responsibility and forward them to the European Cybersecurity Agency (ENISA). In this way, a comprehensive picture of the cybersecurity situation in the EU can be obtained, enabling authorities to take appropriate measures to improve security.

Cooperation and information sharing

The NIS2 Directive promotes cooperation and information sharing between Member States and different sectors in order to strengthen cybersecurity. This is particularly important because cyber threats are often cross-border and require a coordinated response.

A key element of cooperation is the establishment of national Computer Security Incident Response Teams (CSIRTs), which are responsible for monitoring and combating cyber incidents. The individual teams work closely together to maintain a continuous exchange on threats and attacks and to jointly develop countermeasures.

The NIS2 directive also promotes the exchange of information between public and private actors. Companies and organizations are obliged to share security-relevant information with the relevant authorities and other affected parties. This cooperation between all the parties involved enables EU Member States and individual sectors to respond better to cyber threats and improve the security of IT systems.

Sanctions and enforcement

The NIS2 Directive also provides for strict sanctions for companies and organizations that do not comply with the security requirements or neglect their reporting obligations. Significant financial penalties and other measures are designed to ensure that the directive is taken seriously and not neglected.

The financial penalty for essential facilities is significantly higher than for important facilities. Essential institutions can be fined 2% of their annual turnover or a maximum of 10 million euros, whichever is higher. Important institutions pay a fine of 1.4% of annual turnover or a maximum of 7 million euros; here too, the higher amount is decisive.

Important to know: The draft of the Federal Ministry of the Interior has so far stipulated that management bodies of companies are also liable with their private assets. The upper limit here is 2% of the company's global annual turnover.

National authorities monitor compliance with the NIS2 Directive. Regular inspections and audits are carried out for this purpose. The authorities can impose fines depending on the severity of the breach and the associated risks. In particularly serious cases, other measures can also be taken, such as the imposition of operating restrictions or the withdrawal of licenses.

These sanctions and enforcement measures are necessary to ensure that the NIS2 Directive is effective and improves cybersecurity in the EU. The aim is to encourage companies and organizations to take the necessary security measures and recognize their responsibility to protect IT security.

Challenges and implementation problems

The technical and organizational effort involved in implementing the necessary security measures should not be underestimated and poses a number of challenges for many companies and organizations.

Many companies have to make considerable investments in their IT infrastructure in order to meet the new security requirements. Purchasing and implementing new security technologies is not enough; training employees and developing new security policies and processes is just as crucial.

Employees must be trained on the security policy and on the technologies introduced to implement it.


Another problem that many sectors face is the lack of qualified personnel. Cybersecurity is a very specialized and broad field and many companies struggle to a) find and b) retain the cybersecurity professionals they need. The implementation of the necessary security measures for the NIS2 directive is therefore delayed considerably in some cases and massively impairs the effectiveness of the measures.

Last but not least, regulatory and bureaucratic hurdles can also make the implementation of the NIS2 Directive more difficult. Companies have to work their way through a multitude of regulations and requirements to ensure that they meet all legal requirements.

Despite all these challenges, there are at least strategies in place to help companies and organizations implement the NIS2 Directive. These include working closely with the relevant authorities, utilizing best practices and standards, and continuously reviewing and improving their own security measures.

Advantages and benefits of the NIS2 directive

The main benefit of the NIS2 Directive is to increase cyber security and resilience against cyber attacks. Its implementation will create an overall more secure digital environment that will benefit not only the affected sectors, i.e. companies and organizations, but also their customers.

In addition to the benefit already mentioned for the healthcare industry (“If hospitals and medical facilities are better protected against cyberattacks, they can ensure continuity of patient care and avoid potentially life-threatening interruptions”) and the generally increased security, there are other things that speak in favor of the directive.

Companies that invest in modern security technologies and adhere to strict security standards can position themselves as trustworthy partners and thus gain a competitive advantage. This can also lead to an increase in demand for security solutions and boost the market for cybersecurity products and services.

In addition, the NIS2 Directive contributes to the creation of a uniform level of security throughout the EU. The harmonization of security requirements and procedures will ensure that all Member States and sectors achieve a comparable level of security. This measure facilitates cross-border cooperation and strengthens trust in digital services and infrastructures within the EU.

Raising awareness of cybersecurity risks is also useful. In particular, the increased security incident notification requirements and regular reporting help to raise awareness of the threats and emphasize the need for proactive security measures. This leads to a culture of cyber security in which everyone involved - from companies and public institutions to individuals - understands their role and responsibility and takes it seriously.

Outlook and future developments

The NIS2 Directive is an important step in the right direction for the EU in the further development of cybersecurity. Due to the constant evolution of digital threats and challenges, it is likely that the NIS2 Directive will continue to be adapted and improved in the future in order to respond appropriately to current developments and threats.

Areas that deserve particular attention are technologies such as the Internet of Things (IoT), Artificial Intelligence (AI) and 5G. While none of these technologies is new and all of them offer huge opportunities, they also come with considerable security risks. The EU must ensure that its security policies keep pace with technological advances and develop appropriate measures to deal with new threats.

The increasing professionalization of cybercrime is another important trend. The number of organized cybercriminal groups and state-sponsored actors is increasing and the techniques and tactics they use to attack companies and infrastructures are becoming more sophisticated. Here too, the ability to defend against these threats must be continuously improved. It also makes sense to work closely with international partners.

The role of the European Cyber Security Agency (ENISA) is becoming increasingly important in this context. It appears that ENISA will play a central role in coordinating cybersecurity efforts in the EU and serve as a platform for information exchange and the development of common strategies.

Future actions should include promoting research and innovation in cybersecurity, developing training programs to address skills shortages, and supporting small and medium-sized enterprises in the implementation of the NIS2 Directive. All of these measures combined should strengthen cybersecurity in the EU and create a secure digital future.

Conclusion

The NIS2 Directive is a big step forward to improve cybersecurity in the European Union. It extends the rules to more areas such as healthcare and public administration and requires stricter security measures and reporting obligations. The aim is to increase resilience to cyber attacks and create a more secure digital environment.

The implementation of the NIS2 directive comes with challenges, mainly due to high costs for IT infrastructure and staff training and the lack of skilled workers, but there are ways to solve these problems. Strict penalties for non-compliance with the directive should encourage companies to take the new requirements seriously.

Despite all the challenges of implementation, the advantages and benefits for companies, organizations and society as a whole outweigh the disadvantages. Companies that adhere to high security standards can position themselves as trustworthy partners and gain competitive advantages. The harmonization of security requirements within the EU promotes cooperation between member states and increases trust in digital services. Constantly adapting the directive to new technologies and threats ensures that the EU is optimally positioned for the future.

Is your company affected and you haven't done anything yet? Find suitable cybersecurity companies now to implement the necessary IT security measures in our cybersecurity provider directory.

Sources:

https://www.gdata.de/business/nis-2-richtlinie

https://www.pwc.de/de/cyber-security/europaeische-nis-2-richtlinie-implikationen-fuer-unternehmen-und-institutionen.html

https://regina-stoiber.com/2023/10/23/eu-nis-2-richtlinie-zusammenfassung/

https://de.wikipedia.org/wiki/NIS-2-Richtlinie

https://www.bsi.bund.de/DE/Das-BSI/Auftrag/Gesetze-und-Verordnungen/NIS-Richtlinien/nis-richtlinie_node.html