NIS2: Act Now with Planned and Controlled Measures to Avoid Costly Consequences
Category
On July 24th, the German Federal Cabinet approved the government draft for the NIS2 Implementation and Cybersecurity Strengthening Act. This marks a significant step towards implementing the NIS2 Directive into German law. Something similar is expected to be implemented in other European countries as well.
The parliamentary legislative process has begun with the publication of the government draft. While no significant changes are expected, the process is anticipated to last until spring 2025. Although the new obligations will only apply in Germany once the NIS2UmsuCG comes into force, affected organisations should familiarise themselves with the requirements and take steps towards implementation.
This document will provide you with:
- What you need to know about NIS2
- Who is affected
- How you can prepare now
The Importance of NIS2
With the rapid digitisation of daily life, protection against cyber threats has become essential for the smooth functioning of society. The European Parliament has therefore updated EU law with a series of new cybersecurity regulations. Cybersecurity encompasses all activities necessary to protect network and information systems, their users, and others affected by cyber threats.
The most far-reaching regulation in the European Union is the revised Directive on Security of Network and Information Systems (NIS2 Directive), which replaces the 2016 directive. Having been in force since January 16, 2023, the NIS2 Directive must be implemented in all EU member states by October 17, 2024. It applies to an expanded number of organisations across a wide range of sectors.
The directive aims to increase the level of cybersecurity within the EU, strengthening resilience against cyberattacks. The German Federal Minister of the Interior, Nancy Faeser, has summarised the goals of the NIS2UmsuCG in Germany:
"The threat situation in the area of cybersecurity remains high... With our law, we are increasing protection against cyberattacks, regardless of whether they are state-directed or criminally motivated. In the future, more companies in more sectors will have to meet minimum cybersecurity standards and reporting obligations for cyber incidents."
Nancy Faeser
Beyond Compliance?
Compliance with the minimum legal requirements of NIS2 and accompanying standards is an important starting point for many organisations. These requirements and standards provide a broad framework that often brings previously neglected areas outside of IT (so-called ‘blind spots’) into the focus of information security management for the first time. After all, cybersecurity is no longer just a technical IT issue, but an issue that requires the active participation of the entire organisation – from technology to production, and sales to management.
However, those who want to use resources effectively in the long term are well advised to not just meet compliance laws and standards from the outset but exceed them. Compliance does not automatically equate to security against theft, manipulation, and the publication of business-critical information or negative headlines with a wide media reach. For this reason, the legislator has based the NIS2 requirements on a risk-based approach. Accordingly, affected organisations can decide on appropriate and proportionate technical, operational, and organisational measures, taking into account the likelihood of security incidents and their severity (including social and economic impacts).
This approach aims to promote the effective development of resilient systems rather than the efficient compliance with rigid requirements. Rather than slowing down business, effective information security controls enables organisations to move faster into a digital future.
Who is Affected?
The NIS2 Directive expands the scope of its 2016 predecessor to eleven ‘highly critical’ sectors, including energy, transport, banking, public administration, and healthcare. It also affects other ‘critical’ sectors such as postal and courier services, food production, processing, distribution, and digital services.
Even organisations that do not directly fall into these sectors but act as suppliers or partners can be indirectly affected by the NIS2 Directive. They, too, can represent potential gateways for cyberattacks.
Key Requirements and Obligations
Affected organisations must fulfil extensive cybersecurity requirements. These include, in particular, the responsibility of management bodies and regular cybersecurity training for all employees (Article 20), risk management measures including regular risk analyses, the management of security incidents and the maintenance of operations (Article 21), specific reporting (Article 23) and documentation obligations (Recital 122).
Management bodies must approve the risk management measures taken, monitor their implementation and be personally liable in the event of breaches of their obligations. In the event of significant security incidents, companies must issue an early warning within 24 hours, submit an initial assessment within 72 hours and submit a detailed final report no later than one month after the assessment. However, the directive also emphasises the importance of security in the supply chain. Companies should scrutinise their supplier relationships and carry out risk assessments.
Further EU Cybersecurity Regulations
To promote cyber resilience and combat cybercrime, the EU legislator has enacted additional cybersecurity regulations alongside the NIS2 Directive. These include:
- EU Directive on the Resilience of Critical Entities (CER Directive): Member states must identify critical entities and strengthen their physical resilience against threats such as natural hazards, terrorist attacks, or sabotage.
- Digital Operational Resilience Act (DORA): Contains regulations for the financial sector to protect, detect, contain, and recover from risks in the area of information and communication technologies.
- EU Cybersecurity Act: Establishes an EU-wide certification system and a new and stronger mandate for the EU Agency for Cybersecurity.
- Cyber Resilience Act: Introduces binding cybersecurity requirements for products with digital elements.
What Can You Do Today?
The NIS2 Directive presents significant challenges for affected organisations but also offers an opportunity to significantly improve their cybersecurity. A holistic approach that goes beyond IT and provides risk-based decision-making bases enables organisations to not only meet the requirements of the NIS2 Directive but also strengthen their overall resilience.
For Germany:
The resolution of the German Bundestag on the so called NIS2-Umsetzungs-und Cybersicherheitsstärkungsgesetz (NIS2UmsuCG) is still pending. However, the BSI has already published initial helpful guidance, which we can support you in implementing. We believe that something similar will appear in the other European countries as well.
A1 Digital Welcomes NIS2
A1 Digital sees the NIS2 Directive as an important step towards increasing the overall level of cybersecurity in the EU. We help organisations understand their risks and actively drive their risk management measures. To this end, we develop solutions tailored to the individual needs of each organisation.
Furthermore, we offer our customers our expertise in operational technology security to support organisations in protecting their industrial systems and critical infrastructures. We consider the risk-based approach to information security and the corresponding assessment to be the most effective in protecting critical infrastructures.