NIS-2-Directive: What the Requirements Mean For Companies

New Requirements For More Cyber Security

The NIS-2 Directive (NIS = Network and Information Security) is intended to improve cyber security in the European Union - for example by increasing the requirements for dealing with risks. Important innovations include:

Extended Scope of Application: The directive covers even more sectors and companies.

Increased Security Requirements: Affected companies are obliged to implement cyber security measures.

Reporting Obligations: If security incidents occur, you are obliged to report these incidents.

Cooperation: EU countries should cooperate more closely and exchange information in a targeted manner.

Sanctions: If you do not comply with the legal requirements, you will face severe penalties.

In this way, the directive aims to help affected companies achieve greater cyber resilience with appropriate measures. In the long term, awareness of the risks within your own company should grow - for example, by regularly analysing threats and their consequences. In the best case scenario, those affected can understand the dependencies between different systems and their consequences and constantly adapt security measures to the current threat situation.

NIS-2 Directive: These Companies Are Affected

The NIS 2 Directive is particularly relevant for the following companies:

• Companies in economic sectors or with tasks within the critical infrastructure such as energy, drinking water or banking
• Companies in other critical sectors such as research, public administration or production and processing

The NIS 2 Directive distinguishes between essential and important facilities.

Smaller companies may be affected by the legislation if they offer a critical service.

Affected by NIS-2: What You Need To Do!

Is your company affected? Then you will be subject to various obligations:

• Risk management and business continuity measures
• Reporting obligations
• Registration obligations
• Information obligations
• Approval, monitoring and training obligations for management

In some member states, further legal regulations are planned:

• Issuance of security certificates
• IT security labelling
• Certification obligations for products, services and processes
• Critical services and systems

These risk and reporting measures are mandatory for both essential and important facilities. The only difference is that compliance with the measures in essential facilities is checked at regular intervals - in important facilities this is only done on suspicion. In addition, all facilities must register with the national responsible authority.

Cyberattack: How To React Correctly

You must make an initial report of an incident within the next 24 hours. The report is sent to the responsible supervisory authority. After three and 30 days, you provide an update on your handling of the situation. This is intended to provide the most accurate overview possible of the current threat situation. In addition, the authorities want to evaluate the effectiveness of the measures taken in the long term.

Violations of NIS-2: These Sanctions Are Imminent

If you do not comply with the legal requirements, you must expect fines. The amount depends on the importance of the facility. For significant facilities, the fine is up to two per cent of the annual turnover or a maximum of ten million euros. If you are part of the management, you can also be held liable personally. Supervisory authorities are authorised to monitor and issue instructions.

With its risk-based approach, the NIS 2 Directive aims to improve cyber security systematically. Affected companies should start implementing it at an early stage in order to arm themselves against the increasing threats posed by cyber risks.