The NIS 2 Directive: A decisive step for cybersecurity in Germany and Europe

Find out how the EU's NIS 2 Directive affects critical infrastructure protection and what it means for your organisation. With expanded requirements and a broader scope, it's time to make cyber security a priority.

The NIS 2 Directive marks a turning point in the European Union’s cybersecurity strategy. In the face of increasing digital threats, this revised directive aims to significantly strengthen the protection of critical infrastructure and increase resilience to cyberattacks. With an expanded scope of application and stricter security requirements, companies and public organisations are facing new challenges, but also opportunities. In our introduction, we look at the key points of the NIS 2 Directive, its impact on different sectors and the key steps required for compliance.

What does the NIS 2 Directive mean?

Introduced in 2016, the NIS Directive marked the beginning of EU-wide protection of critical infrastructure against cyber threats. With the introduction of NIS2, the European Union is going one step further by expanding the scope and establishing an all-encompassing standard for cyber security. NIS2 aims to arm companies and public organisations against all types of cyber threats and makes cyber security a ‘top priority’.

Who is affected by the NIS 2 Directive?

The NIS 2 Directive now covers 18 sectors and applies to companies and public organisations of significant size (more than 50 employees and a turnover or balance sheet total of at least EUR 10 million). Smaller companies and organisations can also fall within the scope under certain conditions, although these conditions are still to be specified.

Key requirements of the NIS 2 Directive

Companies covered by this directive must fulfil comprehensive security requirements, ranging from cybersecurity governance and incident management to business continuity management. These measures are intended not only to increase resilience to cyber attacks, but also to enable an efficient response to security incidents.

Importance for affected companies

In view of the far-reaching implications of NIS2, it is advisable for companies to address the requirements at an early stage and develop appropriate security strategies. Co-operation with the responsible authorities and compliance with the specified security measures are of central importance.

NIS 2 Directive: the next steps

The EU member states are required to transpose the NIS 2 Directive into national law by 17 October 2024. For Germany, this is likely to mean amending the BSI Act with a new IT Security Act. Companies that are new to the scope of application should use the remaining time to make the necessary preparations and adapt their cybersecurity measures accordingly.

The NIS 2 Directive represents a significant step towards a stronger and more harmonised cybersecurity landscape in Europe. Given the ever-changing threat landscape, it is crucial that all relevant stakeholders – from businesses to public organisations and national competent authorities – work together to ensure the security and resilience of critical infrastructure.

Update: March 2024
The Act on the Implementation and Strengthening of Cybersecurity in accordance with NIS 2 (NIS2UmsuCG) is not expected to be passed by the deadline of 17 October 2024 through a regular legislative procedure that complies with the usual processes and deadlines. This could result in the EU Commission levying fines against Germany. Exactly when this could happen is still uncertain. However, it is not unusual for EU member states to fail to meet EU deadlines. It is expected that some countries will also experience delays in implementing the NIS 2 Directive.

Holger Berens

Holger Berens is your contact for all aspects of security compliance and advises our customers online and on site.
