NIS-2
In January 2023, the EU adopted the so-called NIS 2 directive. The revised legislative document imposes stricter cybersecurity rules on significantly more companies and institutions, drawn from considerably more sectors than before. Although the directive is due to be transposed into national law by October 2024, the current official draft bill suggests that transposition will probably not happen until early 2025. Nevertheless, it is important for potentially affected institutions to address the requirements at an early stage.
The NIS 2 Directive (short for Network and Information Security Directive 2) replaces the previously valid NIS Directive from 2016 and significantly expands the range of affected companies and institutions. In May 2024, an official draft bill was published with the NIS-2 Implementation and Cybersecurity Strengthening Act (NIS2UmsuCG). This is the basis for the assessments of the cyber experts at the Ecclesia Group. However, the regulations may of course still be amended before official implementation.
Smaller organizations also affected
The NIS2UmsuCG distinguishes between two categories. The particularly important organizations include, above all, critical infrastructure operators, but also, for example, energy supply, transport, information technology and telecommunications companies with at least 250 employees or an annual turnover of 50 million euros or more. The newly defined category of important organizations covers additional sectors such as the chemical and food industries and the manufacturing sector, but also companies in the sectors of the first category that do not meet its size thresholds. In this category, organizations with at least 50 employees or an annual turnover of more than ten million euros are affected.
Comprehensive security measures required
“We know that significantly more companies and institutions from significantly more sectors will be affected by the new directive than before,” says Robert Drexler, Head of Ecclesia Cyber. “It is extremely important to address the requirements as early as possible and to set up IT security management in line with them.” To meet the requirements of NIS-2, affected organizations must be able to demonstrate that a range of measures is in place and ready for implementation. These include, for example, risk analysis concepts, management strategies, guaranteed business continuity in an emergency, access control concepts and secure emergency communication systems.
Reversal of the reporting requirement
In the future, relevant security incidents must be reported to the responsible authority within 24 hours. Within 72 hours, an initial assessment of the security incident, including its severity and impact and, where applicable, the indicators of compromise, must be submitted, followed by a progress report and a final report after one month. However, the biggest change lies in the reversal of the reporting requirement, as Robert Drexler emphasizes: “In the future, those affected will be obliged to actively demonstrate to the BSI that they are meeting the requirements by a certain deadline. The onus here is clearly on the companies and institutions.” This also raises the bar for documenting the measures, since the proof must be provided in a very detailed manner.
High risk – also in terms of management liability
Non-compliance can result in heavy fines of up to ten million euros or two percent of global revenue for particularly important organizations, and up to seven million euros or 1.4 percent of global revenue for important organizations; in each case, whichever amount is higher applies. Management obligations in connection with cybersecurity are also expected to be tightened, which is particularly relevant for managing directors and board members. Tasks can still be delegated, but the responsibility for selecting and monitoring the persons to whom tasks are delegated remains with the managing directors and board members.
Meeting challenges with the necessary expertise
“We are happy to advise you on all relevant questions concerning NIS-2 and help you prepare for the new requirements,” says Robert Drexler. On questions of management liability, specialists from across the entire group are consulted who have the necessary expertise and many years of experience in this area. In this way, you receive comprehensive advice from a single source.