Data Protection Academy » Data Protection News » NIS-2 Directive

NIS2: EU directive for cyber security

NIS 2 Directive: EU directive for more cyber security

In an increasingly networked world Cybersecurity and the Protecting our digital infrastructures of crucial importance. The NIS2 Directivethe latest development of the Network and Information Systems Directive (NIS), aims to strengthen the security of the digital landscape in the European Union. But what exactly is behind this directive and how does it affect companies and organisations?

In this blog post, we will take a detailed look at NIS2 and the Goals and Requirements of the directive. We will explain the differences between NIS2 and its predecessor version NIS as well as other relevant Laws and standardssuch as ISO 27001. In addition, we will analyse the potential impact on German companies and the Necessity of implementation discuss.

Key information on the NIS2 Directive

  • NIS2 is the further development of the original NIS Directive (Network and Information Systems Directive), which was first adopted in 2016.
  • The aim of both directives is to Strengthening cyber security and protect the digital infrastructure and critical services from cyber threats.
  • On 16 January 2023 the so-called NIS2 Directive came into force. The EU member states have until 17 October 2024 time to translate the directive into national law.
  • The NIS2 directive affects more organisations and requires stricter security measures. Companies that do not fulfil the requirements of NIS2 risk being penalised. Fines. These are also significantly higher compared to the predecessor of the directive.

Content on the NIS2 Directive:

Full title of the directive

Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 concerning measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972 and repealing Directive (EU) 2016/1148 (NIS2 Directive)

Whitepaper NIS-2 Directive: EU Directive for more cyber security

Whitepaper: Implementing a Directory of Processing Activities in compliance with the GDPR

In the white paper NIS-2 Directive you will find:

  • Information on the background to the Origin the NIS-2 Directive
  • Information on the connection with other Laws and guidelines
  • Requirements which the organisations concerned must implement
  • Information on Penalties and sanctions

Unfortunately this content is currently only available in German. Please feel free to contact us for more information.

What is NIS2: This is what the new EU cyber security directive says

The complete designation of the NIS Directive is the Network and Information Systems Directive and can be translated into German as the Network and Information Security Directive. The NIS Directive is a European Union directive that aims to strengthen cybersecurity in the EU. The directive was adopted in 2016 and should subsequently be implemented by the EU member states by May 2018.

In December 2022, the successor, the NIS2 Directive entered into force. This NIS2 Directive builds on the original NIS Directive of 2016. NIS2 was developed to further strengthen cybersecurity across the EU and respond to current developments in the digital sphere by tightening requirements for organisations and promoting cooperation at EU level. This is an important step to better manage the increasing cyber threats in the digital world.

The NIS Directive applies to Operators of critical infrastructures (KRITIS)i.e. for companies and organisations whose systems and services are essential for the maintenance of important social functions. These include companies in the energy, water, transport, finance, healthcare and telecommunications sectors.

Innovations: More cyber security through the NIS 2 directive

The reasons for the legislative changes from NIS to NIS2 are the sharp rise in cyber attacks in recent years, the Increasing digitalisation such as the use of artificial intelligence and the Standardised regulation among all EU member states.

The NIS 2 Directive has the clear aim of strengthening cyber security and making the digital landscape in Europe more secure. When the directive comes into force, the requirements for companies and organisations will be increased, security certification will be promoted and cooperation at European level will be strengthened.

Overview of the new features of the NIS 2 Directive:

  • Sectors: The critical essential sectors have been expanded to eleven sectors and the important sectors to seven. Eighteen sectors are therefore covered by the new NIS2 directive. This means that a wider range of companies and organisations will have to raise their security standards.
  • Facilities: Organisations with 50 or more employees or an annual turnover of 10 million euros or more are affected. Some organisations will fall under the NIS2 Directive regardless of their size.
  • Supply chains: The NIS 2 Directive sets out new requirements for the cyber security of supply chains. These requirements are intended to help companies be better prepared for cyberattacks that occur via their supply chains.
  • Cooperation: Supervision and cooperation between authorities and organisations in the EU will be expanded.
  • Certification of products and services: The introduction of cyber security certifications should make it easier for consumers and companies to opt for more secure solutions.
  • Sanctions: The NIS 2 Directive provides for significantly higher penalties for violations of the Directive, ranging from fines to imprisonment.

Current status of implementation in Germany

At European level, the NIS2 Directive came into force in January 2023. In Germany, the implementation process is currently still in full swing. The Federal Ministry of the Interior has September 2023 a third draft of the NIS2 Implementation Act has been published. All EU member states have until 17 October 2024 to transpose the EU directive into national law.

  • 17 October 2024

    The EU member states must implement the directive by 17 October 2024 into national law.

  • 22 December 2023

    Fourth draft bill December 2023

  • September 2023

    Third draft bill September 2023

  • July 2023

    Second German draft bill July 2023

  • April 2023

    First German draft bill from April 2023

  • 16 January 2023

    The European Directive was adopted on 16 January 2023 entered into force.

Origin of the NIS 2 Directive

The EU Network and Information Security Directive (NIS) was adopted on 6 July 2016 and has been in force since 9 August 2016. The European NIS Directive was implemented in Germany by the Act to Increase the Security of Information Technology Systems (IT Security Act).

The IT Security Act came into force on 25 June 2017 and previously applied in particular to operators of critical infrastructures (KRITIS), i.e. companies and organisations whose systems and services are essential for the maintenance of important social functions. The NIS 2 Directive now applies to all companies and organisations operating in the sectors listed in Annex I of the Directive. These include energy, water, transport, finance, healthcare and telecommunications. The NIS Directive originally only applied to operators of critical infrastructure (KRITIS).

  • 2023

    NIS-2 (EU)

    The NIS 2 Directive was adopted by the European Parliament and the Council of the European Union on 25 November 2022. It came into force on 27 June 2023 and must be transposed into national law in all EU member states by 27 June 2024.

  • 2021

    IT Security Act 2.0 (Germany)

    IT Security Act 2.0 was adopted on 24 May 2021 and is closely linked to the NIS Directive (Directive (EU) 2016/1148 of the European Parliament and of the Council). The IT Security Act 2.0 serves to transpose the NIS Directive into national German law and sets out specific requirements for operators of critical infrastructure and providers of digital services in order to strengthen cybersecurity in Germany in accordance with European standards.

  • 2016

    Amendment to the BSI Act (Germany)

    The BSI Act grants the Federal Office for Information Security (BSI) specific Authorisations and responsibilities to monitor the implementation of the IT Security Act and ensure that companies and organisations take appropriate security measures. The European Union's NIS Directive requires member states to designate national authorities or bodies responsible for implementing and monitoring the directive. In Germany, the BSI is the body responsible for implementing the NIS Directive. The BSI Act regulates the powers of the Federal Office in connection with the implementation of the NIS Directive, including the monitoring of critical infrastructures and the performance of security audits.

  • 2016

    NIS Directive (EU)

    The Network and Information Systems Directive is a European Union directive that aims to strengthen cybersecurity in the EU. The directive was adopted in 2016 and should be implemented by the EU member states by May 2018.

  • 2015

    IT Security Act (Germany)

    It laid the foundations for the regulation of cyber security in Germany by defining the requirements for the security of critical infrastructures.

Requirements of the NIS2 Directive

The NIS2 Directive is intended to help operators of critical infrastructures to better protect their information systems and prevent or at least mitigate cyberattacks.

The most important requirements of the NIS-2 directive are

Companies and organisations affected by the NIS 2 Directive must have a Information Security Management System (ISMS) introduce and operate. The ISMS is a holistic approach to ensuring information security. It comprises the planning, implementation, monitoring, evaluation and improvement of information security measures.

Companies and organisations must take an active Risk Management including regular risk assessments. The risk assessments should identify the potential threats and risks to the information security of the company's systems and services.

Companies and organisations must report cyber incidents to the competent authorities. Reports must be made within 24 hours if the incident could have a significant impact on the functioning of the organisation's systems and services.

The competent authorities of the EU member states must exchange information on cyber incidents. The exchange of information is intended to improve the response to cyber incidents.

In addition to the requirements of the NIS 2 Directive, the IT Security Act 2.0 will also contain additional requirements that are currently being defined by Germany. These include the obligation to appoint an information security officer and to carry out cyber security exercises.

Which companies must implement NIS2?

According to NIS 2, organisations from a variety of critical sectors must implement the directive. The directive differentiates organisations according to the size and criticality of their systems and services for the maintenance of important social functions. There are special cases that are obliged to implement the directive regardless of the size of the organisation.

Affected organisations

This applies to public and private organisations in the following 18 sectors with at least 50 employees or at least EUR 10 million in annual turnover and annual balance sheet total.

Special cases that are affected regardless of size

  • Providers of public electronic communications networks or publicly available electronic communications services
  • Trust service provider
  • TLD name registries and DNS service providers (except operators of root name servers)
  • Sole providers that are essential for society and the economy
  • Facilities whose failure would have a major impact on public order, safety or health
  • Facilities whose failure could lead to a systemic risk with cross-border consequences
  • Facilities that are critical due to special national or regional importance
  • Central government public administration organisation defined by the EU Member State or critical public administration organisation at regional level
  • Critical infrastructures according to Directive (EU) 2022/2557
  • Entities providing domain name registration services

Major and important organisations

The NIS2 directive distinguishes between and important organisations. The main difference lies in the criticality of their systems and services for the maintenance of important societal functions.

Essential facilities are essential to the maintenance of these functions, while important facilities are not essential to the maintenance of these functions, but their disruption could still have a significant impact.

It is worth noting that under NIS2 in future significantly more facilities obliged to implement the requirements are. This is because the classification of the new directive into critical and highly critical sectors means that the EU member states no longer have the freedom to decide which organisations are addressed. This means that the size of organisations is no longer decisive.

The previous classification criteria of the "Ordinance on the Determination of Critical Infrastructures under the BSI Act - BSI-KritisV" and the catalogue of facilities covered by the IT Security Act 2.0 will no longer apply once it comes into force.

Major organisations

  • Criticality: Essential for the maintenance of important social functions
  • Requirements: All requirements of the NIS 2 Directive must be implemented.
  • Sectors of the main organisations:
    • Energy
    • Transport
    • Banking
    • Financial market infrastructures
    • Healthcare
    • Drinking water
    • Waste water
    • Digital infrastructure
    • Management of ICT services
    • Public administration
    • Space

Important organisations

  • Criticality: Disruption could nevertheless have a significant impact on important social functions
  • Requirements: Some requirements of the NIS 2 Directive must be implemented, but not all.
  • Sectors of the important organisations:
    • Postal and courier services
    • Waste management
    • Production, manufacture and trade in chemical substances
    • Production, processing and distribution of food
    • Manufacturing/production of goods
    • Provider of digital services
    • Research

Implementation of the NIS 2 Directive

Responsible for the implementation of the NIS 2 Directive

The implementation of the NIS 2 Directive is a joint task of the EU member states and the EU Commission. The EU Commission is responsible for developing the Directive and monitoring its implementation in the Member States.

The Member states are responsible for transposing the directive into national law and monitoring compliance with the requirements by the organisations concerned.

In Germany this is Federal Office for Information Security (BSI) is responsible for the implementation of the NIS-2 Directive. The BSI is a higher federal authority responsible for the security of information technology in Germany.

The BSI has the following tasks as part of the implementation of the NIS 2 Directive:

  • Development of guidelines and recommendations for the implementation of the directive
  • Advice and support for the organisations concerned in implementing the directive
  • Monitoring the implementation of the directive by the organisations concerned

The organisations concerned must implement the defined minimum requirements for cyber security. For implementation and monitoring, the Management of the organisations concerned responsible. The management can be held liable for inadequate implementation.

Advice on the implementation of the NIS2 Directive

The new EU directive on cyber security becomes law in Germany. Increase the cyber security of your organisation, we support you in the comprehensive implementation of security measures and legal obligations.

Further Information Schedule a meeting

Minimum requirements for cyber security

The EU NIS2 Directive specifies for essential and important organisations Minimum requirements for cyber security fixed.

The measures must include at least the following:

  • Concepts relating to risk analysis and security for information systems
  • Management of security incidents
  • Business continuity, such as backup management and disaster recovery, and crisis management
  • Security of the supply chain, including security-related aspects of relationships between individual organisations and their direct suppliers or service providers
  • Security measures in the acquisition, development and maintenance of network and information systems, including management and disclosure of vulnerabilities
  • Concepts and procedures for assessing the effectiveness of risk management measures in the area of cyber security
  • Basic cyber hygiene procedures and cyber security training
  • Concepts and procedures for the use of cryptography and, where applicable, encryption
  • Personnel security, concepts for access control and management of systems
  • Use of multi-factor authentication or continuous authentication solutions, secure voice, video and text communication and, where appropriate, secure emergency communication systems within the organisation.

Risk management in accordance with NIS-2

The NIS 2 Directive places stricter requirements on the information security of companies and organisations in the EU. This also includes Risk management measures. The organisations concerned are obliged to meet the risk management requirements of the NIS 2 Directive.

Risk management is a systematic process for identifying, assessing and dealing with risks. In the area of cyber security, risk management aims to reduce the probability and extent of a cyber attack.

The NIS 2 Directive provides for at least the following risk management measures:

  • Introduction of an information security management system (ISMS)An ISMS is a holistic approach to ensuring information security. It comprises the planning, implementation, monitoring, evaluation and improvement of information security measures.
  • Regular performance of risk assessments: Risk assessments should identify the potential threats and risks to the information security of the company's systems and services.
  • The implementation of technical and organisational risk mitigation measures: The identified risks must be minimised through suitable technical and organisational measures.

Robin Data ComplianceOS® Compliance field Risk management

Digitally implement the requirements of NIS2 for your organisation's risk management. With ComplianceOS, you can systematically identify, assess and treat risks and thus reduce the probability and extent of a cyberattack on your organisation.

Schedule a meeting

Reporting obligations in accordance with NIS2

The NIS2 Directive provides for extensive reporting obligations for the organisations concerned. The reports are intended to provide the competent authorities with an overview of the organisations' information security measures and help them respond to cyber incidents. The reporting obligations apply to all affected organisations, regardless of whether they are classified as significant or important.

The following reports are required according to NIS2:

  • Annual Report: The annual report should provide an overview of the organisation's information security measures. These include the introduction of an ISMS, the performance of risk assessments and the implementation of risk minimisation measures.
  • Reporting of cyber incidents: The affected organisation must report cyber incidents to the competent authorities. The report must be made within 24 hours if the incident may have a significant impact on the functioning of the organisation's systems and services.
  • Exchange of information on cyber incidents: The affected organisation must share information about cyber incidents with other organisations. The exchange of information is intended to improve the response to cyber incidents.

Implementation of an ISMS in preparation for NIS2

There is some overlap between ISO 27001 and NIS2, particularly with regard to the basic principles and security aspects. We therefore recommend the implementation of the ISO 27001 requirements or the implementation of a Information security management system in preparation for the German NIS2 Directive.

Risk assessment:
Both standards require a comprehensive risk assessment. ISO 27001 requires organisations to identify and assess information security risks in order to implement appropriate security measures. NIS2 also requires risk assessments to ensure the security of critical services.

Security measures:
Both ISO 27001 and NIS2 emphasise the implementation of security measures. ISO 27001 defines general security controls and procedures that organisations can apply to ensure their information security. NIS2 sets out specific requirements for critical service providers to ensure that appropriate safeguards are in place.

Protection of confidentiality, integrity and availability:
Both standards aim to ensure the confidentiality, integrity and availability of information. ISO 27001 aims to ensure these objectives for all types of information in an organisation, while NIS2 aims to ensure the availability of critical services in important sectors.

Emergency planning:
Both ISO 27001 and NIS2 emphasise contingency planning. ISO 27001 requires the development of contingency plans to restore information security following security incidents. NIS2 requires critical service providers to develop contingency plans to minimise the impact of cyber-attacks and restore service availability.

Monitoring and improvement:
Both standards emphasise the importance of continuous monitoring and improvement of security measures. ISO 27001 requires regular review and adaptation of the information security management system. NIS2 requires service providers of significant importance to constantly review and update their security measures and processes.

Implement ISMS with Robin Data ComplianceOS®

Implement the requirements of NIS2 for an information security management system and achieve NIS2 compliance in good time. Robin Data GmbH's external information security officers will help you to develop and monitor an ISMS in close coordination with your management and other responsible parties.

Schedule a meeting

Penalties and sanctions for violation of NIS2

The NIS2 Directive provides for strict sanctions for violations of the Directive's requirements. The sanctions are intended to motivate companies and organisations to comply with the requirements of the directive and improve cyber security. The competent authorities of the EU member states are responsible for imposing sanctions. The sanctions apply to all affected organisations, regardless of whether they are classified as essential or important.

The following sanctions are possible under NIS2:

  • FinesFines can be imposed in the amount of up to 10 million euros or 2 % of global turnover, whichever is higher.
  • Imposing administrative fines: Administrative fines of up to 10 million euros can be imposed.
  • Arrangement of measures to improve information security: The competent authorities can order companies and organisations to take measures to improve information security.
  • Closure of facilities: In particularly serious cases, facilities may be closed.

Here are some Examples of violations of the NIS2 Directivewhich can lead to sanctions:

  • Failure to introduce an information security management system (ISMS)
  • The failure to carry out risk assessments
  • Failure to report cyber incidents to the competent authorities
  • Non-compliance with the requirements for reporting deadlines
  • The provision of insufficient information when reporting cyber incidents

Video on the NIS 2 Directive

Robin Data Hack NIS2 Policy Video

Watch the video NIS-2 Directive for more cyber security:

In an increasingly interconnected world, cybersecurity and the protection of our digital infrastructures are crucial. The NIS2 Directive, the latest evolution of the Network and Information Systems Directive (NIS), aims to strengthen the security of the digital landscape in the European Union. But what exactly is behind this directive and how does it affect companies and organisations?

In the recording of the one-hour Robin Data Hack from 12 December 2023, we will inform you in detail about the objectives and requirements of the NIS2 directive. They explain the differences between NIS2 and the previous version NIS as well as other relevant laws and standards. We also discuss the potential impact on German organisations and show you practical solutions for implementation. The Robin Data Hacks take place online and participation is free of charge. Further information, dates and the opportunity to register.

Unfortunately this content is currently only available in German. Please feel free to contact us for more information.

Conclusion

The German directive in accordance with NIS2 is expected in October 2024. For affected German companies, it is nevertheless important to ensure the implementation of the NIS2 requirements on time to be tackled. This is proving to be challenging, as the wording of the directive leaves a lot of room for manoeuvre in some cases and the German draft law has not yet been finalised. However, in order to prepare in good time before the German law comes into force, we advise companies to prepare a Information Security Management System (ISMS) and to follow the specifications of the corresponding ISO 27001 standard orientation.

Achieve NIS2 compliance for your organisation with Robin Data

The new EU directive on cyber security becomes law in Germany. Our consultants implement solutions specifically for the needs of your organisation. From risk and asset management to business continuity concepts and employee training. Together, we implement the requirements of the NIS2 directive step-by-step. Achieve NIS2 compliance for your organisation - book a no-obligation introductory meeting.

Further Information Schedule a meeting
Caroline Schwabe
Latest posts by Caroline Schwabe (see all)

This might interest you too:

Audit management: Implementing audits more efficiently

Understanding and implementing audit management: Step-by-step explanation, background information, examples and definitions. Read now!
Read more

NIS2: EU directive for more cyber security

What does the NIS-2 Directive mean for organisations in Germany? Implementation obligations, sanctions, tips for implementation.
Read more

Asset management: Practical implementation

Efficient asset management: structure, implementation, example for classes and categories, protection needs assessment. Read now!
Read more