In the fall of 2024, the EU's NIS-2 Directive is set to be transposed into national law. Affected companies should have implemented the necessary measures by then. This blog post covers everything you need to know about NIS2, how organizations can determine if they are affected, and what changes the new law will bring.
What is NIS2 and When Does It Come Into Effect?
NIS-2 (Network and Information Security 2) is an EU directive aimed at enhancing the protection of critical European infrastructure from cyberattacks through standardized security measures. The first version of the NIS-2 Directive was released in December 2022, and member states are expected to transpose it into national law by fall 2024.
In Germany, this is being implemented through the NIS-2 Implementation and Cybersecurity Strengthening Act (NIS2UmsuCG), which is currently in the legislative process and expected to come into force soon. Affected organizations have been advised to familiarize themselves with the directive to implement the necessary measures in time.
NIS2 aims to ensure an adequate level of cybersecurity for entities classified as "important" or "particularly important." This includes minimum security requirements for risk management and mandatory reporting of cybersecurity incidents.
Who is Affected by NIS2?
NIS2 primarily targets operators of critical infrastructure (KRITIS), as well as economic enterprises that, depending on their size and annual turnover, are classified as "important" or "particularly important" entities. These organizations are crucial for the survival and functionality of our society.
According to BSI President Claudia Plattner, approximately 29,500 companies will be legally required to implement the new cybersecurity standards. This includes hospitals, water and energy suppliers, and transport and telecommunications companies, where cyberattacks can cause significant damage, necessitating legally mandated protection concepts.
Important to note: Affected organizations must register with the BSI proactively.
How Do Organizations Know If They Are Affected by NIS2?
The BSI assists organizations in determining if and how they are affected by the new NIS-2 legislation. Through an online impact assessment, companies can answer yes/no questions to find out which of the four relevant categories they fall into:
Operators of Critical Infrastructures
Particularly Important Entities
Important Entities
Non-affected Companies
Additionally, there is an FAQ catalog covering key topics related to NIS2, where companies can find information about potential impact and related contact points and legal obligations.
Key Changes Introduced by NIS2
The legislation resulting from the NIS2 Directive brings several significant changes compared to the original 2016 directive. Notably, the number of companies and entities required to register, provide proof, and report to the BSI will increase significantly.
More Organizations Affected
Compared to the previous NIS Directive of 2016, the scope of affected organizations under NIS2 has expanded significantly. Categories such as "important entities" and "particularly important entities" have been introduced, each with specific security standards, including risk analysis concepts, operational continuity measures, backup management, and encryption concepts.
Multi-level Reporting System
Previously, companies had to report cybersecurity incidents to the BSI through a single-level reporting system. This will be replaced by a three-level system: an initial report must be submitted within 24 hours of becoming aware of the incident, followed by an update within 72 hours, and a final report one month after the incident.
Increased Oversight by the BSI
The Federal Office for Information Security (BSI) will have expanded tools to verify and enforce the new security measures. This includes a new penalty framework for organizations that fail to meet their legal obligations to implement cybersecurity measures.
Requirements from the NIS2 Directive
Affected organizations must meet varying levels of cybersecurity requirements depending on their category. These can be broadly defined as technical, operational, and organizational measures aimed at minimizing risks to the security of network and information systems and preventing or at least mitigating cybersecurity incidents.
The NIS2 Directive does not specify concrete measures but provides guidelines that form the basis for the security concepts of affected entities. The consistent implementation of suitable measures is the responsibility of the management, which can be personally liable in case of a breach of cybersecurity regulations.
How Can Affected Entities Comply with NIS2 Requirements?
KRITIS operators and other entities affected by NIS2 must align their existing cybersecurity concepts with the new legal requirements and make necessary adjustments. If the appropriate personnel resources are available, this can be done internally. Otherwise, it is advisable to engage external service providers specializing in cybersecurity. These providers can help conduct comprehensive risk analyses of networks and IT systems and implement appropriate security measures.
A positive note for companies certified according to the BSI standard ISO 27001: they can assume that they already meet most NIS2 requirements. However, they should still conduct a corresponding review once the NIS2 Implementation Act comes into force, since certification alone does not cover the registration and reporting obligations introduced by the law.
Consequences of Non-compliance with NIS2
All EU member states are required to draft national laws based on the NIS-2 Directive by fall 2024, obliging affected entities to implement the prescribed cybersecurity measures. Failure to adequately implement the necessary protection measures could result in substantial fines of up to 10 million euros or 2% of annual turnover.
Current Situation and Expected Development
It is currently unclear whether the NIS2 Implementation Act in Germany will indeed come into force in the fall. Although the law was approved by the federal cabinet in late July 2024, the OpenKRITIS platform considers it unlikely that it will come into effect before early 2025.
Conclusion – The Sooner Organizations Respond to NIS2, the Better
The NIS-2 Implementation and Cybersecurity Strengthening Act is expected to come into force in Germany in early 2025. Organizations should proactively check now whether and to what extent they are affected by the law, ensuring enough time for evaluating and implementing the necessary measures. The IT security experts at COViS are available to answer any questions regarding NIS2.