NIS‑2 “Network and Information Security” Directive
With the NIS 2 Directive, mandatory security measures and incident reporting obligations apply to companies and organizations in 18 critical sectors from 17 October 2024, the date by which EU Member States had to transpose it into national law. This includes many medium-sized enterprises that were not covered before. NIS2 replaces the NIS Directive of 2016 with the aim of achieving a higher common level of cybersecurity across the EU.
Compared to the previous NIS Directive, NIS‑2 greatly expands the group of affected companies, their obligations and the official supervision. Violations can result in heavy fines: up to EUR 10 million or 2 % of worldwide annual turnover for essential entities, and up to EUR 7 million or 1.4 % for important entities, whichever is higher.
Who is affected?
Public and private entities in 18 sectors with at least 50 employees, or with an annual turnover and an annual balance sheet total that both exceed EUR 10 million, provided they provide their services or carry out their activities in the EU. In addition, the following entities are covered by the NIS2 Directive regardless of their size:
- Providers of public electronic communications networks or publicly available electronic communications services
- Trust service providers
- TLD name registries and DNS service providers (except operators of root name servers)
- Entities that are the sole provider in a Member State of a service essential for the maintenance of critical societal or economic activities
- Entities whose disruption of service could have a significant impact on public safety, public security or public health
- Entities whose disruption of service could induce a significant systemic risk with cross-border consequences
- Entities the Member State considers critical because of their specific importance at national or regional level
- Public administration bodies of central government as defined by the Member State, and critical public administration bodies at regional level
- Critical entities identified under Directive (EU) 2022/2557 (the CER Directive)
- Entities providing domain name registration services

The new directive also applies indirectly to the service providers and suppliers of affected entities, because supply chain security is one of the required measures and affected entities must pass corresponding requirements on to their suppliers.
Cybersecurity measures are a MUST
The following cybersecurity measures must be implemented by affected companies:
- Policies: concepts for risk analysis and for the security of information systems
- Incident management: detection, analysis, containment of and response to incidents
- Business continuity: backup management and disaster recovery, crisis management
- Supply chain: security in the supply chain, including the relationship with direct suppliers and service providers
- Purchasing: security in the acquisition, development and maintenance of IT systems, including vulnerability handling and disclosure
- Effectiveness: procedures to evaluate the effectiveness of the risk management measures
- Cyber hygiene and training: basic cyber hygiene practices (e.g. patching and updates) and cybersecurity training
- Cryptography: policies on the use of cryptography and, where appropriate, encryption
- Personnel, access, assets: human resources security, access control policies and asset management
- Authentication: use of multi-factor authentication or continuous authentication solutions
- Communication: secured voice, video and text communications and, where appropriate, secured emergency communication systems
KRITIS
NIS‑2 is a further development of security measures that are already established in many companies through ISO standards or through national legislation such as the German KRITIS Regulation (BSI-KritisV) or the IT Security Act 2.0 (IT-SiG 2.0). With the introduction of NIS2, these requirements are harmonized across Europe, building on the efforts and investments companies have already made.
Even if you as an SME are not directly affected, cybersecurity is an issue that management should prioritize: as a managing director you are personally liable, and as a small or medium-sized company you face the difficult task of choosing the right level of investment in the corresponding infrastructure.
What is the state of cyber security in your company?