NIS-2 Directive: new standards in cybersecurity
The NIS-2 Directive (“Network and Information Security Directive”) is a key initiative aimed at enhancing the security and integrity of networks and information systems across the European Union. NIS-2 was published in the Official Journal of the EU (L333) on December 27, 2022, and came into force on January 16, 2023. EU member states are required to transpose the directive into national law by October 2024. In Germany, a draft bill for implementation – NIS-2 Implementation and Cybersecurity Enhancement Act (NIS-2UmsuCG) – has been available since July 2023.
Scope and requirements
Building on the 2016 NIS Directive, NIS-2 sets new cybersecurity requirements for critical infrastructures (KRITIS) in the EU. The directive is a crucial component of the EU’s cybersecurity strategy, aiming to better protect critical infrastructures from cyber threats and ensure a high, EU-wide level of security. Numerous measures have been defined, including the establishment of national Computer Emergency Response Teams (CERTs), development of coordinated incident response plans, and improved cooperation between public and private entities.
The directive imposes stricter requirements on public and private organizations in 18 critical sectors with more than 50 employees or annual revenues of at least €10 million. Among the 11 highly critical sectors are energy, transport, banking, financial market infrastructures, healthcare, drinking water, wastewater, digital infrastructure, ICT service management, public administration, and space. The 7 other critical sectors include postal and courier services, waste management, chemical production and trade, food production and distribution, manufacturing, digital service providers, and research.
Reporting and compliance obligations
Affected organizations must address cybersecurity risk management, monitoring, incident handling, and business continuity. Significant security incidents must be reported to the Federal Office for Information Security (BSI) within defined deadlines:
- Immediate reporting: Severe incidents with a significant impact on essential or digital services must be reported within 24 hours, especially if network or information system security is directly threatened.
- Short-term reporting: Early warnings must be submitted within 24 hours of detecting a security incident if there are signs of malicious or unlawful causes or if the incident may have cross-border effects.
- Medium-term reporting: A detailed report must be submitted within 72 hours of becoming aware of a significant incident. It updates the initial information, assesses the incident's severity and impact, and provides any available indicators of compromise.
- Progress/final report: Within one month of submitting the incident notification, a final report must describe the incident in detail, including its severity, impact, threat type, root cause, remedial actions taken, and any cross-border effects.
Compliance with NIS-2 is enforced through strict liability rules for management, and failure to comply may result in severe penalties. Management must oversee implementation, take part in training themselves, and ensure that employees are trained. Non-compliance can result in fines of up to €10 million or 2% of global annual turnover from the previous fiscal year, whichever is higher. NIS-2 also creates the potential for personal liability of executives, adding legal and financial implications for corporate leadership.
Conclusion
The NIS-2 Directive marks a pivotal moment in European cybersecurity policy. While the challenges are significant, they can be managed through thorough preparation and a solid understanding of the requirements. The German Security and Defense Industry Association is available to assist organizations in navigating the adaptation process and ensuring compliance with the new standards.