The clock is ticking… Are you ready?
There are many reasons why businesses today have concerns, and at the top of the list are worries about the proper implementation of the European NIS2 Directive. Among the most common concerns are high implementation costs, a shortage of skilled professionals, stricter reporting requirements, severe penalties, and the overall complexity of ensuring compliance.
Companies therefore need thorough preparation and support to successfully meet the new NIS2 requirements.
What is NIS2 and why is it important?
It almost feels like déjà vu: suddenly the deadline arrives, and many businesses, just like with the General Data Protection Regulation (GDPR), are poorly or not at all prepared. However, the revised Network and Information Security Directive (NIS2) already came into force on January 16, 2023. EU member states have until October 17, 2024, to transpose the NIS2 Directive into national law. From this date on, companies must meet the stricter requirements.
The urgency of implementing the NIS2 Directive
As the deadline approaches, the topic is gaining priority for businesses of all sizes. However, it’s not just another regulation. The NIS2 Directive brings benefits for all of us: companies, government institutions, and private individuals are increasingly affected by cyber threats such as hacker attacks, data breaches, and targeted cyberattacks. The consequences of such attacks are severe, ranging from financial losses and stolen identities to disruptions of critical infrastructures.
Growing threats demand new security standards
The amount of sensitive data processed digitally continues to grow, increasing the risk of data breaches. To strengthen cybersecurity in critical infrastructures and improve protection against emerging threats, the European Union has developed the NIS2 Directive as a revised version of the 2016 NIS Directive. NIS2 tightens the requirements for businesses and defines which sectors must implement stricter security measures.
Which companies are affected?
The directive primarily affects sectors considered critical to the economy and society. These include energy providers, banks, healthcare services, transportation companies, and digital service providers that operate online marketplaces, search engines, or social network platforms. These companies must adhere to higher security standards and conduct regular security assessments.
Important measures for critical infrastructures
The German Federal Office for Information Security (BSI) plays a key role in implementing the NIS2 Directive, particularly for operators of so-called Critical Infrastructures (KRITIS), which include energy suppliers, water utilities, transport systems, and hospitals. For these entities, it is especially crucial to implement cybersecurity measures to protect their systems and data from attacks. A key aspect of these security measures includes strong authentication procedures and effective access controls. These ensure that only authorized individuals have access to sensitive data and systems, safeguarding the facilities’ security and the integrity of operational processes.
Consequences of non-compliance
Time is running out for companies that have not yet implemented the NIS2 Directive. Inaction risks heavy fines, which can amount to up to 10 million euros or 2% of global annual revenue—whichever amount is higher. Implementing the directive is, therefore, more cost-efficient than risking penalties.
Additional risks and legal consequences
In addition to financial penalties, companies also face legal consequences. These include the revocation of operating licenses or exclusion from public contracts. The greatest risk, however, remains the threat of cybercrime: failing to meet cybersecurity requirements opens the door to cybercriminals. Security incidents can lead to significant business disruptions, reputational damage, and long-term financial losses that, in the worst case, may lead to insolvency.
NIS2 harmonizes cybersecurity across Europe
Moreover, the NIS2 Directive plays a key role in harmonizing cybersecurity across Europe, as the digital world knows no borders. By establishing mandatory standards for IT security and requiring the reporting of security incidents, the directive aims to build trust in digital systems and uniformly raise cybersecurity standards.
Companies that meet the NIS2 requirements will be much better equipped to respond to cyber threats and secure their IT systems against attacks. Additionally, cooperation between EU member states will improve, enabling faster and more effective responses to future threats.
NIS2 made easy: Immutable storage contributes to compliance
The new NIS2 Directive presents companies with the challenge of enhancing their cybersecurity measures and ensuring data integrity. With immutable storage, businesses can ensure that critical data is permanently protected and cannot be altered. This technology not only provides increased security but also meets the stringent requirements of NIS2.
Discover how immutable storage can help your company comply with the directive while safeguarding your sensitive information.
Key Requirements and Objectives of NIS2
With its expanded scope, NIS2 covers a much larger portion of the digital economy. Companies that previously did not have to implement extensive security measures now face the challenge of fundamentally rethinking and rapidly adapting their cybersecurity strategies.
Enhanced Obligations for Businesses
Under the NIS2 Directive, companies must implement strengthened security measures. This includes improved risk management, measures to prevent cyberattacks, and the establishment of protocols for responding to security incidents. In particular, reporting obligations have been expanded: companies are now required to report cyberattacks and security-related incidents to the relevant authorities within 24 hours of discovery. This ensures quicker responsiveness and minimizes the risk of damage. Additionally, NIS2 mandates that companies conduct regular audits and penetration tests to identify and address vulnerabilities in their systems early on.
Affected companies must therefore develop a clear cybersecurity strategy aimed at protecting their networks, data, and systems. Furthermore, these companies are required to establish effective crisis management, which includes the ability to respond quickly and systematically to security incidents, as well as having a plan for damage control and recovery of affected systems. New requirements also include appropriate employee training to raise awareness of cybersecurity risks.
Expanded Scope
A significant difference between the original NIS Directive and NIS2 is the expanded scope. While NIS1 primarily focused on critical infrastructures such as energy, health, and transportation, NIS2 encompasses a broader range of companies and sectors. Newly included in the scope are providers of cloud services, data centers, digital communication services, and the supply chains of these companies. The public sector, including government agencies managing sensitive data, is now also subject to the requirements of NIS2. Companies classified as “essential” or “important” must meet the heightened security requirements. Stricter obligations also apply to smaller organizations that play a key role in digital infrastructure.
Which New Companies Are Affected?
Under NIS2, many companies that were previously not bound by cybersecurity regulations are now included. This particularly affects operators of digital platforms, such as e-commerce businesses and social networks, as well as providers of cloud infrastructures that have become essential for many other companies. The directive now also covers internet and telecommunications service providers, IT security vendors, and hardware manufacturers whose products are part of critical infrastructures. Additionally, the financial services sector, including banks, insurance companies, and financial institutions—which already had stricter regulations—will now also be further governed by NIS2. This ensures that not only critical infrastructures but also the companies that enable digital services are significantly more in focus concerning cybersecurity requirements.
The original NIS Directive was adopted by the European Union in 2016 to strengthen the protection of critical infrastructures and IT systems in Europe in light of the increasing threat posed by cyberattacks. Its goal was to serve as the first Europe-wide approach to harmonize cybersecurity measures across member states and to provide greater transparency regarding cyberattacks and IT security incidents in key sectors such as energy, transportation, and health.
Although the original NIS Directive laid an important foundation, various weaknesses and gaps became apparent over time. The advancing digitalization and the exponential growth of connected devices and digital services made it necessary to adapt the directive. In particular, the increasing complexity of cyberattacks and the uneven implementation of the NIS requirements across EU member states necessitated a revision.
NIS2 addresses several gaps that were left open in the original NIS Directive and tightens the requirements for more effective cybersecurity. A key difference is that NIS2 covers a broader range of sectors and companies. While NIS1 primarily focused on critical infrastructures such as energy and transportation, NIS2 now also includes sectors like public administration, digital services, and their supply chains. Additionally, NIS2 imposes stricter reporting obligations for security incidents and sets higher standards for responding to threats. Another change is the introduction of sanctions for companies that fail to meet the requirements, making NIS2 a much more enforceable directive.
The NIS2 Directive also improves cooperation among EU member states. One of the significant weaknesses of the original NIS Directive was its inconsistent implementation across different countries, which led to varying levels of security. NIS2 now emphasizes a harmonized approach, enhancing cooperation and information exchange between member states and companies. Additionally, NIS2 brings substantial improvements in enforcement. The introduction of strict sanctions for violations ensures that companies take cybersecurity measures seriously and actually implement NIS2. By closing such loopholes, the NIS2 Directive can ensure that companies are better equipped to defend against cyberattacks, not just at the national level but across Europe.
What must companies do to comply with the NIS2 Directive?
To comply with the NIS2 Directive, companies should adopt a clear, structured approach. The first step involves conducting a comprehensive risk assessment to identify vulnerabilities in their IT infrastructure and analyze potential threats to company data. Based on these findings, targeted security measures must be implemented.
Key security controls and network protection
Key measures include implementing access controls, utilizing encryption technologies, and protecting networks. Companies should also develop a detailed incident response plan that outlines how to proceed in the event of a security incident. This plan should define clear responsibilities, establish communication channels, and include measures for restoring affected systems and data. Regular testing of the plan is essential to ensure the effectiveness of the measures.
Technical and organizational security measures
From a technical standpoint, companies should update their IT systems. This includes using advanced security solutions such as firewalls, Intrusion Detection Systems (IDS), and Security Information and Event Management (SIEM) systems. Regular software updates and effective patch management are necessary to close known vulnerabilities.
Organizationally, companies must adapt their internal processes to meet the new compliance requirements. This involves implementing security policies, training employees on cybersecurity issues, and establishing a continuous monitoring process. Regular training ensures that all employees are kept informed about current threats and security practices.
Documentation and evidence of compliance with NIS2
Companies should also keep all relevant documents and evidence that demonstrate compliance with the NIS2 Directive up to date. These documents must be made available to supervisory authorities upon request. Through these measures, companies create a robust security structure and are better equipped to face future cyber threats.
Potential developments of NIS2
The development of the Network and Information Security Directive is far from over with NIS2. To meet the continuously changing requirements in the field of cybersecurity, the NIS2 Directive will also need to be continuously adapted in the future. Future versions may impose stricter requirements on the security architectures and practices of companies to better address rising cyber risks.
Incorporating new technologies
The integration of new technologies such as Artificial Intelligence (AI) and quantum computing will also play a crucial role in keeping the directive current and relevant. These technologies could contribute both to enhancing security measures and increasing threats, making their consideration in the directive’s development necessary.
Collaboration and cross-border reporting
Another potential area for expanding the NIS2 Directive is intensifying collaboration between EU member states. Creating a unified framework for cross-border reporting and handling of security incidents would be a significant advancement in cybersecurity.
Sector-specific requirements
Moreover, future versions of the directive could establish additional regulatory requirements for specific sectors or technological developments. This would be necessary to ensure security in emerging and innovation-driven areas as well.
Cybersecurity: European and global trends
The NIS2 Directive is part of a larger European and global trend toward enhanced cybersecurity measures. At the European level, NIS2 is complemented by other key regulations such as the General Data Protection Regulation (GDPR) and the Cybersecurity Act, which create a comprehensive legal framework for protecting data and networks. Internationally, NIS2 reflects the growing importance of cybersecurity as a global concern, supported by national legislation and international agreements in many countries.
Global trends include increasing collaboration among states and organizations to combat cybercrime and improve cyber resilience. Initiatives by the International Organization for Standardization (ISO) and the Forum of Incident Response and Security Teams (FIRST) set global standards that influence and support the approach of NIS2.
In an increasingly interconnected and digitized environment, it becomes evident that harmonized and coordinated security strategies are necessary at both the European and global levels to ensure effective protection and resilience against cyber threats.
Recommendations for companies
To comply with the NIS2 Directive, affected companies must take proactive steps to strengthen their cybersecurity strategies. The starting point for all measures is a thorough risk assessment; without knowledge of the vulnerabilities in the existing IT infrastructure, they cannot be eliminated in a targeted way. Implementing security controls, keeping those controls and the assessment results up to date, conducting regular employee training, and developing a comprehensive incident response plan are further essential measures. Only those who continuously monitor, review, and properly document all security measures can meet the NIS2 requirements. The digital world is highly dynamic, and cybersecurity is constantly evolving. Companies that take NIS2 seriously stay informed and even participate in industry-specific initiatives to adopt best practices and remain up to date.
Conclusion
Companies that have ignored new technologies and security standards for an extended period now face a challenge. It is often not enough to simply allocate a budget; internal processes, responsibilities, and accountabilities are also under scrutiny.
However, look at the positive side: new systems and processes can improve workflows and make operations more efficient. And if you seize the opportunity to strengthen your resilience against cyber threats, don’t forget to communicate this to your existing and future customers! Regardless of whether your company falls under the NIS2 Directive, customers increasingly value the protection and security of their data and are actively seeking trustworthy partners.
Marco Matthias Marcone
Head of Marketing, RNT Rausch GmbH