The NIS 2 Directive - Everything you need to know

With the NIS 2 Directive, the EU has increased its requirements for the cyber security of companies and institutions. The aim is to ensure a higher level of protection against cyber attacks. The directive affects numerous industries and prescribes stricter measures for cyber risk management and incident management. In this article, we will go through the most important changes in this directive and those affected by it.

The NIS-2 Directive (“Network and Information Security Directive”) regulates the cyber and information security of institutions and companies. It was published in the Official Journal of the EU on December 27, 2022 and came into force on January 16, 2023. EU countries must transpose it into national law by October 17, 2024. In July 2023, the Federal Ministry of the Interior presented a draft law known as the NIS-2 Implementation and Cyber Security Strengthening Act (NIS-2UmsuCG).

In order to harmonize and improve the level of security in the member states, the NIS-2 Directive expands the requirements and sanctions in the area of cybersecurity and contains stricter requirements for certain sectors. Cyber risk management, control and monitoring, incident management and business continuity are some of the tasks that companies and organizations will have to deal with. The directive also increases the number of sectors within its scope. The management of these organizations is subject to stricter accountability rules.

Who is affected by the NIS 2 Directive?

The NIS 2 Directive applies to companies with more than 50 employees or an annual turnover of more than 10 million euros and a balance sheet of less than 43 million euros. According to the latest NIS-2UmsuCG, it is sufficient if one of the two conditions is met. Large companies with more than 250 employees and an annual turnover of more than 50 million euros are particularly affected.

Important for group companies: If you share the IT infrastructure within your group, your employees and turnover are added together!

Which sectors are covered by the NIS 2 Directive?

The NIS 2 Directive applies to companies and public institutions that meet the above-mentioned thresholds and are active in one of the affected sectors.
The sectors concerned include:

  • Energy (electricity, district heating and cooling, oil, natural gas, hydrogen)
  • Transport (air transport, rail transport, shipping, road transport)
  • Banking (credit institutions)
  • Financial market infrastructures (trading venues, central counterparties)
  • Healthcare (healthcare providers, EU reference laboratories, pharmaceutical research, pharmaceutical companies, manufacturers of critical medical devices)
  • Drinking water (water supply)
  • Wastewater (municipal, domestic, industrial wastewater)
  • Digital infrastructure (internet nodes, DNS services, TLD name registries, cloud computing, data centers, content delivery networks, electronic communication services)
  • Management of ICT services (business-to-business services, security services)
  • Public administration (central and regional administrative facilities)
  • Space (ground infrastructures for space-based services)
  • Postal and courier services (postal services, courier services)
  • Waste management (waste management companies)
  • Production, manufacture, and trade of chemical substances (chemical production and trade)
  • Production, processing, and distribution of food (food production and processing)
  • Manufacturing/production of goods (medical devices, electronic devices, electrical equipment, mechanical engineering, motor vehicle and vehicle construction)
  • Providers of digital services (online marketplaces, search engines, social network platforms)
  • Research (research institutions)

Companies in the supply chain of the above-mentioned sectors are also indirectly affected as service providers.

What are the requirements of the NIS 2 Directive?

To ensure the security of their network and information systems, the NIS-2 Directive obliges the companies concerned to take technical, organizational and operational measures. These tasks are to be managed at the highest management level, which makes the EU NIS-2 Directive a matter for top management.
The most important requirements include:

  1. Risk management: Companies must carry out risk analyses and develop security measures to minimize threats to their information systems.
  2. Dealing with security incidents: Companies must develop response plans to limit the impact of security incidents and ensure continuity of services.
  3. Business continuity: Companies need to implement measures such as backup management, disaster recovery, and crisis management to maintain business operations.
  4. Supply chain security: Companies must ensure that their suppliers and service providers also comply with security standards in order to protect the entire supply chain.
  5. Vulnerability management: Security gaps must be systematically monitored, reported, and remedied.
  6. Training and cyber hygiene: Regular employee and management training is mandatory to ensure that everyone is aware of current threats and security measures. This also includes basic security practices such as software updates and password management.
  7. Encryption and authentication: The use of encryption technologies and multi-factor authentication is mandatory to protect sensitive data.

Notification and reporting obligations

An essential component of the NIS 2 directive is the obligation to report significant security incidents quickly. Companies must ensure that they are able to report and respond to incidents in a timely manner. The reporting obligations include:

  • Early warning within 24 hours: Security incidents must be reported as soon as they are known.
  • Initial assessment within 72 hours: An initial assessment of the incident and its impact must be made.
  • Final report after one month: A detailed report must be prepared describing the incident, the causes and the measures taken.

Classification according to NIS-2

A distinction is made between “particularly important institutions” (i.e. companies with at least 250 employees or a turnover of over EUR 50 million or a balance sheet of EUR 43 million) and “important institutions” (companies with at least 50 employees or a turnover or balance sheet of EUR 10 million):

  • Particularly important institutions: They are subject to proactive regulatory oversight and can be fined up to EUR 10 million or 2% of annual worldwide turnover, whichever is higher.
  • Important institutions: They are monitored reactively, i.e. inspections usually take place following indications of violations. Fines can be up to 7 million euros or 1.4% of annual turnover, whichever is higher.

Consequences of non-compliance

If the requirements of the NIS 2 Directive are not complied with, companies can face significant penalties. In addition, the supervisory authorities can carry out on-site inspections and request evidence. While particularly important institutions are inspected proactively and regularly, important institutions are monitored reactively, usually following indications of non-compliance.

Liability of the company management

A key aspect of the NIS 2 Directive is the personal liability of company management. Managers are responsible for compliance with the security measures. If they breach their duties, they can be held personally liable for the damage caused. The upper limit for this liability is 2% of the company's global annual turnover.

How heyData supports the implementation of NIS 2 requirements

heyData offers comprehensive support in the implementation of the NIS 2 directive, from risk analysis and training to documentation and reporting. With customized solutions, heyData helps your company to meet the requirements of the NIS 2 Directive and strengthen cyber security.

  • Audit: Annual compliance analysis for risk assessment
  • Documentation: Creation of documentation such as risk assessments and guidelines
  • Training courses: IT security training for all employees and management
  • Expert support: Expert advice on all compliance issues

Rely on heyData to ensure your organization is NIS-2 compliant and optimally protected against cyber threats.

FAQ

The NIS-2 directive is an EU cybersecurity directive that took effect on January 16, 2023. It follows the NIS directive, which was introduced in 2016. NIS stands for Network and Information Security. The NIS 2 Directive, like its predecessor, aims to oblige large and medium-sized entities in many sectors in EU member states to protect themselves from cyber-attacks and to establish a uniform level of protection across Europe.

The NIS 2 Directive introduces new requirements and obligations for organizations in four overarching areas: risk management, corporate responsibility, reporting requirements, and business continuity. This is to strengthen Europe's resilience against current and future cyber threats.

Large and medium-sized companies in the following sectors are affected:

High-criticality sectors:

  • Energy
  • Transport
  • Banking
  • Financial market infrastructures
  • Healthcare
  • Drinking water
  • Waste water
  • Digital infrastructure
  • Management of ICT services (B2B)
  • Public administration
  • Space

Other critical areas:

  • Postal and courier services
  • Waste management
  • Chemicals
  • Food
  • Manufacturing
  • Digital service providers
  • Research

Companies must report significant cybersecurity incidents to the relevant authorities within 24 hours of their discovery. This includes an initial announcement, followed by detailed updates as more information becomes available. To ensure comprehensive documentation and response, the directive also specifies interim and final incident reports.

It may be advisable to have an expert like heyData at your side to be able to react quickly and competently in the event of an incident.

How can my organization prepare for compliance with the NIS-2 directive?

To prepare for compliance with the NIS-2 directive and its national implementation, organizations should:

  1. Determine whether they fall within the scope of the directive.
  2. Conduct a comprehensive risk analysis.
  3. Implement mandatory cybersecurity measures.
  4. Develop an incident response plan.
  5. Ensure that senior management is involved and takes responsibility.
  6. Strengthen security practices in the supply chain.

The high requirements for network and IT security are intended to ensure unrestricted availability and a high level of protection for important services. Residents and companies in the EU should be able to rely on IT infrastructure that offers a high level of confidentiality and integrity. Standardizing the requirements makes it easier for companies to comply with them and to work together. In this way, the directive supports innovation, stability, and competitiveness in the EU and prevents economic damage.

NIS 2, the second version of the Directive on Security of Network and Information Systems, came into force throughout the EU at the beginning of 2023. The EU member states must transpose the directive into national law by October 17, 2024. The German Federal Ministry of the Interior has already presented a draft bill for the NIS 2 Implementation Act (NIS-2UmsuCG).