NIS2 Directive - overview and status quo
What is the NIS2 Directive?
The NIS2 Directive (NIS = Network and Information Security) is a further development of the European Union's original NIS Directive, which came into force in 2016. The aim of NIS2 is to further strengthen cybersecurity in the EU, improve resilience against cyberattacks and increase the resilience of critical infrastructure. The NIS2 Directive was published on December 27, 2022 and came into force on January 16, 2023.
The digital transformation brings numerous benefits, but at the same time increases vulnerability to cyber threats. Attacks on critical infrastructure, such as energy supply, healthcare and transportation, can have serious consequences for society and the economy. Therefore, the NIS2 Directive was developed to ensure a more robust and coherent approach to cybersecurity within the EU.
Who does NIS2 apply to?
By October 2024, all EU Member States must transpose the directive into national law. In addition, from October 2024, all companies from 18 defined sectors with at least 50 employees and a turnover of €10 million will be obliged to implement NIS2.
The sectors affected in Germany are so-called critical infrastructure operators (also known as “KRITIS”), which are already legally obliged by the IT Security Act 2.0 to take information security measures above certain thresholds. However, many municipal utilities are below the thresholds, which is why NIS2 is now expanding existing sectors and adding others:
Sectors with high criticality
- Energy
- Transportation
- Banking
- Financial markets
- Healthcare
- Drinking water
- Wastewater
- Digital infrastructure
- IT/ICT services (B2B)
- Public administration
- Space
Other critical sectors
- Postal and courier services
- Waste management
- Chemicals
- Food industry
- Industry (e.g. mechanical engineering)
- Digital services
- Research
Key innovations of NIS2
- Expanded scope: The directive covers more sectors than its predecessor and the threshold for classification as an “essential service” has been lowered so that more companies and organizations are covered by the directive.
- Increased cooperation and coordination: Closer cooperation between Member States and the EU Agency for Cybersecurity (ENISA) is called for. Joint cybersecurity exercises and the exchange of best practices should be promoted.
- Obligations for companies: Companies will be required to meet enhanced security requirements, including the introduction of risk management measures and specific cyber incident reporting deadlines to enable faster responses.
- Sanctions: The Directive provides for tougher penalties for breaches, including hefty fines to ensure compliance. In addition, national authorities will be given enhanced powers to enforce the directive.
What is the status quo in Germany?
Work is currently underway to transpose the directive into national law. The bill drafted for this purpose is the “NIS-2 Implementation and Cyber Security Strengthening Act” (NIS2UmsuCG). Despite the draft bill and the consultation, the final law is not expected to be passed in Germany on time by October 2024. Other EU countries have also announced that they will not be able to meet the deadline.
What can affected companies already do today?
Despite the lack of legislation, affected companies can already derive important measures from the directive. As the implementation process is complex, it is advisable to start planning and implementing as soon as possible in order to be well positioned once the law has been passed and to avoid sanctions.
We can help you with the review or implementation of the NIS2 directive in your company with expert consultants. Simply get in touch with us:
Crowe BPG Beratungs- und Prüfungsgesellschaft mbH
Christian Maruhn
Phone: 02151 508 400
E-mail: maruhn@crowe-bpg.de