NIS 2 Directive: EU directive for more cyber security
In an increasingly networked world, cybersecurity and the protection of our digital infrastructures are of crucial importance. The NIS2 Directive, the latest development of the Network and Information Systems Directive (NIS), aims to strengthen the security of the digital landscape in the European Union. But what exactly is behind this directive and how does it affect companies and organisations?
In this blog post, we take a detailed look at NIS2 and the goals and requirements of the directive. We explain the differences between NIS2 and its predecessor NIS, as well as other relevant laws and standards such as ISO 27001. In addition, we analyse the potential impact on German companies and discuss the necessity of implementation.
Key information on the NIS2 Directive
- NIS2 is the further development of the original NIS Directive (Network and Information Systems Directive), which was first adopted in 2016.
- The aim of both directives is to strengthen cyber security and protect the digital infrastructure and critical services from cyber threats.
- On 16 January 2023, the so-called NIS2 Directive came into force. The EU member states have until 17 October 2024 to transpose the directive into national law.
- The NIS2 Directive affects more organisations and requires stricter security measures. Companies that do not fulfil the requirements of NIS2 risk fines, which are also significantly higher than under the predecessor directive.
Full title of the directive
Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 concerning measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972 and repealing Directive (EU) 2016/1148 (NIS2 Directive)
Whitepaper NIS-2 Directive: EU Directive for more cyber security
In the white paper NIS-2 Directive you will find:
- Information on the background and origin of the NIS-2 Directive
- Information on its connection with other laws and guidelines
- Requirements that the organisations concerned must implement
- Information on penalties and sanctions
What is NIS2: This is what the new EU cyber security directive says
The complete designation of the NIS Directive is “Network and Information Systems Directive”, which can be translated into German as Richtlinie über die Netz- und Informationssicherheit. The NIS Directive is a directive of the European Union that aims to strengthen cyber security in the EU. The directive was adopted in 2016 and was then to be implemented by the EU member states by May 2018.
In December 2022, the successor, the NIS2 Directive, entered into force. The NIS2 Directive builds on the original NIS Directive of 2016. NIS2 was developed to further strengthen cybersecurity across the EU and to respond to current developments in the digital sphere by tightening the requirements for organisations and promoting cooperation at EU level. This is an important step towards better managing the increasing cyber threats in the digital world.
The NIS Directive applies to operators of critical infrastructures (KRITIS), i.e. companies and organisations whose systems and services are essential for the maintenance of important social functions. These include companies in the energy, water, transport, finance, healthcare and telecommunications sectors.
Innovations: More cyber security through the NIS 2 directive
The reasons for the legislative changes from NIS to NIS2 are the sharp rise in cyber attacks in recent years, increasing digitalisation, such as the use of artificial intelligence, and the need for standardised regulation among all EU member states.
The NIS 2 Directive has the clear aim of strengthening cyber security and making the digital landscape in Europe more secure. With the directive in force, the requirements for companies and organisations are increased, security certification is promoted and cooperation at European level is strengthened.
Overview of the new features of the NIS 2 Directive:
- Sectors: The essential sectors have been expanded to eleven and the important sectors to seven. Eighteen sectors are therefore covered by the new NIS2 Directive. This means that a wider range of companies and organisations will have to raise their security standards.
- Facilities: Organisations with 50 or more employees or an annual turnover of 10 million euros or more are affected. Some organisations fall under the NIS2 Directive regardless of their size.
- Supply chains: The NIS 2 Directive sets out new requirements for the cyber security of supply chains. These requirements are intended to help companies be better prepared for cyberattacks that occur via their supply chains.
- Cooperation: Supervision and cooperation between authorities and organisations in the EU will be expanded.
- Certification of products and services: The introduction of cyber security certifications should make it easier for consumers and companies to opt for more secure solutions.
- Sanctions: The NIS 2 Directive provides for significantly higher penalties for violations of the Directive, ranging from fines to imprisonment.
Current status of implementation in Germany
At European level, the NIS2 Directive came into force in January 2023. In Germany, the implementation process is still in full swing. In September 2023, the Federal Ministry of the Interior published a third draft of the NIS2 Implementation Act. All EU member states have until 17 October 2024 to transpose the EU directive into national law.
Origin of the NIS 2 Directive
On 6 July 2016, the EU directive “NIS” (Network and Information Security Directive) was adopted, and it has been in force since 9 August 2016. The European NIS Directive was implemented in Germany through the Act to Increase the Security of Information Technology Systems (IT-Sicherheitsgesetz).
The IT Security Act came into force on 25 June 2017 and previously applied in particular to operators of critical infrastructures (KRITIS), i.e. companies and organisations whose systems and services are essential for the maintenance of important social functions. The NIS 2 Directive now applies to all companies and organisations operating in the sectors listed in Annex I of the Directive. These include energy, water, transport, finance, healthcare and telecommunications. The NIS Directive originally only applied to operators of critical infrastructure (KRITIS).
Requirements of the NIS2 Directive
The NIS2 Directive is intended to help operators of critical infrastructures to better protect their information systems and prevent or at least mitigate cyberattacks.
The most important requirements of the NIS-2 Directive are:
Obligation to introduce an information security management system (ISMS)
Companies and organisations affected by the NIS 2 Directive must introduce and operate an Information Security Management System (ISMS). The ISMS is a holistic approach to ensuring information security. It comprises the planning, implementation, monitoring, evaluation and improvement of information security measures.
Regular performance of risk assessments
Companies and organisations must practise active risk management, including regular risk assessments. The risk assessments should identify the potential threats and risks to the information security of the company's systems and services.
Reporting cyber incidents to the competent authorities
Companies and organisations must report cyber incidents to the competent authorities. Reports must be made within 24 hours if the incident could have a significant impact on the functioning of the organisation's systems and services.
Exchange of information on cyber incidents between EU member states
The competent authorities of the EU member states must exchange information on cyber incidents. The exchange of information is intended to improve the response to cyber incidents.
Additional requirements for Germany
In addition to the requirements of the NIS 2 Directive, the IT Security Act 2.0 will also contain additional requirements that are currently being defined by Germany. These include the obligation to appoint an information security officer and to carry out cyber security exercises.
Which companies must implement NIS2?
According to NIS 2, organisations from a variety of critical sectors must implement the directive. The directive differentiates organisations according to the size and criticality of their systems and services for the maintenance of important social functions. There are special cases that are obliged to implement the directive regardless of the size of the organisation.
Affected organisations
This applies to public and private organisations in the following 18 sectors with at least 50 employees or at least EUR 10 million in annual turnover and annual balance sheet total.
Special cases that are affected regardless of size
- Providers of public electronic communications networks or publicly available electronic communications services
- Trust service providers
- TLD name registries and DNS service providers (except operators of root name servers)
- Sole providers that are essential for society and the economy
- Facilities whose failure would have a major impact on public order, safety or health
- Facilities whose failure could lead to a systemic risk with cross-border consequences
- Facilities that are critical due to special national or regional importance
- Central government public administration organisation defined by the EU Member State or critical public administration organisation at regional level
- Critical infrastructures according to Directive (EU) 2022/2557
- Entities providing domain name registration services
Essential and important organisations
The NIS2 Directive distinguishes between essential and important organisations. The main difference lies in the criticality of their systems and services for the maintenance of important societal functions.
Essential facilities are essential to the maintenance of these functions, while important facilities are not essential to the maintenance of these functions, but their disruption could still have a significant impact.
It is worth noting that under NIS2, significantly more facilities will in future be obliged to implement the requirements. This is because the new directive's classification into critical and highly critical sectors means that the EU member states no longer have the freedom to decide which organisations are addressed. This means that the size of organisations is no longer decisive.
The previous classification criteria of the “Verordnung zur Bestimmung Kritischer Infrastrukturen nach dem BSI-Gesetz – BSI-KritisV” and of the catalogue of covered entities of the IT Security Act 2.0 will no longer apply once the new rules enter into force.
Essential organisations
- Criticality: Essential for the maintenance of important social functions
- Requirements: All requirements of the NIS 2 Directive must be implemented.
- Sectors of essential organisations:
  - Energy
  - Transport
  - Banking
  - Financial market infrastructures
  - Healthcare
  - Drinking water
  - Waste water
  - Digital infrastructure
  - Management of ICT services
  - Public administration
  - Space
Important organisations
- Criticality: Disruption could nevertheless have a significant impact on important social functions
- Requirements: Some requirements of the NIS 2 Directive must be implemented, but not all.
- Sectors of important organisations:
  - Postal and courier services
  - Waste management
  - Production, manufacture and trade in chemical substances
  - Production, processing and distribution of food
  - Manufacturing/production of goods
  - Providers of digital services
  - Research
Implementation of the NIS 2 Directive
Responsible for the implementation of the NIS 2 Directive
The implementation of the NIS 2 Directive is a joint task of the EU member states and the EU Commission. The EU Commission is responsible for developing the Directive and monitoring its implementation in the Member States.
The member states are responsible for transposing the directive into national law and for monitoring compliance with its requirements by the organisations concerned.
In Germany, the Federal Office for Information Security (BSI) is responsible for the implementation of the NIS-2 Directive. The BSI is a higher federal authority responsible for the security of information technology in Germany.
The BSI has the following tasks as part of the implementation of the NIS 2 Directive:
- Development of guidelines and recommendations for the implementation of the directive
- Advice and support for the organisations concerned in implementing the directive
- Monitoring the implementation of the directive by the organisations concerned
The organisations concerned must implement the defined minimum requirements for cyber security. The management of the organisations concerned is responsible for implementation and monitoring, and can be held liable for inadequate implementation.
Advice on the implementation of the NIS2 Directive
The new EU directive on cyber security is becoming law in Germany. Increase the cyber security of your organisation: we support you in the comprehensive implementation of security measures and legal obligations.
Minimum requirements for cyber security
The EU NIS2 Directive sets minimum requirements for cyber security for essential and important organisations.
The measures must include at least the following:
- Concepts relating to risk analysis and security for information systems
- Management of security incidents
- Business continuity, such as backup management and disaster recovery, and crisis management
- Security of the supply chain, including security-related aspects of relationships between individual organisations and their direct suppliers or service providers
- Security measures in the acquisition, development and maintenance of network and information systems, including management and disclosure of vulnerabilities
- Concepts and procedures for assessing the effectiveness of risk management measures in the area of cyber security
- Basic cyber hygiene procedures and cyber security training
- Concepts and procedures for the use of cryptography and, where applicable, encryption
- Personnel security, concepts for access control and management of systems
- Use of multi-factor authentication or continuous authentication solutions, secure voice, video and text communication and, where appropriate, secure emergency communication systems within the organisation.
Risk management in accordance with NIS-2
The NIS 2 Directive places stricter requirements on the information security of companies and organisations in the EU. This also includes risk management measures. The organisations concerned are obliged to meet the risk management requirements of the NIS 2 Directive.
Risk management is a systematic process for identifying, assessing and dealing with risks. In the area of cyber security, risk management aims to reduce the probability and extent of a cyber attack.
The NIS 2 Directive provides for at least the following risk management measures:
- Introduction of an information security management system (ISMS): An ISMS is a holistic approach to ensuring information security. It comprises the planning, implementation, monitoring, evaluation and improvement of information security measures.
- Regular performance of risk assessments: Risk assessments should identify the potential threats and risks to the information security of the company's systems and services.
- The implementation of technical and organisational risk mitigation measures: The identified risks must be minimised through suitable technical and organisational measures.
Robin Data ComplianceOS® compliance field: Risk management
Digitally implement the requirements of NIS2 for your organisation's risk management. With ComplianceOS, you can systematically identify, assess and treat risks and thus reduce the probability and extent of a cyberattack on your organisation.
Reporting obligations in accordance with NIS2
The NIS2 Directive provides for extensive reporting obligations for the organisations concerned. The reports are intended to give the competent authorities an overview of the organisations' information security measures and help them respond to cyber incidents. The reporting obligations apply to all affected organisations, regardless of whether they are classified as essential or important.
The following reports are required according to NIS2:
- Annual Report: The annual report should provide an overview of the organisation's information security measures. These include the introduction of an ISMS, the performance of risk assessments and the implementation of risk minimisation measures.
- Reporting of cyber incidents: The affected organisation must report cyber incidents to the competent authorities. The report must be made within 24 hours if the incident may have a significant impact on the functioning of the organisation's systems and services.
- Exchange of information on cyber incidents: The affected organisation must share information about cyber incidents with other organisations. The exchange of information is intended to improve the response to cyber incidents.
Implementation of an ISMS in preparation for NIS2
There is some overlap between ISO 27001 and NIS2, particularly with regard to the basic principles and security aspects. We therefore recommend implementing the ISO 27001 requirements, or at least an information security management system, in preparation for the German implementation of the NIS2 Directive.
Risk assessment:
Both standards require a comprehensive risk assessment. ISO 27001 requires organisations to identify and assess information security risks in order to implement appropriate security measures. NIS2 also requires risk assessments to ensure the security of critical services.
Security measures:
Both ISO 27001 and NIS2 emphasise the implementation of security measures. ISO 27001 defines general security controls and procedures that organisations can apply to ensure their information security. NIS2 sets out specific requirements for critical service providers to ensure that appropriate safeguards are in place.
Protection of confidentiality, integrity and availability:
Both standards aim to ensure the confidentiality, integrity and availability of information. ISO 27001 aims to ensure these objectives for all types of information in an organisation, while NIS2 aims to ensure the availability of critical services in important sectors.
Emergency planning:
Both ISO 27001 and NIS2 emphasise contingency planning. ISO 27001 requires the development of contingency plans to restore information security following security incidents. NIS2 requires critical service providers to develop contingency plans to minimise the impact of cyber-attacks and restore service availability.
Monitoring and improvement:
Both standards emphasise the importance of continuous monitoring and improvement of security measures. ISO 27001 requires regular review and adaptation of the information security management system. NIS2 requires service providers of significant importance to constantly review and update their security measures and processes.
Implement ISMS with Robin Data ComplianceOS®
Implement the requirements of NIS2 for an information security management system and achieve NIS2 compliance in good time. Robin Data GmbH's external information security officers will help you to develop and monitor an ISMS in close coordination with your management and other responsible parties.
Penalties and sanctions for violation of NIS2
The NIS2 Directive provides for strict sanctions for violations of the Directive's requirements. The sanctions are intended to motivate companies and organisations to comply with the requirements of the directive and improve cyber security. The competent authorities of the EU member states are responsible for imposing sanctions. The sanctions apply to all affected organisations, regardless of whether they are classified as essential or important.
The following sanctions are possible under NIS2:
- Fines: Fines of up to 10 million euros or 2 % of global turnover, whichever is higher, can be imposed.
- Imposing administrative fines: Administrative fines of up to 10 million euros can be imposed.
- Arrangement of measures to improve information security: The competent authorities can order companies and organisations to take measures to improve information security.
- Closure of facilities: In particularly serious cases, facilities may be closed.
Here are some examples of violations of the NIS2 Directive which can lead to sanctions:
- Failure to introduce an information security management system (ISMS)
- The failure to carry out risk assessments
- Failure to report cyber incidents to the competent authorities
- Non-compliance with the requirements for reporting deadlines
- The provision of insufficient information when reporting cyber incidents
Video on the NIS 2 Directive
Watch the video NIS-2 Directive for more cyber security:
In an increasingly interconnected world, cybersecurity and the protection of our digital infrastructures are crucial. The NIS2 Directive, the latest evolution of the Network and Information Systems Directive (NIS), aims to strengthen the security of the digital landscape in the European Union. But what exactly is behind this directive and how does it affect companies and organisations?
In the recording of the one-hour Robin Data Hack from 12 December 2023, we inform you in detail about the objectives and requirements of the NIS2 Directive. We explain the differences between NIS2 and the previous version NIS as well as other relevant laws and standards. We also discuss the potential impact on German organisations and show you practical solutions for implementation. The Robin Data Hacks take place online and participation is free of charge. Further information, dates and the opportunity to register.
Conclusion
The German law transposing NIS2 is expected in October 2024. For affected German companies, it is nevertheless important to tackle the implementation of the NIS2 requirements on time. This is proving to be challenging, as the wording of the directive leaves a lot of room for interpretation in some cases and the German draft law has not yet been finalised. However, in order to prepare in good time before the German law comes into force, we advise companies to set up an Information Security Management System (ISMS) and to orient themselves on the specifications of the corresponding ISO 27001 standard.
Achieve NIS2 compliance for your organisation with Robin Data
The new EU directive on cyber security is becoming law in Germany. Our consultants implement solutions specifically for the needs of your organisation, from risk and asset management to business continuity concepts and employee training. Together, we implement the requirements of the NIS2 Directive step by step. Achieve NIS2 compliance for your organisation - book a no-obligation introductory meeting.