NIS 2 Directive 2024: A guide for companies

NIS2: New standards for cyber security in Europe

Why companies need to act now

With NIS2, the EU is tightening the security requirements for network and information systems. Companies from almost all sectors are affected. Those who fail to prepare in good time risk fines and operational disruption. Now is the time to adapt structures and processes.

Important new features of the NIS2 directive:

The question: How well prepared is your company for the implementation of the NIS2 requirements?

In July 2016, the Directive on security of network and information systems (NIS, Directive (EU) 2016/1148) was adopted. The aim of this directive was to increase cyber resilience throughout the European Union through regulatory measures. It focused on strengthening cybersecurity capabilities at national level, improving cooperation between member states and embedding cybersecurity in the DNA of organizations.

In December 2022, the European Union adopted a new version of the Network and Information Security Directive (Directive (EU) 2022/2555), which entered into force in January 2023. This “NIS2” aims to bring the EU up to date and create a higher common level of cybersecurity and resilience in organizations across the European Union.

EU member states must transpose NIS2 into national law by October 17, 2024; the new rules apply from October 18, 2024. Companies should start preparing for compliance now.

What is new about the NIS2 directive?

Extension of the scope of application

The new directive extends the scope to further sectors and focuses on providing guidance to ensure consistent implementation across EU member states. NIS2 defines two categories of entities: essential entities and important entities.

Important entities (sectors such as):

Digital providers (online marketplaces, search engines, social networks)

Manufacturing

Postal and courier services

Waste management

Chemicals

Food

Research facilities

Essential entities (sectors of high criticality, such as):

Energy

Road, rail, air and water transportation

Drinking water and waste water

Health

Public administration

Digital infrastructure and ICT service management

Banking and financial market infrastructures

Entities in both categories must implement the same risk management measures, but are subject to different supervision and enforcement regimes. Essential entities are subject to ex-ante supervision (regular audits and inspections) from the moment the NIS2 rules apply; important entities are subject to ex-post supervision only, i.e. the authorities act when they receive evidence of non-compliance.

Companies affected by NIS2 (size thresholds):

Large companies: at least 250 employees, or an annual turnover of more than 50 million euros and a balance sheet total of more than 43 million euros

Medium-sized companies: at least 50 employees, or an annual turnover or balance sheet total of more than 10 million euros

As a rule, large companies in the sectors of high criticality are essential entities; medium-sized companies in those sectors and medium-sized and large companies in the other sectors are important entities.

EU member states can also bring smaller companies into scope if they meet certain criteria that indicate a key role for society, the economy or for particular sectors or types of services.

Registration of essential and important entities

By April 17, 2025, Member States must draw up a list of the essential and important entities that fall within the scope of the NIS2 Directive. Member States may allow entities to register themselves. Affected entities must therefore determine whether their services fall within the scope of the NIS2 Directive, identify the Member States in which they provide “in scope” services and register in each of those Member States before the deadline. To register, entities must provide at least the following information:

their name, address and registration number

the sector or sub-sector under which they fall within the scope of NIS2

their up-to-date contact details

the Member States in which they provide services

the range of public IP addresses assigned to them

The final registration procedure and the list of required information will be determined as part of the transposition of the Directive into national law.

Improved collaboration (CSIRT platform)

Another important element of the new directive is the intention to improve cooperation between EU member states on cyber incidents and threats. The European Union Agency for Cybersecurity (ENISA) is tasked with setting up and maintaining a European vulnerability database to facilitate knowledge sharing between Member States and affected entities.

Obligation to report incidents

As already established under the NIS1 Directive, each EU Member State designates a single point of contact for the Directive and one or more CSIRTs (Computer Security Incident Response Teams) or a competent authority for incident reporting. In Germany, the Federal Office for Information Security (BSI) is the competent authority for supervising the affected companies. Incidents with a significant impact must be reported by essential and important entities without undue delay, in three stages:

An early warning must be submitted within 24 hours of becoming aware of the significant incident, stating whether malicious activity is suspected and whether a cross-border impact is possible.

An incident notification must be submitted within 72 hours of becoming aware of the incident, including an initial assessment of its severity and impact and any indicators of compromise.

A final report describing the incident in detail, including its root cause, the mitigation measures applied and any cross-border effects, must be submitted no later than one month after the incident notification. The authority may also request intermediate status updates in the meantime.
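The three deadlines above run on two different clocks: the early warning and the incident notification count from the moment the entity becomes aware of the incident, while the final report counts from the submission of the incident notification. The following added example (not part of the original article or of any official NIS2 tooling) tracks those deadlines for an incident response team. The 24h/72h/one-month periods are taken from the text; the handling of "one month" as a calendar month with day clamping, and the incident timestamps, are assumptions made for the example.

```python
from __future__ import annotations

import calendar
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

UTC = timezone.utc


def add_one_month(moment: datetime) -> datetime:
    """Advance by one calendar month, clamping to the last day if needed.

    Assumption for this example: "one month" in the Directive is read as a
    calendar month, so Jan 31 -> Feb 28 (or 29), not a fixed 30 days.
    """
    year, month = moment.year, moment.month + 1
    if month == 13:
        year, month = year + 1, 1
    last_day = calendar.monthrange(year, month)[1]
    return moment.replace(year=year, month=month, day=min(moment.day, last_day))


@dataclass(frozen=True)
class ReportingDeadlines:
    early_warning: datetime          # 24 h after awareness
    incident_notification: datetime  # 72 h after awareness
    final_report: Optional[datetime]  # 1 month after the notification was filed


def nis2_deadlines(aware_at: datetime,
                   notification_filed_at: Optional[datetime] = None) -> ReportingDeadlines:
    """Compute the NIS2 reporting deadlines for a significant incident.

    `aware_at` is when the entity became aware of the incident; both the
    24 h and the 72 h deadlines are measured from it.  The final report is
    due one month after the 72 h notification was actually submitted, so it
    cannot be scheduled until `notification_filed_at` is known.
    All timestamps must be timezone-aware to avoid off-by-hours mistakes
    when the incident and the authority sit in different zones.
    """
    for label, value in (("aware_at", aware_at), ("notification_filed_at", notification_filed_at)):
        if value is not None and value.tzinfo is None:
            raise ValueError(f"{label} must be timezone-aware")
    final = add_one_month(notification_filed_at) if notification_filed_at else None
    return ReportingDeadlines(
        early_warning=aware_at + timedelta(hours=24),
        incident_notification=aware_at + timedelta(hours=72),
        final_report=final,
    )


def overdue_reports(deadlines: ReportingDeadlines, now: datetime,
                    filed: set[str] = frozenset()) -> list[str]:
    """Return the names of reports whose deadline has passed and that are not filed."""
    schedule = {
        "early_warning": deadlines.early_warning,
        "incident_notification": deadlines.incident_notification,
        "final_report": deadlines.final_report,
    }
    return [name for name, due in schedule.items()
            if due is not None and now > due and name not in filed]


if __name__ == "__main__":
    # Constructed sample timeline (assumed, not a real incident).
    aware = datetime(2024, 10, 18, 9, 30, tzinfo=UTC)
    filed_72h = datetime(2024, 10, 20, 14, 0, tzinfo=UTC)
    d = nis2_deadlines(aware, filed_72h)
    print("early warning due:        ", d.early_warning.isoformat())
    print("incident notification due:", d.incident_notification.isoformat())
    print("final report due:         ", d.final_report.isoformat())
    # Two days after awareness, nothing was filed: the early warning is overdue.
    print(overdue_reports(d, aware + timedelta(days=2)))
```

The `final_report` field stays `None` until the 72h notification has been filed, which forces the team to record that submission time rather than guessing the final-report date from the awareness timestamp; in practice this is the deadline most often miscalculated.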

In this respect, the Directive encourages Member States to simplify the incident reporting process by establishing a single entry point for notifications in order to reduce the administrative burden, including for incidents affecting several Member States.

The single point of contact must submit a summary report to ENISA every three months, containing anonymized and aggregated data on the significant incidents notified. ENISA in turn informs the CSIRTs network and the Cooperation Group of its findings every six months. This reporting will help organizations and Member States to learn from other incidents and is a key change in the new NIS2 Directive.

Focus on important supply chains

Recent incidents around the world have highlighted the importance of continuity within critical supply chains, which is why the NIS2 Directive introduces this as one of the key areas of focus. Individual companies will be responsible for considering cyber security risks in their own supply chains as well as in their relationships with their suppliers.

This requirement will have an indirect impact on many suppliers who do not fall within the scope of the new NIS2 Directive themselves, but who supply services or products to an entity that does. Their customer may impose a minimum cybersecurity maturity on them, typically through contractual requirements. Such a supplier is not supervised by the national authorities in relation to NIS2, but by its customer. So even if your company does not fall within the scope, NIS2 may affect it depending on the service and industry.

Management accountability

Another important change compared to NIS1 is the accountability that the new directive assigns to the management bodies of the organizations in scope. Management must approve the cybersecurity risk management measures, oversee their implementation and can be held liable for infringements. This includes, among other things, conducting risk assessments and approving the risk treatment plans to be implemented. To be able to do this, members of management bodies are required to follow cybersecurity training. The directive also encourages organizations to offer similar training to their employees on a regular basis.

Jurisdiction

Under the NIS2 Directive, essential and important entities generally fall under the jurisdiction of the Member State in which they are established. There are exceptions: providers of public electronic communications networks or services fall under the jurisdiction of the Member State in which they provide their services, and certain digital entities (such as DNS service providers, TLD name registries, cloud computing, data centre and content delivery network providers, managed service and managed security service providers, online marketplaces, search engines and social networking platforms) fall under the jurisdiction of the Member State in which they have their main establishment.

Where an entity is established in more than one Member State, it is subject to the jurisdiction of each of those Member States. An entity not established in the EU that offers in-scope services within the EU must designate a representative in one of the Member States in which it provides services.

Sanctions

The NIS1 Directive provided for sanctions for non-compliance by operators of essential services (OESs) and digital service providers (DSPs); the NIS2 Directive provides for considerably more severe sanctions, including fines of up to 2% of a company’s total worldwide annual turnover.

For essential entities: administrative fines of up to €10,000,000 or up to 2% of the total worldwide annual turnover in the previous financial year of the undertaking to which the essential entity belongs, whichever is higher.

For important entities: administrative fines of up to €7,000,000 or up to 1.4% of the total worldwide annual turnover in the previous financial year of the undertaking to which the important entity belongs, whichever is higher.

How do you prepare your organization for NIS2?

Based on our experience with NIS1, these are the key aspects your organization should consider to be on the right path to NIS2 compliance.

1. Anticipate and start preparing

Timely preparation is a key element in an organization’s journey to compliance. The support of top management, the approval of stakeholders and the provision of the necessary budget and resources will take time.

Be prepared for delays and commit to strict planning with fixed deadlines. In addition, the implementation of some of the new requirements can be seen as quick wins and defined in advance, e.g. escalation of incidents and reporting to the relevant authorities.

2. Identify the critical processes in your company

The starting point on the road to compliance is to identify the organization’s critical services, processes and assets that provide the essential service defined in NIS2.

One method to achieve this is to conduct an organization-wide business impact assessment to identify the organization’s critical processes and their dependency on network and information systems. A critical element for scoping is defining the business impact criteria that cause a process, site or facility to fall within the scope.

3. Implement a risk and information security management system

Companies that fall within the scope of the NIS2 directive must manage their information security risks on the basis of an all-hazards approach. To meet this requirement, a risk and information security management system (for example one aligned with ISO/IEC 27001) should be introduced.

Such an information security management system aims to identify, address and monitor the company’s information security risks and ensure that responsibilities are defined and key processes are functional, such as

Risk management and security guidelines for information systems

Treatment and management of incidents

Business continuity and crisis management (backups, disaster recovery)

Security of the supply chain

Security in the procurement, development and maintenance of networks and information systems, including the handling and disclosure of vulnerabilities

Strategies and procedures for assessing the effectiveness of cybersecurity risk management measures

Policies on cryptography and encryption, and the use of multi-factor authentication

People, awareness and training

4. Initiate your IT supply chain security management process

Take a close look at your IT suppliers and partners, especially those that are critical to the continuity of your operations. Knowing the weaknesses in your IT supply chain and the security gaps at your suppliers will help you tackle the lengthy process of fixing contractual, operational or technical shortcomings.

5. Establish a cyber-oriented culture

One of the most frequently mentioned elements, but one that is difficult to implement in many companies, is a cyber-oriented culture and a mature awareness of information security among employees. Employees should be aware of their roles and responsibilities in relation to the information security ecosystem.

IT staff should have the necessary knowledge to carry out the required checks. And last but not least, management should see cyber security as a key element for the company’s survival in this digital age.

6. Appropriate guidance and support

Our team of experts have mastered NIS1 and are here to help you with NIS2 too. Savecall can help you assess your readiness, define your compliance roadmap, determine your scope, set up and implement your risk and security management frameworks, secure your IT supply chain and optimize your cybersecurity awareness program.

I look forward to your questions!

Daniel Feichtinger

Key Account Mobile Solutions
