Prepare for the New Security Requirements in NIS-2

Implementation of the NIS-2 Directive: How Companies Prepare for the New Cybersecurity Requirements

A Quick Overview: What Companies Need to Know

  • The NIS 2 Directive, a comprehensive cybersecurity measure of the European Union, aims to raise security standards for critical infrastructures and important companies. Since coming into effect on January 16, 2023, the NIS-2 Directive sets new benchmarks in cybersecurity within the EU. With a deadline of October 17, 2024, for implementation into national law, affected organizations face a significant challenge.
  • This article deals in detail with the requirements of the NIS-2 Directive and offers companies a clear roadmap for implementing the necessary security precautions in a timely manner. Companies must now actively engage with the requirements to avoid potential penalties for non-compliance with the directive.
  • Learn all about the affected companies, recommended actions, and deadlines, as well as the consequences of non-compliance. Our comprehensive analysis provides you with the crucial information to prepare your company for the requirements of the NIS-2 Directive and strengthen cyber resilience in an increasingly digitalized world.

For companies, it is essential to follow stricter security guidelines, as a security breach could have severe consequences, up to the paralysis of entire nation-states. The NIS-2 Directive aims to standardize and specify these security regulations to improve the resilience and responsiveness of both public and private entities within the EU. The overarching goal is to raise the general level of cybersecurity throughout the European Union. This initiative builds on the Network and Information Security Directive (NIS-1) implemented in 2016 and strives to continue and deepen its objectives.

Is the Revision of the NIS-1 Directive Necessary?

The original EU Directive on Network and Information Security (NIS) showed significant weaknesses in practice:

  • Inconsistent regulations across borders
  • Lack of monitoring of implementation
  • Vague requirements for disclosing cyber risks
  • Insufficient level of security
  • The absence of a common strategy for crisis situations

The introduction of the NIS-2 Directive aims to address these issues. It precisely defines which organizations are considered critical infrastructures and to which sector they belong. Furthermore, NIS-2 expands the circle of affected companies, introduces new obligations, foresees stricter penalties, and strengthens the approach in risk management.

Key innovations include clear guidelines on procedures, content, and deadlines for reporting security incidents, as well as on their implementation, monitoring, and enforcement in national law. Moreover, NIS-2 promotes cooperation between private and public entities in crisis situations through the formation of national Computer Security Incident Response Teams (CSIRTs) and the establishment of coordinated incident response plans.

The full text of the NIS-2 Directive and its implementations can be found in the Official Journal of the European Union dated 12/14/2022.

Which Companies Must Comply with the NIS-2 Directive?

The NIS-2 Directive affects a wide range of companies that are essential for maintaining important societal and economic activities. Here is a simplified overview of the main groups subject to the new regulations:

Operators of essential services: This group must determine to what extent individual facilities are subject to the directive’s regulations. They do this based on specific criteria for identifying the relevance of their facilities.

Centrally important and important facilities: These are mainly identified through the size of the company, with both medium-sized and large companies being affected:

Medium-sized companies have two qualification paths:

  • 50 to 249 employees and a turnover of less than 50 million EUR or a balance sheet total of less than 43 million EUR.
  • Less than 50 employees, but a turnover of between 10 and 50 million EUR and a balance sheet total between 10 and 43 million EUR.

Large companies meet one of the following criteria:

  • At least 250 employees or
  • A turnover of at least 50 million EUR and a balance sheet total of at least 43 million EUR.

Note: Even smaller companies that meet certain criteria can fall under the directive. The European Commission distinguishes between companies in “sectors of high criticality” and “other critical sectors”. The exact criteria for these classifications are defined in the NIS-2 Directive and can be found in the following summary:

Particularly critical facilities (“sectors of high criticality” Annex I):

  • Energy: Electricity, district heating and cooling, oil, natural gas, hydrogen
  • Transport: Air transport, rail transport, maritime transport, road transport
  • Banking
  • Financial market infrastructures
  • Healthcare
  • Drinking water
  • Wastewater
  • Digital infrastructure
  • Management of ICT services (Information and Communication Technology services, B2B)
  • Public administration
  • Space

Other critical facilities (“Other critical sectors” Annex II):

  • Postal and courier services
  • Waste management
  • Production, manufacturing, and trade of chemical substances
  • Production, processing, and distribution of food
  • Manufacturing sector/Manufacture of goods: manufacture of medical devices and in vitro diagnostics; manufacture of computer, electronic and optical products; manufacture of electrical equipment; mechanical engineering; manufacture of motor vehicles and motor vehicle parts; other vehicle construction
  • Providers of digital services
  • Research

NIS-2 Implementation Act and the Associated Corporate Obligations

Since September 2023, the third draft of the Act for the Implementation of the EU Directive NIS2 and the Promotion of Cyber Security, known as NIS2 Implementation Act (NIS2UmsuCG), has been under discussion. This act obligates companies to proactively deal with security incidents in the field of information technology. Affected organizations must provide the Federal Office for Information Security (BSI) with comprehensive reports in the event of a security incident. Security incidents are defined as events that either compromise the integrity of stored, transmitted, or processed data or affect the availability or functionality of corresponding services provided or made accessible through IT systems, components, and processes.

Specifically, a security incident is an impairment of the

  • Availability
  • Authenticity
  • Integrity or
  • Confidentiality of the affected data or services

This overview highlights the importance of complying with the NIS2 Implementation Act and the associated obligations for companies to strengthen their cybersecurity infrastructure and respond effectively to security incidents.

Requirements for Companies: Ensuring IT Security and Compliance with Reporting Obligations

Effective Strategies for IT Security and Risk Management

Companies operating relevant systems must implement effective technical and organizational measures (TOM) to ensure their IT security. The following basic measures are expected to be taken:

  • Risk analysis and security for IT systems
  • Handling of security incidents
  • Maintenance and restoration as well as backup management
  • Supply chain security, including the security of relationships between facilities and their service providers
  • Security in development, procurement, and maintenance as well as vulnerability management
  • Evaluation of the effectiveness of IT security and corresponding risk management
  • Training on IT security and cyber hygiene
  • Encryption and cryptography
  • Personnel security, access control, and facility management
  • Multi-factor authentication
  • Secure communication
  • Crisis management and secure emergency communication

Note: Details may change until the law is passed.

Reporting Obligation for Companies

If a security incident occurs at an affected company, an intensified, tiered reporting obligation applies:

1. Within 24 hours of becoming aware of a security incident, a preliminary report must be submitted to the BSI.

2. Within 72 hours, a complete report with an initial assessment of the incident must follow.

3. Within one month, a final report must follow, detailing the incident and the nature of the threat and including cross-border effects.

Sanctions & Fines for Companies: Understanding the Risks of Non-Compliance

To ensure that affected organizations comply with the strict regulations, increased reporting obligations and stricter sanctions apply in case of non-compliance. Summary of the sanction rules:

  • Fines are imposed under a tiered concept of up to 20 million euros
  • Sanctions are imposed for both negligent and intentional fault
  • For important facilities, a maximum fine of 7 million euros or 1.4 percent of the global annual turnover can be imposed
  • For particularly critical facilities, fines can go up to 10 million euros or 2 percent of the global annual turnover, whichever is higher
  • No distinction is made between particularly important facilities and critical infrastructures

Important: Managing directors are liable with their personal assets.

The draft bill from the Federal Ministry of the Interior proposes that managing directors and other executive bodies of companies are liable with their private assets for complying with risk management measures. The fine can be up to 2 percent of the global annual turnover.

NIS-2 Directive: When Does It Become Effective?

The new Directive 2022/2555 (NIS-2) has been effective at the EU level since 2023, but the individual states must implement the directive into national law by October 17, 2024 – by then, companies must also have taken appropriate measures.

The NIS-2 Implementation Act is expected to be announced by March 2024.

Important: NIS-2 Guidelines Also Apply to Small Companies

Even if your company has fewer than 50 employees and less than 10 million euros in annual turnover, don’t be lulled into a false sense of security too early. Small companies can still be affected if they fall into the criteria for (particularly) critical facilities mentioned above.

If you are unsure whether your company belongs to the critical facilities under NIS-2, don’t wait for an official notification – each affected company must determine this on its own initiative.

If your company, for example, is a service provider or supplier for a particularly critical company, your company is automatically also classified as critical and must also comply with strict security precautions.

NIS-2 Directive: Ultimate Checklist for Compliance Implementation

  • Check if your company is affected by NIS-2 and is considered a critical entity
  • If your company is affected, inform the management and determine who is responsible for implementing the corresponding measures
  • Plan and implement the necessary measures to ensure cybersecurity and risk management
  • Create an emergency plan for security incidents including business continuity, backup management, system recovery, and crisis management
  • Establish a reporting procedure and determine the responsible parties

With Kiteworks for Secure Compliance with NIS 2 Requirements

Complying with the NIS 2 Directive is crucial for organizations to ensure cybersecurity and build trust. A checklist helps IT departments ensure compliance by defining the scope of the directive, assessing risks, creating an Incident Response Plan, ensuring continuous monitoring and maintenance, training employees, and maintaining documentation and reporting. NIS 2 compliance is a legal necessity and an opportunity to increase resilience against cyber threats. Kiteworks supports companies with a platform that facilitates compliance with NIS 2 guidelines by providing a Zero-Trust approach to protecting and managing sensitive information.

To learn more about secure compliance with NIS 2 requirements with Kiteworks, schedule a personalized demo today.
