New EU Law on NIS2
The second EU directive on network and information security (Network and Information Security 2.0, or NIS2 for short) was published in December 2022. Since October 2024, this new version of the directive, originally established in 2016, has been binding for all EU member states. National legislation implementing the NIS2 directive is expected soon in Germany. This article explains the new requirements and sanctions introduced by the directive, their objectives, and who is affected by these changes.
What the new NIS2 directive entails
The second version of the Network and Information Security Directive, or NIS2 for short, aims to strengthen the cyber resilience of critical infrastructure in both public and private sectors within the EU. Specifically, the updated directive includes stricter measures and reporting obligations for numerous companies in the event of IT security incidents.
Significantly more industries and companies are affected by the new regulation than was the case under the first EU directive on network and information security. The majority are medium-sized and large companies; however, smaller companies may also be affected depending on their position in supply chains or their status as subsidiaries.
Who is affected by the NIS2 directive
Since October 17, 2024, all EU member states have been obliged to transpose the new NIS2 directive into national law. By this date, companies should have clarified whether they are affected by the updated directive, planned their resources, and implemented appropriate measures.
Companies are responsible for independently assessing whether they are affected by NIS2. No official request has been issued to affected companies to implement the new requirements.
The NIS2 directive divides affected companies into two categories: essential entities and important entities. The category a company belongs to has no bearing on the security requirements themselves; it determines only the severity of the penalties for non-compliance.
Essential entities
- Essential entities include energy and water supply companies, transportation providers, banks and financial institutions, as well as healthcare service providers, manufacturers, and researchers. This category also encompasses digital infrastructure and IT services, public administration, and the aerospace industry.
Important entities
- The category of important entities includes postal and courier services, waste management companies, businesses in food and chemical industries, the industrial and manufacturing sectors (e.g., for computers, medical and diagnostic equipment, electronics, motor vehicles), and digital providers (e.g., search engines, social media platforms, online marketplaces). Research institutions can also be included in this category.
Severe penalties for violations
Under the new NIS2 directive, non-compliance with the requirements can result in substantial penalties in the form of fines. The specific amount of these fines depends on the type of company committing the violations.
Companies in the category of "important entities" face a fine of up to EUR 7 million or 1.4% of the company's total worldwide turnover in the previous financial year, whichever is higher.
Companies in the category of "essential entities" face a fine of up to EUR 10 million or 2% of the company's total worldwide turnover in the previous financial year, whichever is higher.
Liability risk for management
Another relevant change in the updated network and information security directive is that managing directors and board members are now personally liable for omissions and violations.
Stricter reporting requirements
Also new are the stricter deadlines and requirements for reporting IT security incidents. Three timeframes have been established, within which there are specific documentation requirements to be met:
- A preliminary report must be submitted within 24 hours of becoming aware of an incident.
- A detailed report with an initial assessment of the incident must be submitted within 72 hours.
- A comprehensive final report must be prepared within one month, including detailed information on the nature and impact of the threat.
The role of BSI
The Federal Office for Information Security (BSI, Bundesamt für Sicherheit in der Informationstechnik) plays a key role in implementing the NIS2 directive in Germany. As part of this process, its powers and responsibilities have been expanded. The BSI is now authorized to conduct security audits and to define and enforce minimum requirements. Furthermore, it is responsible for imposing sanctions and fines.
How to proceed
If not already done before October 2024, every company should now urgently check whether it is affected by the NIS2 directive. The deadline for registration with the BSI (Federal Office for Information Security) is January 17, 2025.
The scope of the network and information security directive has expanded significantly with the EU-wide update, affecting more sectors and companies.
Above all, the security requirements have become stricter with the new version of the directive, requiring an updated security policy and additional measures.
Furthermore, stricter guidelines now apply to the reporting of security incidents. Failure to comply with the new requirements will result in significantly harsher sanctions, for which managing directors and board members can now also be held liable.
Conclusion
Implementing the new NIS2 directive requires technical and organizational measures, such as risk assessment, the development of security policies, monitoring, and regular audits. It also necessitates updated employee training, the creation of emergency and response plans, and the maintenance of reliable security documentation.
The NIS2 directive presents a challenge for many companies. However, the actions required to comply with it can also offer an opportunity to optimize data and information protection measures, thereby strengthening the trust of customers and partners.