EU Directive NIS2

The NIS2 Directive (Network and Information Security Directive) aims to improve and harmonise the cyber and information security of institutions that provide essential services in key sectors across the EU. It must be transposed into national law in each member state. In Germany, this is to take place as part of the NIS2 Implementation and Cyber Security Strengthening Act.

The NIS2 Directive expands the scope of application by adding further sectors on the one hand and setting different thresholds on the other, which increases the number of organisations affected. In addition, further cybersecurity measures are defined (including supply chain security) and penalties for breaches are specified.

This means that all affected companies need to act quickly, especially those that have not yet fallen within the scope of the NIS Directive.

In view of this, we recommend that companies that are affected quickly familiarise themselves with the requirements of cyber and information security. We would be happy to provide you with detailed information on how our services can support you both with initial analyses of the implementation status and with the implementation of possible gaps with regard to the requirements. Together, we will adjust the orientation of your company so that it fulfils the requirements of the new directive.

The scope of application of NIS2 includes organisations that provide their services in the Union or carry out their activities there.

In addition to the expansion of the affected sectors, another significant change to the scope of application is that the affectedness of the organisations will no longer be determined by whether the threshold values of the investment categories are reached or exceeded, but rather by the size of the organisations.

Accordingly, large and medium-sized companies are to be covered by the NIS2 Directive:

(medium-sized) facilities

• 50 - 249 employees and
• < EUR 50 million annual turnover or
• < EUR 43 million annual balance sheet total

or

• < 50 employees and
• (10 - 50) million EUR annual turnover and
• (10 - 43) million EUR annual balance sheet total

(large) facilities

• ≥ 250 employees

or

• ≥ EUR 50 million annual turnover and
• ≥ EUR 43 million annual balance sheet total

NIS2 adds further sectors that must implement the defined requirements. The directive distinguishes between essential institutions and important institutions. The former are subject to higher sanctions for breaches of the requirements as well as an ex-ante and ex-post supervisory system, while important institutions are subject to lower sanctions and an exclusively reactive ex-post supervisory system.

Material entities:

• Large companies in Essential Sectors

Important institutions:

• Medium-sized companies in Essential Sectors
• Large companies and medium-sized companies in important sectors

In total, the following 18 sectors are affected by NIS2:

Institutions must take technical, operational and organisational measures, taking into account the state of the art, to manage and control the risks to the security of the network and information systems used to provide their services. The NIS2 Directive thus also emphasises the risk approach for implementing an appropriate level of security. A further focus is on the reporting of security incidents that have a significant impact on the provision of services and thus on the establishment of a standardised reporting procedure for security incidents.

• Cyber security management: guidelines and risk management
• Incident management
• Business Continuity Management (BCM)

Violations of the requirements will result in the following fines for essential and important facilities:

• Particularly important facilities: Up to €10 million or 2% of annual worldwide turnover
• Important facilities: Up to €7 million or 1.4% of annual global turnover

Once the NIS2 Directive comes into force on 16 January 2023, EU member states will have 21 months to transpose the directive into national law. This gives institutions time to deal with the requirements of the NIS2 Directive and to analyse and assess the potential impact.

The fulfilment of all cyber security measures is complex and requires the interaction of various corporate functions. adesso supports you in the successful implementation of the NIS2 requirements:

It is therefore important for affected companies to take the following steps at an early stage: