Binding starting October 2024

NIS2 Directive requires more cybersecurity – many companies affected

Time is now of the essence for many companies in Germany and Europe. The NIS2 European Directive for Cybersecurity requires that, as part of international supply chains, they improve their protection against IT attacks verifiably and bindingly by October 2024. In case of non-compliance or non-implementation of the required extensive measures, significant penalties and sanctions may be imposed. LHIND advises and supports affected companies in implementing all necessary measures to conform to NIS2.

Definition: What is the NIS2 Directive?

The NIS2 European Security Directive (Network and Information Security) replaces the original NIS Directive from 2016 and expands it with stricter security requirements, additional industries or sectors and a greater number of affected companies.

According to NIS2, as part of international supply chains, they must improve their protection against IT attacks by the end of 2024: The NIS2 Directive must be implemented by the individual EU member states in their national laws already by October 17, 2024. Starting October 18, 2024, affected companies are required to immediately register with the competent national authority, report incidents and guarantee compliance with security requirements.

However, the NIS2 Implementation Act in Germany (NIS2UmsuCG) is still in progress, and there are discussions about whether the EU deadlines can be met.

The German transposition act for the NIS2 Directive – known by the abbreviation NIS2UmsuCG – is currently being drawn up and is expected to enter into force on October 1, 2024.

Compliance must be documented regularly. Otherwise, significant penalties of up to ten million Euros or two percent of global revenue – depending on the companies’ classification and criticality – may be imposed.

Don’t let it come to this – LHIND helps you establish a risk management system that conforms to NIS2 for more cybersecurity.

 

Request a consultation now

How does LHIND support companies in their preparations for NIS2?

Our IT security experts advise you on all NIS2-related questions and help you to optimally prepare for the new requirements. We have years of experience in supporting companies in the KRITIS sector and are happy to help you as an experienced and reliable partner.

NIS2 assessment to determine readiness and identify areas in need of optimization

Determine your readiness and necessary improvements

Are you still lacking a precise overview of how well positioned your company is for the NIS2 Directive? Would you benefit from insights into outstanding tasks?

Our assessment is the ideal way to get started. It provides transparency and an overview of areas in need of optimization.

 

Request a non-binding assessment

 

In the context of the NIS2 requirements, we examine:

  • Your IT risk management processes
  • Your information security management system (ISMS)
  • How you deal with security incidents
  • Your backup, emergency and crisis management processes
  • The security of your supply chain
  • How you acquire, develop and maintain your IT systems and applications
  • The comprehensiveness and efficacy of your training and awareness measures
  • The adequacy of your virtual and physical access control systems
  • Proper use of authentication technologies in your company

We also offer:

  • Implementation and review of necessary measures, such as set-up and optimization of risk management, reporting and notification channels, incident management, business continuity management, supplier and customer management, and other measures
  • Checking the implementation of measures in accordance with the law’s requirements
  • Performing penetration tests to detect acute technical vulnerabilities (optional)

  • Standards-compliant consulting on setting up IT risk management and ISMS structures, and implementing these
  • Independent auditing of IT risk management and ISMS

  • Setting up effective detection and reaction processes
  • Supporting incident handling

  • Setting up rules and technical structures
  • Simulation and exercises for emergencies

  • Identification of information flows and data classification
  • Coordination of comprehensive security requirements
  • Securing of professional and technical interfaces

  • Setting up and controlling provider management
  • Transfer of systems to effective platforms

  • Management trainings
  • Employee sensitization and training
  • Measuring and optimizing the awareness level

  • Professional and technical counseling on potential solutions
  • Implementation of potential logical and physical solutions

  • Securing of audio, video and text communications
  • Setting up emergency communications systems
Why LHIND as partner for NIS2?

We are helping you as a competent and reliable partner. What makes us different:

  • Many years of experience in the IT security and information security sectors, and in consulting for (KRITIS) companies
  • Expert knowledge of data protection, compliance, information security and in the technical IT sector
  • In-depth industry knowledge from different customer situations for the best solutions
  • Tailored solutions for your individual requirements
  • Rapid and individualized adaptation to your needs as well as comprehensive flexibility
  • Qualified all-around support from analysis to implementation and quality control
  • Comprehensive package of services independent of company size

 

For which companies is the NIS2 Directive binding?
Is your company affected, as well?

The EU NIS2 Directive revises and replaces the former NIS Directive from 2016. It defines significantly more affected companies, duties and monitoring in the EU. The EU’s NIS2 Directive lists eleven "essential" and seven "important" sectors or industries that are affected by the new regulations.

Essential entities Important entities
  • Energy (electricity, district heating/cooling, oil, natural gas, hydrogen)
  • Transportation (air traffic, rail traffic, shipping, road traffic)
  • Banking (financial institutions)
  • Financial market infrastructures (stock exchanges, central counterparties)
  • Health (health care providers, EU laboratories, R&D, pharmaceutical companies, medical devices)
  • Drinking water (water supply)
  • Waste water (waste water disposal)
  • Digital infrastructure (Internet nodes (IXP), DNS, TLD registries, cloud providers, data centers, content provision networks, trust service providers, public and publicly accessible electronic communications networks)
  • ICT services (managed service providers, security services)
  • Public administration (central governments, regional administrations)
  • Space (ground infrastructures)
  • Postal and courier services
  • Waste (waste management)
  • Chemistry (production, manufacturing and trade)
  • Food/diet (production, processing and sales)
  • Industry/production (medical devices and in vitro, data processing, electronics, optical devices, electrical equipment, mechanical engineering, automobile industry and parts)
  • Digital services (marketplaces, search engines, social media networks)
  • Research (research institutions)
Financial fines for violations: Maximum amount of at least 10 million EUR or 2 % of global revenue Financial fines for violations: Maximum amount of at least 7 million EUR or 1.4 % of global revenue

 

Company size and financial indicators are also relevant for whether you are affected by NIS2

Whether a company is affected depends not only on its affiliation with a sector, but also on its size. The EU NIS2 Directive introduces, among other things, the “size-cap” rule. Companies that are at least mid-sized and fall into the special sectors are subject to NIS2.

Company Employees   Revenue   Balance sheet
Medium 50-249 and < EUR 50 million and/or < EUR 43 million
Large ≥ 250 and ≥ EUR 50 million and/or ≥ EUR 43 million


Certain exceptions apply independent of a company’s size and revenue, if it

  • performs a critical activity
  • affects public order
  • or there are systemic risks as well as cross-border effects

Similarly, in case of certain exceptions, a company can also be entirely excluded from the NIS2 Directive.

 

Road map for implementation of the NIS2 Directive in Germany

A final decision on the precise design of the regulations for the German implementation of NIS2 has not yet been made. The current draft includes minor differences regarding the sectors and also in the company sizes and revenue/balance sheet limits. Some small companies with fewer than 50 employees may also be affected in Germany. It remains uncertain when exactly German policymakers will provide clarity regarding the new regulations. Officially, the German NIS2 Implementation Act is set to come into effect on October 1, 2024, replacing the previous BSIG. However, the process is still ongoing. Given that a new draft was published only in June 2024, there are discussions about whether the deadlines can be met given the advanced timeline.

Start your NIS2 preparations now, time is already tight.

Road map: NIS2 from European to German law
  • December 27, 2022: Publication of the European NIS2 Directive in the EU Gazette
  • January 16, 2023: European NIS2 Directive takes effect
  • April + July 2023: first + second German draft bills for NIS2
  • September 29, 2023: Third German draft (discussion paper for dialog with industry/reconciliation with associations) for NIS2
  • June 24, 2024: New draft for the German transposition act published by the Federal Ministry of the Interior and Community (BMI)
  • Date tbd: Announcement of NIS2UmsuCG (IT Security Act 3.0); the German NIS2 Implementation Act
  • October 1, 2024 (planned date): Entry into force of the German NIS2UmsuCG
  • October 17, 2024 (EU deadline): Transposition of the European NIS2 Directive into German law should be completed
  • October 18, 2024 (EU requirement): NIS2UmsuCG (German NIS2 Implementation Act) should be in force and companies must comply with the regulations

Which requirements does the NIS2 Directive pose for affected companies?

If your company meets the criteria listed, a number of duties arise from NIS2, including registration with the competent authority in your own member state, notification of significant security incidents – that is, incidents that could entail a severe disruption to operations. Furthermore, the NIS2 Directive requires technical and organizational measures (TOM) according to the state of the art: Accordingly, companies and authorities must consider current technological developments and take security precautions that are appropriate for the individual threat landscape. What’s more, there is regular documentation of compliance. The greatest adjustment in companies, however, may come from the additional security requirements in NIS2.

Measures for compliance with the NIS2 Directive and implementation

The measures to be implemented by operators and institutions must be based on a multi-threat approach that protects these systems’ IT, components, processes and environment against security incidents. Thus, only considering cyberattacks is not enough. Rather, precautions must be taken for all kinds of incidents that could impair one’s own IT environment and thus the provision of the essential service. Essential and important institutions must take suitable, proportionate and effective measures to protect their services’ IT and processes, avoid disruptions and minimize the impacts of security incidents. The extended scope of NIS2 means that many organizations must implement more extensive network monitoring and security measures than they have used so far.

Risk management that conforms to NIS2

The minimum requirements for risk management that are defined by the NIS2 Directive are

  • Risk analyses and policies
    Guidelines for risks and information security
  • Incident management
    Prevention, detection and coping with cyber incidents
  • Business continuity
    Business continuity management (BCM) with backup management, disaster recovery and crisis management
  • Supply chain
    Supply chain security — handling of business partners and service providers up to secure development at suppliers
  • Purchasing & maintenance
    Security in procurement, development and maintenance of IT and network systems incl. vulnerability management and disclosure
  • Assessing the effectiveness of security measures
    Concepts and processes
  • Basic cyber hygiene and employee trainings
  • Cryptography and data encryption
  • Personnel security
    Concepts for access control, management of plants
  • Secure authentication and communication
    Multi-factor or continuous authentication, secure audio, video and text communications, if necessary, secure emergency communications systems

IT Security in the supply chain in accordance with NIS2

A significant component of the cybersecurity specifications relates to security in the supply chain, that is, handling business partners and service providers, and the security measures during procurement and development of information systems.

In addition to their own information systems, the companies covered by the NIS2 Directive and thus regulated are obliged to appropriately secure cooperation with partner companies and service providers, and to include security requirements in contractual agreements.

With the stricter specifications for supply chain cybersecurity, the EU reacted to the acute threat from supply chain attacks during which malicious actors gain access to the customer and partner network by compromising a supplier.

Compliance with the notification requirement and deadlines

The NIS2 Directive defines notification requirements for security incidents that the affected companies must meet. In most cases, new processes and procedures will need to be developed and established for this purpose to guarantee compliance with the regulations.

  • Within 24 hours: Incident notification
  • Within 72 hours: Assessment/report on indicators of compromise
  • Within 1 month: Final report

For many companies and businesses, the stricter security requirements in NIS2, as well as the need for notifying national authorities about incidents will likely mean an additional administrative effort that should not be underestimated.

FAQ: Important questions about the NIS2 Directive

The NIS2 Directive (EU NIS2 Directive) is a revised version of the existing Directive on Network and Information Security (NIS1). In 2016, the EU introduced this initial Cybersecurity Directive – as a reaction to the rising threat level and increased requirements for IT security in Europe.

NIS1 also includes binding specifications for protecting the systems of “KRITIS” companies, that is, companies that act as “operators of critical infrastructures.” NIS2 defines additional criteria for identifying operators of critical infrastructures and specifies more comprehensive cybersecurity minimum standards and duties in the EU.

In general, the EU's NIS Directive is intended to protect important industries and services against dangers on the Internet, such as hacker attacks. The new directive’s regulatory goal is the consolidation and content expansion of requirements for the cybersecurity of companies and supply chains.

NIS2 is intended to improve resiliency and reaction to security incidents in the public and private sector within the EU. NIS2 will also require smaller companies and those in more industries to implement additional information security measures. In this context, institutions that meet the thresholds defined in the directive must comply with certain legal requirements.

The NIS2 Directive officially entered into force on January 16, 2023.

However, before the directive becomes active, it must be transposed into national law by the EU’s member states. A new draft of the German NIS2 transposition act was published on June 24, 2024. However, it remains unclear when exactly the final version will be formulated and passed. According to EU requirements, the individual countries have until October 17, 2024, to enact a corresponding NIS2 law.

Since no grace period is planned, affected companies are thus required to comply with the new regulations starting on October 18, 2024 – that is, registering with the competent national authority, notifying them about incidents and guaranteeing compliance with the security requirements. Thereafter, companies must regularly document compliance with a corresponding certification or a security audit. However, as the process for the NIS2UmsuCG in Germany is still ongoing, there are discussions about whether the EU deadlines can be met.

Whether they are affected depends on 2 criteria: affiliation with a sector and company size as well as financial indicators.

Affected are companies from these sectors: Energy, transportation, banking system, financial market infrastructure, health, drinking water, waste water, digital infrastructure, ICT services, public administration, space, postal and courier services, waste, chemistry, food/diet, industry/production, digital services and research.

Company Employees   Revenue   Balance sheet
Medium 50-249 and < EUR 50 million snd/or < EUR 43 million
Large ≥ 250 and ≥ EUR 50 million and/or ≥ EUR 43 million

Certain exceptions may apply independent of a company’s size and revenue, if it

  • performs a critical activity
  • affects public order
  • or there are systemic risks as well as cross-border effects

Similarly, in case of certain exceptions, a company can also be entirely excluded from the NIS2 Directive.

If your company meets the criteria listed, a number of duties and specifications arise from NIS2:

  • Registration with the competent authority in one’s own member state
  • Forwarding of contact data and notification of significant security incidents
  • Technical and organizational measures (TOM) according to the state of the art
  • Measures based on a multi-threat approach that protects these systems’ IT, components, processes and environment against security incidents
  • Guaranteeing supply chain security
  • Risk analyses and policies
    Guidelines for risks and information security
  • Incident management
    Prevention, detection and coping with cyber incidents
  • Business continuity
    Business continuity management (BCM) with backup management, disaster recovery and crisis management
  • Supply chain
    Supply chain security — handling of business partners and service providers up to secure development at suppliers
  • Purchasing & maintenance
    Security in procurement, development and maintenance of IT and network systems incl. vulnerability management and disclosure
  • Assessing the effectiveness of security measures
    Concepts and processes
  • Basic cyber hygiene and employee trainings
  • Cryptography and data encryption
  • Personnel security
    Concepts for access control, management of plants
  • Secure authentication and communication
    Multi-factor or continuous authentication, secure audio, video and text communications, if necessary, secure emergency communications systems

For non-compliance with the specifications and duties defined in the NIS2 Directive, penalties of up to ten million Euros or two percent of global revenue may be imposed.

Free download: Whitepaper “NIS2 and IT resilience”

An exhaustive explanation of all findings, contexts, measures, and recommendations can be found in the whitepaper “From NIS2 obligation to IT resilience thanks to artificial intelligence.” With valuable expert tips and an interesting interview on the topic of AI in cybersecurity.

Rely on LHIND’s skills and experience when implementing the NIS2 Directive

As a specialist in IT consulting, system integration and innovative technologies, we have years of experience and in-depth expert knowledge in the IT security, information security, data protection and compliance areas. Our customer base includes various companies from critical infrastructure sectors (KRITIS) that have special requirements for their IT security.
We are happy to advise you, too, and implement solutions in complex environments and at the latest state of the art and security for you.

Our highly qualified IT experts have in-depth understanding of and experience in many industries. Thus, they also have the necessary expertise for required process analyses and tailored solutions. On this basis, we are happy to advise and support you in applying the NIS2 Directive’s requirements precisely to your company, to put in place corresponding measures for you, to implement processes and solutions. Everything you need to be positioned securely and sustainably.

Ask us your questions about the NIS2 Directive and start today to position your company in conformity with NIS!
We look forward to hearing from you.

captcha