Time is now of the essence for many companies in Germany and Europe: The NIS2 European Directive for Cybersecurity requires that, as part of international supply chains, they improve their protection against IT attacks verifiably and bindingly by the end of 2024. In case of non-compliance or non-implementation of the required extensive measures, significant penalties and sanctions may be imposed. LHIND advises and supports affected companies in implementing all necessary measures to conform to NIS2.
Binding starting October 2024
NIS2 Directive requires more cybersecurity – many companies affected
Definition: What is the NIS2 Directive?
The NIS2 European Security Directive (Network and Information Security) replaces the original NIS Directive from 2016 and expands it with stricter security requirements, additional industries or sectors and a greater number of affected companies.
According to NIS2, as part of international supply chains, they must improve their protection against IT attacks by the end of 2024: The NIS2 Directive must be implemented by the individual EU member states in their national laws already by October 17, 2024. Starting October 18, 2024, affected companies are required to immediately register with the competent national authority, report incidents and guarantee compliance with security requirements.
Compliance must be documented regularly. Otherwise, significant penalties of up to ten million Euros or two percent of global revenue – depending on the companies’ classification and criticality – may be imposed.
Don’t let it come to this – LHIND helps you establish a risk management system that conforms to NIS2 for more cybersecurity.
How does LHIND support companies in their preparations for NIS2?
Our IT security experts advise you on all NIS2-related questions and help you to optimally prepare for the new requirements. We have years of experience in supporting companies in the KRITIS sector and are happy to help you as an experienced and reliable partner.
Determine your readiness and necessary improvements
Are you still lacking a precise overview of how well positioned your company is for the NIS2 Directive? Would you benefit from insights into outstanding tasks?
Our assessment is the ideal way to get started. It provides transparency and an overview of areas in need of optimization.
In the context of the NIS2 requirements, we examine:
- Your IT risk management processes
- Your information security management system (ISMS)
- How you deal with security incidents
- Your backup, emergency and crisis management processes
- The security of your supply chain
- How you acquire, develop and maintain your IT systems and applications
- The comprehensiveness and efficacy of your training and awareness measures
- The adequacy of your virtual and physical access control systems
- Proper use of authentication technologies in your company
We also offer:
- Implementation and review of necessary measures, such as set-up and optimization of risk management, reporting and notification channels, incident management, business continuity management, supplier and customer management, and other measures
- Checking the implementation of measures in accordance with the law’s requirements
- Performing penetration tests to detect acute technical vulnerabilities (optional)
- Standards-compliant consulting on setting up IT risk management and ISMS structures, and implementing these
- Independent auditing of IT risk management and ISMS
- Setting up effective detection and reaction processes
- Supporting incident handling
- Setting up rules and technical structures
- Simulation and exercises for emergencies
- Identification of information flows and data classification
- Coordination of comprehensive security requirements
- Securing of professional and technical interfaces
- Setting up and controlling provider management
- Transfer of systems to effective platforms
- Management trainings
- Employee sensitization and training
- Measuring and optimizing the awareness level
- Professional and technical counseling on potential solutions
- Implementation of potential logical and physical solutions
- Securing of audio, video and text communications
- Setting up emergency communications systems
We are helping you as a competent and reliable partner. What makes us different:
- Many years of experience in the IT security and information security sectors, and in consulting for (KRITIS) companies
- Expert knowledge of data protection, compliance, information security and in the technical IT sector
- In-depth industry knowledge from different customer situations for the best solutions
- Tailored solutions for your individual requirements
- Rapid and individualized adaptation to your needs as well as comprehensive flexibility
- Qualified all-around support from analysis to implementation and quality control
- Comprehensive package of services independent of company size
For which companies is the NIS2 Directive binding?
Is your company affected, as well?
The EU NIS2 Directive revises and replaces the former NIS Directive from 2016. It defines significantly more affected companies, duties and monitoring in the EU. The EU’s NIS2 Directive lists eleven "essential" and seven "important" sectors or industries that are affected by the new regulations.
| Essential entities | Important entities |
|
|
| Financial fines for violations: Maximum amount of at least 10 million EUR or 2 % of global revenue | Financial fines for violations: Maximum amount of at least 7 million EUR or 1.4 % of global revenue |
Company size and financial indicators are also relevant for whether you are affected by NIS2
Whether a company is affected depends not only on its affiliation with a sector, but also on its size. The EU NIS2 Directive introduces, among other things, the “size-cap” rule. Companies that are at least mid-sized and fall into the special sectors are subject to NIS2.
| Company | Employees | Revenue | Balance sheet | ||
| Medium | 50-249 | and | < EUR 50 million | and/or | < EUR 43 million |
| Large | ≥ 250 | and | ≥ EUR 50 million | and/or | ≥ EUR 43 million |
Certain exceptions apply independent of a company’s size and revenue, if it
- performs a critical activity
- affects public order
- or there are systemic risks as well as cross-border effects
Similarly, in case of certain exceptions, a company can also be entirely excluded from the NIS2 Directive.
Road map for implementation of the NIS2 Directive in Germany
A final decision on the precise design of the regulations for the German implementation of NIS2 has not yet been made. The current draft includes minor differences regarding the sectors and also in the company sizes and revenue/balance sheet limits. Some small companies with fewer than 50 employees may also be affected in Germany. There will likely be clarity by March 2024; as of October 18, 2024, all measures must be defined and the regulations must be observed.
Start your NIS2 preparations now, time is already tight.
- December 27, 2022: Publication of the European NIS2 Directive in the EU Gazette
- January 16, 2023: European NIS2 Directive takes effect
- April + July 2023: first + second German draft bills for NIS2
- September 29, 2023: third German draft (discussion paper for dialog with industry/reconciliation with associations) for NIS2
- Approx. March 2024: Announcement of NIS2UmsuCG (IT Security Act 3.0); the German NIS2 Implementation Act
- By October 17, 2024 at the latest: Implementation of the European NIS2 Directive in German law completed
- October 18, 2024: NIS2UmsuCG (German NIS2 Implementation Act) effective, companies must comply with the regulations
Which requirements does the NIS2 Directive pose for affected companies?
If your company meets the criteria listed, a number of duties arise from NIS2, including registration with the competent authority in your own member state, notification of significant security incidents – that is, incidents that could entail a severe disruption to operations. Furthermore, the NIS2 Directive requires technical and organizational measures (TOM) according to the state of the art: Accordingly, companies and authorities must consider current technological developments and take security precautions that are appropriate for the individual threat landscape. What’s more, there is regular documentation of compliance. The greatest adjustment in companies, however, may come from the additional security requirements in NIS2.
Measures for compliance with the NIS2 Directive and implementation
The measures to be implemented by operators and institutions must be based on a multi-threat approach that protects these systems’ IT, components, processes and environment against security incidents. Thus, only considering cyberattacks is not enough. Rather, precautions must be taken for all kinds of incidents that could impair one’s own IT environment and thus the provision of the essential service. Essential and important institutions must take suitable, proportionate and effective measures to protect their services’ IT and processes, avoid disruptions and minimize the impacts of security incidents. The extended scope of NIS2 means that many organizations must implement more extensive network monitoring and security measures than they have used so far.
Risk management that conforms to NIS2
The minimum requirements for risk management that are defined by the NIS2 Directive are
- Risk analyses and policies
Guidelines for risks and information security - Incident management
Prevention, detection and coping with cyber incidents - Business continuity
Business continuity management (BCM) with backup management, disaster recovery and crisis management - Supply chain
Supply chain security — handling of business partners and service providers up to secure development at suppliers - Purchasing & maintenance
Security in procurement, development and maintenance of IT and network systems incl. vulnerability management and disclosure - Assessing the effectiveness of security measures
Concepts and processes - Basic cyber hygiene and employee trainings
- Cryptography and data encryption
- Personnel security
Concepts for access control, management of plants - Secure authentication and communication
Multi-factor or continuous authentication, secure audio, video and text communications, if necessary, secure emergency communications systems
IT Security in the supply chain in accordance with NIS2
A significant component of the cybersecurity specifications relates to security in the supply chain, that is, handling business partners and service providers, and the security measures during procurement and development of information systems.
In addition to their own information systems, the companies covered by the NIS2 Directive and thus regulated are obliged to appropriately secure cooperation with partner companies and service providers, and to include security requirements in contractual agreements.
With the stricter specifications for supply chain cybersecurity, the EU reacted to the acute threat from supply chain attacks during which malicious actors gain access to the customer and partner network by compromising a supplier.
Compliance with the notification requirement and deadlines
The NIS2 Directive defines notification requirements for security incidents that the affected companies must meet. In most cases, new processes and procedures will need to be developed and established for this purpose to guarantee compliance with the regulations.
- Within 24 hours: Incident notification
- Within 72 hours: Assessment/report on indicators of compromise
- Within 1 month: Final report
For many companies and businesses, the stricter security requirements in NIS2, as well as the need for notifying national authorities about incidents will likely mean an additional administrative effort that should not be underestimated.
FAQ: Important questions about the NIS2 Directive
The NIS2 Directive (EU NIS2 Directive) is a revised version of the existing Directive on Network and Information Security (NIS1). In 2016, the EU introduced this initial Cybersecurity Directive – as a reaction to the rising threat level and increased requirements for IT security in Europe.
NIS1 also includes binding specifications for protecting the systems of “KRITIS” companies, that is, companies that act as “operators of critical infrastructures.” NIS2 defines additional criteria for identifying operators of critical infrastructures and specifies more comprehensive cybersecurity minimum standards and duties in the EU.
In general, the EU's NIS Directive is intended to protect important industries and services against dangers on the Internet, such as hacker attacks. The new directive’s regulatory goal is the consolidation and content expansion of requirements for the cybersecurity of companies and supply chains.
NIS2 is intended to improve resiliency and reaction to security incidents in the public and private sector within the EU. NIS2 will also require smaller companies and those in more industries to implement additional information security measures. In this context, institutions that meet the thresholds defined in the directive must comply with certain legal requirements.
NIS2 officially became effective on January 16, 2023.
However, before the directive becomes active, it must be transferred into national law by the EU’s member states. The plan is that the German NIS Implementation Act will be announced sometime in March 2024. The individual countries have until October 17, 2024, to pass a corresponding NIS2 law.
Since no grace period is planned, affected companies are thus required to comply with the new regulations starting on October 18, 2024 – that is, registering with the competent national authority, notifying them about incidents and guaranteeing compliance with the security requirements. Thereafter, companies must regularly document compliance with a corresponding certification or a security audit.
Whether they are affected depends on 2 criteria: affiliation with a sector and company size as well as financial indicators.
Affected are companies from these sectors: Energy, transportation, banking system, financial market infrastructure, health, drinking water, waste water, digital infrastructure, ICT services, public administration, space, postal and courier services, waste, chemistry, food/diet, industry/production, digital services and research.
| Company | Employees | Revenue | Balance sheet | ||
| Medium | 50-249 | and | < EUR 50 million | snd/or | < EUR 43 million |
| Large | ≥ 250 | and | ≥ EUR 50 million | and/or | ≥ EUR 43 million |
Certain exceptions may apply independent of a company’s size and revenue, if it
- performs a critical activity
- affects public order
- or there are systemic risks as well as cross-border effects
Similarly, in case of certain exceptions, a company can also be entirely excluded from the NIS2 Directive.
If your company meets the criteria listed, a number of duties and specifications arise from NIS2:
- Registration with the competent authority in one’s own member state
- Forwarding of contact data and notification of significant security incidents
- Technical and organizational measures (TOM) according to the state of the art
- Measures based on a multi-threat approach that protects these systems’ IT, components, processes and environment against security incidents
- Guaranteeing supply chain security
- Risk analyses and policies
Guidelines for risks and information security - Incident management
Prevention, detection and coping with cyber incidents - Business continuity
Business continuity management (BCM) with backup management, disaster recovery and crisis management - Supply chain
Supply chain security — handling of business partners and service providers up to secure development at suppliers - Purchasing & maintenance
Security in procurement, development and maintenance of IT and network systems incl. vulnerability management and disclosure - Assessing the effectiveness of security measures
Concepts and processes - Basic cyber hygiene and employee trainings
- Cryptography and data encryption
- Personnel security
Concepts for access control, management of plants - Secure authentication and communication
Multi-factor or continuous authentication, secure audio, video and text communications, if necessary, secure emergency communications systems
For non-compliance with the specifications and duties defined in the NIS2 Directive, penalties of up to ten million Euros or two percent of global revenue may be imposed.
Rely on LHIND’s skills and experience when implementing the NIS2 Directive
As a specialist in IT consulting, system integration and innovative technologies, we have years of experience and in-depth expert knowledge in the IT security, information security, data protection and compliance areas. Our customer base includes various companies from critical infrastructure sectors (KRITIS) that have special requirements for their IT security.
We are happy to advise you, too, and implement solutions in complex environments and at the latest state of the art and security for you.
Our highly qualified IT experts have in-depth understanding of and experience in many industries. Thus, they also have the necessary expertise for required process analyses and tailored solutions. On this basis, we are happy to advise and support you in applying the NIS2 Directive’s requirements precisely to your company, to put in place corresponding measures for you, to implement processes and solutions. Everything you need to be positioned securely and sustainably.
Ask us your questions about the NIS2 Directive and start today to position your company in conformity with NIS!
We look forward to hearing from you.