The NIS2 Directive 2024 heralds a new era of Cybersecurity in Europe. It extends the protection of critical infrastructures and presents companies with new challenges in the area of IT Security. With stricter regulations and higher fines, the EU aims to strengthen digital resilience.
This directive is a response to the growing threat of cyberattacks and obliges EU member states to implement it by October 2024. It promotes cooperation between countries and companies to jointly combat digital risks.
Important findings
- Extended protective measures for Critical infrastructures
- New obligations for companies in the area of IT Security
- Implementation deadline of the NIS2 Directive until October 2024
- Increased cooperation between EU states and companies
- Increased fines for breaches of cyber security regulations
Introduction to the NIS2 Directive
The NIS2 Directive represents an important step towards strengthening the Cybersecurity in the European Union. It aims to improve the security of network and information systems and Cyber incidents more effectively.
Background and objectives of the directive
The directive came into force on January 16, 2023 and aims to increase the resilience of critical infrastructures against cyberattacks. It defines minimum security requirements for operators of essential services and providers of digital services.
Differences to the original NIS Directive
Compared to the previous version, NIS2 considerably expands the scope of application. Experts assume that around 30,000 additional companies and public institutions in Germany will be affected. The directive also tightens the security requirements for Network and information systems.
Timetable for transposition into national law
EU member states have until October 2024 to transpose the NIS2 Directive into national law. This means that companies and organizations should familiarize themselves with the new requirements at an early stage and adapt their cybersecurity measures in order to Cyber incidents and to ensure compliance.
| Aspect | NIS1 | NIS2 |
|---|---|---|
| Entry into force | 2016 | 2023 |
| Area of application | Limited | Extended |
| Safety requirements | Basic | Tightened |
| Implementation deadline | May 2018 | October 2024 |
Scope of application of the NIS2 Directive 2024
The NIS2 directive significantly expands the protection of network and information systems. It covers 18 defined sectors that are crucial for the functioning of critical infrastructures.
The directive distinguishes between "important" and "essential" sectors. Essential sectors are considered to be particularly vulnerable and are subject to stricter requirements. These include, for example, energy, transport and healthcare.
It is not only directly affected companies that must comply with the NIS2 requirements. Service providers and suppliers are also indirectly covered by the directive if they are responsible for Critical infrastructures are active. This is intended to ensure the security of the entire supply chain.
"The NIS2 Directive creates a comprehensive framework to protect our digital infrastructure. It strengthens the Cybersecurity throughout Europe."
The classification as an "important" or "essential" facility has far-reaching consequences. It determines the intensity of official inspections and the level of possible penalties for violations. Companies must carefully check their affiliation in order to meet the respective requirements.
The broad scope of the NIS2 Directive aims to achieve comprehensive protection of network and information systems in all critical areas. This presents companies with new challenges, but makes a decisive contribution to strengthening digital resilience.
Sectors and companies affected
The NIS2 Directive aims to improve cyber security in critical infrastructures. It distinguishes between essential and important facilities in order to strengthen protection against cyber attacks.
Essential facilities
The essential facilities include sectors that are indispensable for the functioning of our society:
- Public administration
- Energy
- Transportation
- Banking sector
- Healthcare
- Digital infrastructure
Important facilities
Important facilities include areas that are also of great importance to the economy:
- Postal and courier services
- Waste management
- Digital services
Size criteria for affected companies
The NIS2 Directive sets out clear size criteria for affected companies:
| Furnishing type | Number of employees | Annual turnover |
|---|---|---|
| Essential facilities | From 250 | From 50 million euros |
| Important facilities | From 50 | From 10 million euros |
Some organizations, regardless of their size, are covered by the directive if a cyberattack could cause particularly serious damage. This underlines the importance of cyber security for all organizations that Critical infrastructures or provide important services.
New security requirements due to NIS2
The NIS2 Directive introduces stricter measures for the IT Security with it. Companies must now develop comprehensive concepts for Risk analysis develop and implement. This includes the creation of a detailed asset list and the analysis of weak points in the system.
A key aspect of the new requirements is the derivation of suitable protective measures. Companies are obliged to develop strategies for dealing with cyber incidents. These are intended to ensure that operations are maintained and crisis management is effective.
The directive also calls for increased security measures in the acquisition, development and maintenance of IT systems. The focus is shifting to basic cyber hygiene practices in order to identify and minimize potential risks at an early stage.
| Range | New requirements |
|---|---|
| Risk analysis | Creation of an asset list, weak point analysis |
| Protective measures | Derivation of suitable measures based on Risk analysis |
| Incident management | Strategies for dealing with cyber incidents, crisis management |
| IT systems | Increased security during acquisition, development and maintenance |
| Cyber hygiene | Implementation of basic risk minimization practices |
Through these comprehensive measures, NIS2 aims to significantly increase the resilience of companies to cyber threats and create a robust IT security structure.
Reporting obligations in the event of security incidents
The NIS2 directive tightens the Reporting obligations for Cyber incidents. Companies must now react quickly and comprehensively if their IT security is compromised.
Deadlines for reporting incidents
In the event of significant security incidents, a short reporting period of 24 hours applies. Companies must adapt their internal processes in order to meet this deadline. Prompt reporting enables the authorities to react quickly and warn other companies.
Content of the messages
The reports must contain detailed information:
- Nature and extent of the incident
- Affected systems and data
- Possible effects
- Countermeasures taken
Companies should prepare templates for such reports to save time in an emergency.
Responsible authorities
The reports are sent to the responsible national authorities. In Germany, this is the Federal Office for Information Security (BSI). Companies must know the contact details of these authorities and include them in their emergency plans.
The new Reporting obligations require clear internal processes. All employees should know what to do in the event of a cyber incident. Regular training and exercises help them to act correctly in an emergency.
Risk management and IT security concepts
The NIS2 directive requires companies to implement comprehensive risk management and IT security concepts. A thorough risk analysis forms the foundation for effective IT security. Companies must regularly identify and evaluate potential threats in order to develop appropriate protective measures.
The development of robust security measures is at the heart of IT security. These include
- Encryption of sensitive data
- Implementation of firewalls and anti-virus software
- Regular security updates and patches
- Access controls and user authentication
Special attention is paid to the Cloud security. Companies must ensure that their data stored in the cloud is adequately protected. This includes selecting trustworthy cloud providers and implementing additional security measures such as data encryption and access control.
Another important aspect is the development of business continuity and crisis management plans. These plans help companies to maintain operations even in the event of security incidents and to respond quickly to threats.
"Effective risk management is the key to ensuring IT security in an increasingly networked world."
Continuous monitoring and improvement of security measures is essential. Companies should carry out regular security audits and adapt their IT security concepts to new threats and technological developments.
Effects on supply chain security
The NIS2 Directive presents companies with new challenges in the area of Supply chain security. The focus is on strengthening cyber security along the entire value chain.
Requirements for suppliers and partners
Companies must ensure that their suppliers and partners implement robust security measures. This includes:
- Review of suppliers' security practices
- Introduction of security-related contractual clauses
- Regular safety audits of partners
The Supply chain security requires close cooperation between all parties involved. This is the only way to identify and rectify weaknesses at an early stage.
Checking and monitoring the supply chain
Effective risk management in the supply chain is essential. Companies should:
- Introduce continuous monitoring of supplier security
- Conduct regular supply chain cybersecurity assessments
- Developing rapid response mechanisms for identified risks
The improvement of the Supply chain security is an ongoing process. It requires constant vigilance and adaptation to new threats in the area of cyber security.
Training and sensitization of employees
The NIS2 directive emphasizes the importance of training to strengthen cyber security in companies. Regular training is crucial to sensitize employees to potential IT security risks.
Effective training programs include:
- Recognizing phishing attempts
- Secure handling of passwords
- Data protection in the workplace
- Secure use of mobile devices
Managers in particular are obliged to take part in cyber security training. This minimizes liability risks and promotes a culture of security throughout the company.
Well-trained employees are the best protection against cyber attacks.
Regular monitoring is recommended to measure the effectiveness of the training courses:
| Measure | Frequency | Goal |
|---|---|---|
| Phishing simulations | Quarterly | Improve recognition |
| IT security quiz | Half-yearly | Check level of knowledge |
| Practical exercises | Annually | Strengthening action competence |
Through continuous training and awareness-raising measures, IT security in the company is sustainably strengthened and the requirements of the NIS2 directive are met.
Sanctions and fines for violations
The NIS2 directive tightens the consequences for companies that neglect their cyber security. It sends a clear signal: IT security is no longer a sideshow. Companies must now invest more in their digital defenses.
Amount of possible fines
The new penalties are tough: essential institutions risk fines of up to 10 million euros or 2% of their global annual turnover. Important institutions face fines of up to 7 million euros or 1.4% of turnover. These sums significantly exceed the previous penalties and show that Cyber security will be expensive - or even more expensive if ignored.
Liability of managers
Personal liability for bosses and managers is also new. They can be asked to pay directly if their company violates the NIS2 rules. This increases the pressure to make cyber security a top priority. Managers must now take action and support their IT departments to minimize risks and meet the requirements.
English 
Deutsch 
Español 
Français 
Polski