The NIS 2 Directive: New rules for cybersecurity in the EU
Digitalisation is developing rapidly, and with it the importance of cybersecurity. To do justice to this, the European Union has introduced the NIS 2 Directive (Network and Information Systems Directive 2). This new directive is intended to improve the security of network and information systems in the EU and brings with it some significant changes, particularly for industrial companies. In this article, we take a look at the most important contents of the NIS 2 Directive and what this means for companies in the industrial sector.
If you want to capture the threat situation for computer users in a single number, "a quarter of a million" is a good place to start: this is the number of new malware variants that security experts regularly register - not per year, nor per month, but per day. According to estimates by the digital association Bitkom, over 200 billion euros in damage was caused in Germany alone last year by the theft of IT equipment and data as well as digital and analogue industrial espionage. And the trend is rising. It is no wonder that legislators around the world have long felt compelled to take action.
In Europe, the NIS Directive is a milestone: the first version, adopted in 2016 as the "Network and Information Security Directive", aimed to establish a high level of security for network and information systems in the European Union and to create the basis for a uniformly high level of security across the member states. In view of growing cyber threats, the EU Commission has now followed up: the NIS 2 Directive, which was adopted in January 2024, expands the existing legal framework and brings with it significant changes and extended obligations for companies. And these will already apply from October.
Changes from NIS 1 to NIS 2
One of the biggest innovations of the NIS 2 Directive is its extended scope of application. While the original NIS Directive mainly affected operators of critical infrastructures, NIS 2 applies to a much broader range of companies. Many medium-sized industrial companies that were previously unregulated must now implement robust cybersecurity measures, so more companies than ever before have to take a close look at cybersecurity. A total of 18 sectors are now covered, divided into "essential" and "important" entities, which significantly increases the number of companies affected. Experts estimate that around 40,000 additional companies in Germany alone will fall under the new regulations.
Under the new NIS 2 Directive, companies are obliged to implement a wide range of cybersecurity measures. These include the development of a comprehensive risk management concept and the introduction of emergency plans. Companies must also establish processes for quickly reporting security incidents to the relevant supervisory authorities.
Stricter security requirements and reporting obligations
NIS 2 significantly tightens the security requirements. Companies must not only implement technical measures such as firewalls and intrusion detection systems, but also take organisational measures. These include regular risk assessments, employee training and comprehensive incident management. The aim is to ensure that all IT systems and processes are protected against a wide range of threats.
Another important change is the extension of reporting obligations. Companies must report serious security incidents to the competent national authorities within 24 hours. This initial notification must include a preliminary assessment of the incident, followed by a detailed analysis within 72 hours. The directive also promotes cooperation between companies and authorities to improve the response to cyberattacks and facilitate the exchange of threat information.
Draconian penalties and sanctions
The NIS 2 Directive also provides for stricter sanctions. Companies that do not fulfil their security requirements or fail to report notifiable incidents can be subject to severe fines. The supervisory measures include on-site inspections and even the possibility of relieving members of management of their duties in the event of violations. In addition, supervisory authorities will in future be able to impose fines of up to 10 million euros or 2 per cent of turnover for infringements. In Germany, the implementation law for NIS 2 de facto stipulates that responsible managers are even liable with their private assets in the event of breaches.
The implementation of the NIS 2 directive will entail considerable costs for many industrial companies. Necessary investments in IT security technologies, employee training and the establishment of new processes and systems can represent a financial burden. These costs can be particularly challenging for small and medium-sized companies.
Higher cybersecurity resilience
On the positive side, the NIS 2 Directive will significantly improve the cybersecurity resilience of industrial companies. Thanks to stricter security measures, companies are better protected against cyberattacks. This not only prevents economic damage in the long term, but also strengthens the trust of customers and business partners.
Companies that successfully implement the requirements of the NIS 2 directive can strengthen their competitiveness. A strong cybersecurity strategy is increasingly becoming an important differentiator in the market. Customers and business partners prefer companies that adhere to high security standards and thus minimise the risk of business failures and data loss.
Challenges during implementation
Despite the benefits, the implementation of the NIS 2 directive poses many challenges. The lack of qualified cybersecurity specialists is a widespread problem. Companies must review their existing IT systems and processes and, if necessary, adapt them to meet the new requirements. This requires not only financial means, but also time and resources.
Conclusion
The EU's NIS 2 Directive is a significant step towards improving cybersecurity in Europe. It brings both challenges and opportunities for industrial companies. Although the implementation of the new requirements is associated with costs and effort, it also offers the opportunity to strengthen their own cybersecurity resilience and position themselves as a secure and trustworthy partner. In the long term, the NIS 2 Directive will help to increase the security of network and information systems and secure the digital future of European industry.
Event information: 22 – 24 October 2024, Nuremberg:
As the "Home of IT Security", it-sa stands for a comprehensive range of information, networking and knowledge transfer on data protection and IT security. The it-sa Expo&Congress in Nuremberg connects IT security providers and IT security managers in person on site. Online, it-sa 365, the industry platform for IT security, also brings you together between the exhibition dates.