- Günther Klee
- 04.09.2023
- Digitalisierung
Request checklist: Is my company affected?
Table of contents
- NIS 2.0 Cyber Security Directive at a glance
- When does the new EU directive come into force?
- Who is affected by NIS2: essential and important facilities
- Who is affected by NIS2: large and medium-sized companies
- Who is affected by NIS2: small businesses in individual cases
- Required risk management measures
- Reporting obligations for affected companies
- Sanctions and liability in the event of violations
- NIS 2 vs. DORA: what is the difference?
- Do you have any questions?
NIS 2.0 Cyber Security Directive at a glance
The NIS2 Directive (Network and Information Security Directive 2) is an EU directive aimed at strengthening cybersecurity in the European Union. In essence, NIS2 extends the scope of the previous NIS Directive and covers not only critical infrastructure (such as energy and transport systems) but also important digital service providers. Affected organizations must implement strict security measures and are required to conduct risk assessments. To ensure the implementation of the directive, EU member states must establish a national cybersecurity authority.
When does the NIS2 Directive apply?
The NIS2 Directive entered into force on January 16, 2023 , replacing the current directive. Before NIS2 can have an impact on companies, it must be implemented by the member states in national laws and regulations. Member states have until October 17, 2024, to do so.
Who is affected by NIS2: essential and important facilities
Large and medium-sized companies (see definition below) from sectors with high criticality and other critical sectors are affected. Within these sectors, the terms “essential facilities” and “important facilities” are used:
| Essential facility | Important facility |
|---|---|
|
Large companies:
|
Medium-sized companies:
Large & medium-sized :
|
Medium-sized companies in sectors with a high criticality are therefore considered to be important facilities. Both essential and important facilities must implement the requirements. There are differencesin the way they are inspected by the authorities and in the sanctions imposed. While regular safety inspections are conducted “ex-ante” for essential facilities, inspections of important facilities are only conducted if there is reasonable suspicion.
Who is affected by NIS2: large and medium-sized companies
NIS2 categorizes companies by size:
| Sizes according to NIS2 | Employees | Annual turnover | |
|---|---|---|---|
| Small company | < 50 | AND | < 10 mil. Euro |
| Medium-sized company | < 250 | AND | < 50 mil. Euro |
| Large company | > 250 | OR | > 50 mil. Euro |
Note: The annual balance sheet total can also be used instead of the annual turnover, whereby the threshold between medium-sized and large companies is already 43 million (instead of 50 million).
Example: A company with 40 employees and a turnover of 12 million euros is therefore already considered a medium-sized company. If this company offers, for example, “digital services” (see above), it is considered an important institution according to NIS2 and must implement a series of risk management measures.
Who is affected by NIS2: small businesses in individual cases
Small companies (see definition above) are not covered by NIS2, but there are exceptions. The following companies fall within the scope of the directive, regardless of their size:
- trust service providers
- providers of publicly available electronic communications services
- TLD registries and DNS service providers
- Sole providers of a service that is essential for maintaining critical social/economic activities
Request checklist: Is my company affected?
Risk management measures required for affected companies
- Conducting a risk analysis with regard to the security of information systems
- Development of a plan for the prevention, detection, and management of security incidents (incident management)
- Ensuring business continuity through backup management, disaster recovery and crisis management
- Security of the supply chain and security measures for the procurement and maintenance of IT and network systems
- Measures to measure cyber and risk measures
- Training employees in the areas of cyber security cyber hygiene
- Developing guidelines for cryptography and encryption for all key areas
- Monitoring of all access points and logging
- Implemenntation of an information security management system with procedures, methods, and tools to increase information security (e.g., ISO 27001).
- Use of multi-factor authentication and single-sign-on
- Use of secure emergency communication systems
Reporting obligations for affected companies
In the event of significant incidents and threats, an early warning must be issued immediately, i.e., within 24 hours of becoming aware of the incident. An official report of the security incident must be submitted within 72 hours. A final report must be submitted to the authorities one month after this report has been submitted.
Sanctions for violations
The fine for major organizations is 10 million euros or 2 percent of global revenue.
For important organizations, the sanctions are a little less severe and amount to 7 million euros or 1.4 percent of global revenue.
NIS2 vs. DORA: what is the difference?
The NIS2 Directive and the Digital Operational Resilience Act (DORA) are both legal instruments of the European Union that deal with different aspects of cybersecurity.
NIS2 is a directive, which means that it must be transposed into national law by the EU member states. Member states have some leeway in the transposition to take into account the specific needs and circumstances of their country. DORA is a regulation, which means that it is directly applicable in all EU member states as soon as it enters into force. No national implementation is required.
NIS2 concerns operators of essential services (see definition above) and, unlike NIS1, digital service providers are now also considered to be such operators. The directive aims to ensure a high level of cybersecurity throughout the EU. DORA focuses on the resilience of the financial system in the EU. It primarily affects financial institutions and organizations in the financial sector. NIS2 and DORA are therefore different legal
Do you have any questions?
How can you best approach the topic of NIS2 in your organization? We are here to help!