Increasing digitalisation and dependence on networked systems are making companies and government institutions in Europe more vulnerable to cyberattacks. To address these challenges and ensure a higher level of protection for critical infrastructure, the European Union (EU) has adopted the Network and Information Security (NIS) Directive 2 (NIS2). This updated version of the original 2016 NIS Directive sets new standards for cybersecurity and aims to significantly improve resilience to cyber threats in the EU.
The first NIS Directive from 2016 was a significant step towards better protection of critical infrastructure in the EU, but it showed weaknesses. In particular, the widely varying implementation in the individual member states led to gaps in cybersecurity that attackers exploited. In addition, the threats and the complexity of cyberattacks have evolved significantly since 2016. The NIS2 Directive was therefore introduced to close these gaps and respond to the growing risks and increasing complexity of attacks.
WHAT IS THE NIS2 DIRECTIVE?
The NIS2 Directive is the second version of the EU-wide regulations to improve cyber security and follows in the footsteps of the original NIS Directive. It aims to strengthen the security of network and information systems across the Union. The Directive lays down stricter requirements for cybersecurity and the protection of critical infrastructure and extends the obligations to a wider range of companies and sectors.
KEY ELEMENTS OF THE NIS2 DIRECTIVE
1. EXTENDED SCOPE
The NIS2 Directive extends the scope to more sectors and companies. Not only large companies, but also medium-sized companies that are considered systemically relevant to society are now obliged to fulfil the requirements.
2. STRICTER SECURITY REQUIREMENTS
The directive requires companies and authorities to introduce comprehensive security measures. These include risk management measures, technical security precautions and the establishment of security protocols to ensure that critical systems and data are protected against attacks.
3. REPORTING OBLIGATIONS IN THE EVENT OF SECURITY INCIDENTS
A key innovation of the NIS2 Directive is the stricter reporting obligation for security incidents. Companies must inform the relevant national authorities within 24 hours of discovering an incident. This reporting obligation is intended to help improve coordination at EU level and counter cyber threats more quickly.
4. PENALTIES AND SANCTIONS
The NIS2 Directive provides for tougher penalties for infringements. Companies that do not fulfil the requirements risk high fines modelled on the sanctions of the General Data Protection Regulation (GDPR). This is intended to ensure that compliance with the directive is taken seriously.
WHO IS AFFECTED BY NIS2?
The NIS2 Directive significantly expands the scope of the security requirements. While the first NIS Directive was mainly aimed at operators of critical infrastructure, NIS2 now covers a broader range of industries. The affected sectors fall into two groups.
1. CRITICAL SECTORS (ESSENTIAL SECTORS)
These sectors include organisations that are considered systemically important and provide essential services that are crucial to public life. These include:
- Energy supply: electricity, gas and oil companies, power generation and transmission, and operators of nuclear power plants.
- Transport: aviation, shipping, rail, road transport and logistics companies.
- Banking: banks and credit institutions.
- Financial market infrastructures: stock exchanges, clearing centres and payment processing companies.
- Healthcare: hospitals, healthcare facilities and medical device manufacturers.
- Drinking water and wastewater management: companies responsible for the supply of clean water and wastewater treatment.
- Digital infrastructure: internet exchange points, cloud computing services, DNS providers and data centres.
- Public administration: government and administrative organisations at national and regional level.
2. IMPORTANT SECTORS
These sectors also include a large number of companies whose operations are considered essential to the economy and the smooth running of day-to-day business:
- Postal and courier services
- Chemical industry
- Food production and processing
- Waste management
- Manufacturing and production: in particular, companies involved in the production of essential goods.
The Directive affects not only large companies, but also small and medium-sized enterprises (SMEs) that are active in the above-mentioned sectors and play an essential role in maintaining social or economic order.
Companies operating in the field of cybersecurity or in areas of high relevance to critical infrastructure could also be affected, especially if they are considered central to supply chains or digital infrastructure.
Very small companies with fewer than 50 employees or an annual turnover of less than €10 million are generally exempt from the NIS2 Directive, unless they provide essential services that are critical to national security or the public interest.
Companies and organisations in these sectors must comply with stricter cybersecurity standards, establish more comprehensive risk management processes and comply with reporting obligations in the event of security incidents.
The implementation of the NIS2 Directive poses several challenges for affected companies. Small and medium-sized companies in particular will have to make significant investments in their cybersecurity infrastructure in order to fulfil the new requirements. Coordination between the member states also remains a challenge, as the directive continues to give the national authorities a certain amount of room for manoeuvre when it comes to implementation. It remains to be seen how uniformly and effectively the new regulations will be implemented throughout the EU.
PEROBA QUALITY MANAGEMENT FROM MUNICH - NIS2 CONSULTING AND IMPLEMENTATION
NIS2: Targeted implementation of the EU Cybersecurity Directive
The NIS2 Directive entails not only a considerable financial risk for affected companies in the event of non-compliance, but in particular also a direct liability risk for the responsible managers. Although certification will probably not be mandatory, in practice a certified ISO 27001 quality management system is not only helpful but can also be seen as a sign of practised awareness of the problem. Comprehensive advice on NIS2 and ISO 27001 can specifically reduce these risks.
PeRoBa GmbH Munich is a service provider with many years of experience in quality management, especially in the automotive and mechanical engineering sectors. We also work closely with universities and research institutes. Managing Director Dr. Scherb lectures at, for example, the Hamburger Fern-Hochschule and the FOM in Munich, and is also a speaker at the TÜV-Süd Akademie, the Bildungswerk der Bayerischen Wirtschaft and many other institutions.
We look forward to hearing from you. The best way to reach us is by phone at +49 8106 / 230 89 92.
Quality management ISO 26000, ISO 9001, VDA 6.3 and IATF 16949 - www.peroba.org