ANEXIA
NIS2 directive brings major challenges

Written on July 28, 2023 by Michael Hiess

The term NIS, usually also referred to as NIS1, stands for “Directive on Security of Network and Information Systems”, which was adopted by the EU in 2016. Since then, the NIS Directive has been revised, and the NIS2 version has been adopted by the European Parliament.

Objectives of the NIS2 Directive

What is the objective of the NIS2 Directive?

The directive was developed to improve the protection of critical infrastructure within EU member states, to prevent or detect cybersecurity incidents, and to respond to them appropriately. The goal of the directive is to raise cybersecurity to a new level across the EU.

It harmonizes standards, strengthens risk management, introduces reporting requirements, and tightens fines to provide more comprehensive and effective protection for critical infrastructure and digital services.

NIS2 aims to strengthen cybersecurity for essential infrastructures across the EU and protect them against cyber threats of all kinds. In doing so, the directive addresses current cybersecurity challenges, particularly those arising from the increasing digitization of services and the growing use of IoT devices. The aim is to improve cybersecurity resilience and responsiveness in order to protect both the public and private sectors in the EU, so that vital infrastructure continues to function in times of crisis.

The directive establishes basic minimum requirements for the security of networks and information systems and requires all EU member states to standardize policies and measures to ensure cybersecurity.

Among other things, entities affected by the directive must take appropriate risk management measures for the security of their network and information systems and comply with corresponding reporting obligations.

Since this is a directive and not a regulation, it does not apply automatically in all EU countries but must first be transposed into national law by each EU member state.

Innovations of the NIS2 Directive

The NIS2 Directive represents an updated version of the original cybersecurity directive, NIS1. It replaces the previous directive and sets new minimum requirements for the security of critical infrastructure within the EU.

In Austria, the NIS1 Directive was implemented in 2018 as the Federal Act on Ensuring a High Level of Security of Network and Information Systems (Network and Information Systems Security Act – NISG). This regulation mainly applies to companies that belong to the critical infrastructure or operate digital services such as online marketplaces, search engines and cloud computing services.

The introduction of NIS2 expands the foundation of the original directive. The expanded NIS2 directive was published in 2023 and requires all EU states to implement the requirements into national law by October 17, 2024.

NIS2 replaces NIS1

Why is NIS1 being replaced by NIS2?

The NIS1 directive presented by the EU Commission in 2016 was formulated too vaguely in many points and was therefore implemented very inconsistently across the member states. For example, there were differences in the classification of critical infrastructure, and the list of providers affected by the directive varied from country to country.

In addition, there were no rules for monitoring implementation and no specific requirements for the disclosure of cyber risks. Another weakness of the NIS1 directive is related to insufficient cyber resilience and the lack of coordinated crisis responses. Against this backdrop and considering the growing threat as well as increasing cybersecurity requirements, the European Commission decided to revise the NIS Directive, whereupon the NIS2 Directive was enacted by the European Parliament on January 16, 2023.

Who is affected by the NIS2 directive?

The NIS2 directive extends the scope of application compared to the previous legal situation. This means that some companies or authorities that were previously not subject to IT security regulations may now be regulated. All companies and authorities are therefore advised to deal with the NIS2 rules at an early stage so that they can react to possible effects or changes in good time.

Large and medium-sized companies from 14 sectors are affected by the NIS2 directive:

NIS2 Essential Entities

The number of “Essential Entities” classified as critical has been increased to eleven sectors in the new directive, while the “Important Entities” comprise seven sectors. This means that a total of eighteen NIS2 sectors are affected.

NIS2 classification by company size

The NIS2 regime applies only to medium-sized and large companies, without considering thresholds for individual facilities or similar criteria. In addition, certain companies are regulated regardless of size, such as parts of the digital infrastructure or public administration.

The classification of a company as large, medium, or small depends on the following factors:

  • A large company employs at least 250 people or has annual sales of more than 50 million euros, or total assets of more than 43 million euros.
  • A medium-sized company has between 50 and 249 employees or generates annual sales of up to 50 million euros, or total assets of between 10 and 43 million euros.
  • A small company, on the other hand, employs fewer than 50 people or has annual sales or total assets of up to 10 million euros and therefore does not fall under NIS2 regulation.

Affected companies regardless of company size

Regardless of classification by company size, the NIS2 Directive also applies to providers of the following services:

  • Providers of public electronic communications networks or publicly available electronic communications services
  • Providers of trust services
  • Top-level domain registrars and DNS service providers
  • Providers acting as the sole provider of a service in a Member State and whose service is essential for the maintenance of critical social or economic activities or where disruption of the service could have a significant impact on public order, public security, or public health.

NIS2 responsibilities

Who is responsible for cybersecurity according to NIS2?

The NIS2 directive clarifies that responsibility for cybersecurity and the prevention of IT security incidents must lie with top management in every company. This means that senior management must ensure that all risk management measures are followed, and management can be held personally liable if these requirements are not met. To this end, supervisory authorities are given powers to conduct on-site inspections and security reviews and to take effective, proportionate, and dissuasive measures.

This applies to public administration, regardless of whether national rules on the liability of civil servants or other employees provide otherwise.

When will the new regulations for companies come into force?

By October 18, 2024, at the latest, the NIS2 Directive must be transposed into national law in all EU member states.

The aim of the regulation is to strengthen the cybersecurity of key facilities. EU member states must ensure through their national legislation that the leadership teams of key institutions implement and monitor cybersecurity risk management measures and can be held accountable for breaches.

In addition, all EU member states must ensure that leadership teams participate in regular training and encourage key institutions to provide regular cybersecurity training to their staff to identify, assess, and manage cybersecurity risks and understand their impact on the services provided by the organization.

What risk management measures does NIS2 regulate?

The directive contains the following risk management measures that must be fulfilled by the companies and institutions concerned:

  • Policies: Introduction of guidelines covering all risks and the implementation of information security.
  • Incident management: Prevention, detection, and handling of security incidents.
  • Business continuity: Ensuring business continuity through backup management, disaster recovery, and crisis management.
  • Supply chain: Supply chain security and security measures in the procurement and maintenance of IT and network systems.
  • Effectiveness: Specifications for measuring the effectiveness of cybersecurity and risk management measures.
  • Training: Cybersecurity hygiene training and education.
  • Cryptography: Specifications for cryptography and encryption in all essential areas.
  • Personnel: Human resources security.
  • Access control: Monitoring and logging of all accesses.
  • Asset management (ISMS): An Information Security Management System comprises rules, procedures, methods, and tools to increase information security; ISO 27001 is considered the gold standard.
  • Authentication: Use of multi-factor authentication (MFA) and single sign-on (SSO).
  • Communication: Use of encrypted voice, video, and text communication.
  • Emergency communication: Use of secure emergency communication systems.

In addition, supervision and cooperation between authorities and companies will be intensified, and a reporting obligation will be introduced. An initial notification is required within 24 hours of detecting a cybersecurity incident. If necessary, an update and preliminary assessment will be conducted by the supervisory authority within 72 hours of the initial notification. A final report must be submitted no later than one month after the initial notification of the incident. The reporting requirement is intended to improve transparency and coordination so that cybersecurity incidents can be combated effectively.

Summary of the innovations of the NIS2 Directive

Compared to NIS1, the NIS2 Directive brings significant extensions in terms of responsibility, obligations, and supervision within the EU:

Sectors: The number of “Essential Entities” classified as critical increases to eleven, and the “Important Entities” have been expanded to seven sectors.

Affected entities: The regulation affects large and medium-sized companies. In addition, some operators are regulated regardless of size, including parts of digital infrastructure and public administration.

Cyber security: Requirements for operators and EU member states will be increased, including requirements for the security of supply chains.

Cooperation: Oversight and cooperation between authorities and operators will be intensified, and European jurisdiction will be clarified.

Sanctions: Penalties and enforcement measures will be significantly increased, with maximum fines of up to €10 million, or two percent of the company’s total annual global turnover.

The complete EU NIS2 Directive →
