
NIS-2 Directive: What companies need to consider to ensure cybersecurity
In today’s digital age, companies are more dependent than ever on the benefits of modern technologies. However, this ongoing digitalization also brings with it increased risks, particularly with regard to cyberattacks and data breaches. The new NIS 2 Directive was introduced to ensure the security of information systems and strengthen data protection.
Significance for companies
As a company, you should not underestimate the NIS 2 Directive, as it sets out extensive obligations that you must comply with in order to ensure the protection of your IT infrastructure and cybersecurity. To help you meet the requirements of this new legislation, we have summarized the most important points below.
Expansion of the scope of application
The NIS 2 Directive now also applies to smaller companies than before. Companies with at least 50 employees, an annual turnover of €10 million, or an annual balance sheet total of €10 million fall under this directive. Similar to the GDPR, violations are subject to severe penalties.
EU member states are required to transpose the NIS 2 Directive into national law by October 17, 2024. Even though the national transposition law is not yet available, companies should start preparing now.
Which companies are affected by the NIS 2 Directive?
The directive applies to companies in “highly critical sectors” such as energy, transport, banking, financial market infrastructures, healthcare, drinking water, wastewater, digital infrastructure, ICT service management (B2B), public administration, and space.
Other critical sectors include postal and courier services, waste management, production, manufacturing, and trade in chemical substances, food production, manufacturing (e.g., mechanical engineering, vehicle construction), digital service providers (online marketplaces, search engines, social networks), and research.
Risk management requirements
The NIS 2 Directive places great emphasis on an effective risk management culture. Essential and important entities must take appropriate technical, operational, and organizational measures, including risk analysis, security concepts, backup and crisis management, access controls, and encryption concepts. These measures should be state-of-the-art and tailored to individual risks.
Pursuing a holistic approach to security
Cyber threats can have different causes. Therefore, risk management measures should not only target cyber attacks, but also physical hazards such as theft, fire, or unauthorized access. Which measures are appropriate depends on your company’s risk exposure and should be proportionate to the potential social and economic impact of an incident.
Companies must report security incidents
Companies must report significant security incidents immediately. This is done in a multi-stage process: early warning, reporting of the incident itself, and final report. In addition, companies may be required to inform affected customers and users if their services are impacted.
Company management bears responsibility
Management bodies must ensure that sufficient resources are allocated to cybersecurity. In addition, there needs to be a clear division of responsibilities within the company. Regular assessments and adjustments to security measures are necessary in order to keep pace with threats.
Far-reaching sanctions planned
Supervisory authorities will be given far-reaching powers, including on-site inspections, the right to request information, and independent audits.
Violations will be subject to heavy fines:
- For essential entities, up to €10 million or 2% of global annual turnover.
- For important entities, up to €7 million or 1.4% of global annual turnover.
- In particularly serious cases, the authority may even temporarily dismiss managers.
Connection to the GDPR
Personal data may also be affected in the event of significant security incidents. In this case, the incident must be reported to the data protection authority pursuant to Article 33 GDPR, in addition to the NIS 2 notification. A double fine for the same violation is excluded, but other measures remain possible.
Conclusion
Companies subject to the NIS 2 Directive must adapt their security measures at an early stage. Those who are prepared reduce risks, avoid sanctions, and strengthen their cybersecurity in the long term.
Contact us today and let’s work together to strengthen your cybersecurity!
Olga Stepanova