NIS2 Directive Compliance for Cybersecurity in the EU
The overall requirements of cybersecurity criteria and the number of affected companies have increased significantly with NIS2. Companies are required to implement the new security measures by October 2024. If you want to implement the requirements of the NIS2 Directive easily and sustainably, you’ve come to the right place.
What is the NIS-2 directive? And what does it mean for companies?
The NIS-2 Directive (The Network and Information Security Directive) is an EU-wide regulation for cyber and information security. It contains legal requirements for IT security to bring the current minimum security standard to a new level and to remedy existing deficiencies.
A draft bill for the corresponding German law has existed since April 2023; it was submitted to the Federal Ministry as the NIS-2 Implementation and Cybersecurity Strengthening Act.
Among other things, the strengthened NIS-2 directive focuses on:
NIS-2 affected sectors and companies
Enforcement of NIS2 depends on the category in which an organization is classified. An organization or institution can be classified as essential (Essential Entity) or important (Important Entity). The classification depends on the size of the company and on whether it falls under a sector of high criticality or one of the other critical sectors. Fines for violations and the level of oversight by authorities vary by classification.
Should companies fail to comply with the new measures of the NIS-2 Directive, they may be subject to heavy fines, depending on the sector. For essential entities, fines can amount to 10 million euros or 2 percent of annual revenue. Important entities may face fines of 7 million euros or 1.4 percent of annual revenue.
Implementing NIS2 requirements simply
The NIS2 Directive does not specify concrete technical measures. Instead, it refers to industry standards such as B3S. There is generally a lot of overlap with ISO/IEC 27001.
Learn at a glance how Enginsight software and matching partner services can help you implement and continuously comply with NIS2.
NIS-2 requirements for companies
The requirements of NIS2 can be roughly divided into four categories, from which security objectives and, based on them, measures can be derived to improve the security status or to demonstrate it.
Meeting security targets with Enginsight
The NIS-2 Directive is a new EU-wide directive on network and information security that must be implemented by all affected companies by October 17, 2024. The new directive significantly increases the number of companies affected. Affected companies must review their IT security measures and adapt them to the new standard where necessary.
Whether or not a company is affected must be assessed and evaluated by the company itself on the basis of the new NIS2 criteria.
However, the NIS2 directive does not specify concrete technical measures. It points to industry standards such as B3S. There is generally a lot of overlap with ISO/IEC 27001.
However, basic security objectives can be derived from the NIS2 directive. Enginsight and its partners support you in implementing these objectives and in complying with them continuously.
Green checkmarks = direct implementation by Enginsight / gray checkmarks = solution available via Enginsight Trusted Partner.
* The listed objectives are not explicitly defined in NIS2, but reflect general basic security objectives as recommended in international standards such as IEC 62443.
** Mandatory for critical infrastructure
*** CSIRT (Computer security incident response team) = government computer emergency response team.
Status quo: How well are you positioned so far?
Your company is located in Germany or another European country and is regulated under NIS2, but you are not sure whether your security measures meet the requirements of the directive? Then start now with a NIS2 requirements analysis of your IT infrastructure. Once you have identified the gaps between the status quo and the target state, you can implement (or have implemented) suitable security measures in a prioritized manner and stay relaxed when the amended law makes them mandatory.
By the way: IT inventorying is done in Enginsight at the push of a button. We are happy to demonstrate this. Contact us.
FAQ about the NIS2 requirements
NIS-2 stands for “Network Information Security” and is a law that relates to the security of information networks. It builds on the original NIS framework and aims to strengthen cybersecurity in Europe through complementary security measures. The new directive imposes mandatory security measures and reporting obligations on companies and organizations that were not previously affected (regulated).
In Germany, a draft bill for the new NIS2 Act is already available (NIS2UmsuCG).
In the European Union, the new NIS2 Directive (EU 2022/2555) was promulgated in early 2023. All member states are now required to make NIS2 a mandatory minimum standard through national legislation. In Germany, the implementation of the directive is expected to come into force in October 2024.
All companies and institutions that belong to the critical infrastructure sectors fall under the new NIS2 directive if they have at least 50 employees or at least EUR 10 million in annual revenue and annual balance sheet total. Some important entities fall under the regulation regardless of their size (e.g., CRITIS). A brief overview of all sectors and requirements can be found in our PDF download on NIS2.
Depending on the classification (essential/important, large/medium/small), the amount of the fine differs. The maximum amount is €10 million or 2% of global sales.
Essential entities are audited proactively and regularly by the authorities. Important entities are checked reactively, i.e., only when there are indications of violations.
With NIS2 comes liability for management and the board of directors. They must monitor the implementation of the measures and take part in training.