The digital transformation has fundamentally changed our society, but with increasing connectivity, cyber risks are also rising. With the NIS2 Directive, the European Union has responded to this challenge and established a comprehensive legal framework for cybersecurity in critical sectors.
What is the NIS2 Directive?
The NIS2 Directive (Directive 2022/2555), which came into force in January 2023, replaces its predecessor NIS1 and significantly raises the common security level of the EU in the field of cybersecurity. It covers 18 critical sectors and creates clearer regulations as well as stronger supervisory instruments. Member States were required to transpose the directive into national law by October 17, 2024 – a deadline that 23 Member States failed to meet, which is why the Commission has already initiated infringement proceedings.
Which entities are affected?
The NIS2 Directive significantly expands the scope and covers 18 critical sectors:
- Energy: Electricity, gas, and oil supply
- Transport: Air, rail, water, and road transport
- Banking and financial market infrastructures
- Healthcare: Hospitals and other healthcare facilities
- Drinking water supply
- Digital infrastructure: Internet exchange points, DNS services, TLD name registries
- Public administration: Central and regional authorities
- Space sector
- Wastewater management
- Manufacturing of critical products: Medical devices, pharmaceuticals, chemicals
- Food production and distribution
- Digital services: Cloud computing, data centers, social networks
- Postal and courier services
- Waste management
- Providers of public electronic communications services
- Research institutions
- Manufacturing and distribution of electronics and semiconductors
- Defense and security
Specifically, the directive affects entities with more than 50 employees and an annual turnover of over 10 million euros. This means that a large number of companies and organizations face the challenge of meeting the requirements.
Core obligations for affected entities
The NIS2 Directive brings with it a series of concrete obligations:
Affected entities must register with the Federal Office for Information Security (BSI) and designate a fixed contact person – usually an Information Security Officer. This contact point must be reachable around the clock.
A central element is the establishment of an Information Security Management System (ISMS). This includes the definition of information assets, protection requirements, and the development of processes for cryptography, authentication, backups, tests, and emergency concepts.
In the event of a security incident, an initial report must be submitted to the BSI within 24 hours. In addition, the management level is directly held accountable – top management is liable for non-compliance with cybersecurity measures.
Three key strategies for enhanced security
Cybersecurity experts recommend three central measures to arm companies against cyber threats:
1. Security awareness: Since people are the most common entry point for attackers, raising awareness among all employees is crucial. Regular training and a sharpened eye for phishing and other threats can nip many attacks in the bud.
2. Modern protection technologies: Conventional antivirus programs are no longer sufficient. Instead, XDR solutions (Extended Detection and Response), which use AI to detect anomalies early, are recommended. In addition, internet proxies for monitoring data traffic and dedicated mail security solutions should be deployed.
3. Incident response: Every organization should be prepared for the worst case at all times. This includes detailed response plans for various attack scenarios and regular exercises, so that the organization can react quickly and in a coordinated manner in an emergency.
European cooperation structures
The NIS2 Directive creates new structures for cooperation at the European level:
- A network of Computer Security Incident Response Teams (CSIRTs) enables the exchange of information about cyber threats and the coordinated response to incidents.
- For larger cybersecurity incidents, the European Cyber Crisis Liaison Organisation Network (EU-CyCLONe) was created to ensure coordinated management and regular information exchange between Member States and EU bodies.
- The NIS Cooperation Group serves as a platform for strategic cooperation between EU Member States, the European Commission, and the European Union Agency for Cybersecurity (ENISA).
Conclusion: Act now rather than wait
Experts strongly advise not to wait for the final implementation of the directive into national law, but to start preparations now. The implementation of the required measures is complex and time-consuming – a significant challenge especially for smaller entities.
A two-stage approach makes sense: First, conduct an as-is analysis to determine which security issues should be solved centrally and which decentrally. Subsequently, centralized training of the management level is recommended, followed by the identification of all affected areas and the hiring of personnel for implementation.
The NIS2 Directive may initially appear as a bureaucratic hurdle, but given the increasing threat landscape, it offers the opportunity to sustainably strengthen cybersecurity in critical sectors and ultimately improve the security of our entire infrastructure.
Key requirements at a glance
Basic requirements of the NIS2 Directive
- Registration with the BSI and appointment of an Information Security Officer
- 24/7 availability of the contact point
- Initial reporting of security incidents within 24 hours
- Establishment of an Information Security Management System (ISMS)
- Definition of information assets and protection requirements
- Development of processes for cryptography, authentication, and emergency concepts
Temporal aspects
- Deadline for transposing the EU directive into national law: October 17, 2024
- Expected implementation into German law in 2025
- Recommendation: Proactive preparation instead of waiting
For more information on the NIS2 Directive, visit the official website of the European Commission.