NIS-2 Directive: new cybersecurity obligations adopted

6 tips for practical implementation in companies

On 28 November 2022, the Council of the EU adopted the Directive "on measures for a high common level of cybersecurity across the Union" (NIS-2 Directive). It will enter into force on the twentieth day after its publication. The Member States then have 21 months to transpose the requirements into national law, so that the new cybersecurity regulations will apply from no later than 2024. At the latest upon implementation of the Directive, companies will face extensive obligations. Given the short implementation period, companies should already consider the innovations the NIS-2 Directive brings.

1. Check whether you are affected

Companies should check whether they fall under the NIS-2 Directive, as its scope has been considerably extended. All companies are covered that employ more than 50 people, have an annual turnover or annual balance sheet total of more than 10 million EUR and belong to one of the critical sectors. As regards the essential sectors, entirely new sectors, such as waste water or the management of ICT services, have been added alongside extensions to the existing sectors. The same applies to the important sectors, which in future will include, among other things, the production of goods in all fields, such as the production of computers, as well as the healthcare, mechanical engineering and mobility sectors.

2. Implementation of risk management measures

The NIS-2 Directive explicitly states in Art. 21 that the entities concerned must take appropriate and proportionate technical, organisational and operational measures, taking into account the state of the art, in order to manage cybersecurity risks and prevent the impact of security incidents. To make this concrete, the Directive provides for a large number of minimum measures. These include, among other things, the implementation of risk analysis and security concepts for information systems, the handling of security incidents, backup and crisis management, ensuring security in the supply chain, cybersecurity training and a procedure to assess the effectiveness of risk management measures. Companies should therefore ensure a functioning incident response management process, both for the prevention of cyberattacks and for emergencies.

3. Cybersecurity is a matter for the bosses

The central responsibility for risk management according to the NIS-2 Directive lies with the management bodies. In particular, they are required to monitor the implementation of cybersecurity measures and can be held personally liable in the event of non-compliance. In addition, the management bodies must participate in cybersecurity training and ensure that appropriate training is provided to all employees as required.

4. Compliance with reporting obligations

Companies will be subject to strict reporting obligations in the future. Entities subject to the NIS-2 Directive must report any security incident that has a significant impact on the provision of their services. In particularly serious cases, users must also be notified immediately and, if necessary, even the public must be informed. In order to comply with the reporting obligations, companies should therefore establish effective crisis communication and test it for emergencies.

5. Preventing regulatory measures

In order to enforce the cybersecurity requirements, numerous control and sanctioning measures will be available to the national authorities in the future. These include on-site inspections, security audits and instructions or regulatory orders. In case of non-compliance, companies will face fines of up to 10 million EUR or 2% of their total annual worldwide turnover. Moreover, national authorities will also have the power to issue warnings about non-compliance. In addition to the previous powers of the German Federal Office for Information Security (BSI) to issue product warnings, there will be an increased threat of public warnings upon implementation of the Directive, which can place a considerable burden on companies.

6. Compliance with further requirements

The law is becoming the driver of cybersecurity. The EU has reacted to the advancing threat situation in cyberspace, and there will be binding cybersecurity requirements throughout Europe in the future. In addition to the company-related requirements of the NIS-2 Directive, the Cyber Resilience Act will also impose product-related cybersecurity requirements on companies.

