6 tips for practical implementation in companies
On 28 November 2022, the Council of the EU adopted the Directive “on measures for a high common level of cybersecurity across the Union” (NIS‑2 Directive). It will enter into force on the twentieth day after its publication. The Member States then have 21 months to transpose the requirements into national law, so that new cybersecurity regulations will apply from no later than 2024. At the latest upon implementation of the Directive, companies will be faced with extensive obligations. Due to the short implementation period, companies should already now consider the innovations which the NIS‑2 Directive brings.
1. Check whether you are affected
Companies should check whether they fall under the NIS‑2 Directive, as its scope has been considerably extended. All companies are covered that employ more than 50 people, have an annual turnover or annual balance sheet total of more than 10 million EUR and belong to one of the critical sectors. As to the essential sectors, both entirely new sectors, such as waste water or the management of ICT services, as well as extensions to the existing sectors have been added. The same is true for the important sectors, which in the future will include, among other things, the production of goods in all fields, such as the production of computers or the healthcare, mechanical engineering and mobility sectors.
2. Implementation of risk management measures
The NIS‑2 Directive explicitly states in Art. 21 that the entities concerned must take appropriate and proportionate technical, organisational and operational measures, taking into account the state of the art, in order to manage cybersecurity risks and prevent the impact of security incidents. To put this into concrete terms, the Directive provides for a large number of minimum measures. These include, among other things, the implementation of risk analysis and security concepts for information systems, the handling of security incidents, backup and crisis management, ensuring security in the supply chain, cybersecurity training and a procedure to assess the effectiveness of risk management measures. Companies should therefore ensure a functioning Incident Response Management for the prevention of cyberattacks as well as for emergencies.
3. Cybersecurity is a matter for the bosses
The central responsibility for risk management according to the NIS‑2 Directive lies with the management bodies. In particular, they are required to monitor the implementation of cybersecurity measures and can be held personally liable in the event of non-compliance. In addition, the management bodies must participate in cybersecurity training and ensure that appropriate training is provided to all employees as required.
4. Compliance with reporting obligations
Companies will be subject to strict reporting obligations in the future. Entities subject to the NIS‑2 Directive must report any security incident that has a significant impact on the provision of their services. In particularly serious cases, users must also be notified immediately and, if necessary, even the public must be informed. In order to comply with the reporting obligations, companies should therefore establish an effective crisis communication and test it for emergencies.
5. Preventing regulatory measures
In order to enforce the cybersecurity requirements, numerous control and sanctioning measures will be available to the national authorities in the future. These include on-site inspections, security audits and instructions or regulatory orders. In case of non-compliance, companies will face fines of up to 10 million EUR or 2% of their total annual worldwide turnover. Moreover, national authorities will also have the power to issue warnings about non-compliance. In addition to the previous powers of the German Federal Office for Information Security (BSI) to issue product warnings, there will be an increased threat of public warnings upon implementation of the Directive, which can place a considerable burden on companies.
6. Compliance with further requirements
The law is becoming the driver of cybersecurity. The EU has reacted to the advancing threat situation in the cyberspace and there will be binding cybersecurity requirements throughout Europe in the future. In addition to the company-related requirements of the NIS‑2 Directive, the Cyber Resilience Act will also impose product-related cybersecurity requirements on companies.back