Implementing appropriate cyber security in industry, public authorities and service providers is one of the greatest challenges of our time. To better meet this challenge and protect IT systems from cyberattacks, the European Union has adopted the NIS2 (Network and Information Security) Directive.
In this blog post, we explain the key measures that companies should take in accordance with the NIS2 Implementation Act.
What is NIS 2?
NIS 2 is the revised version of the original 2016 NIS Directive and aims to improve the security requirements for network and information systems in the EU and help Member States prevent or mitigate the impact of cyber threats. NIS 2 was adopted in December 2022 and must be transposed into national law by the EU member states by October 17, 2024.
Important innovations and requirements
Extended scope of application
One of the most significant changes in NIS 2 is the extended scope. While the original NIS Directive only covered certain sectors (critical infrastructure such as energy, transport and health), NIS 2 covers a much broader range of sectors and, within them, medium-sized and large companies that are considered essential to the economy and society. This includes, for example, the food industry, mechanical engineering, IT service providers and the public sector.
Stricter security requirements
NIS 2 specifies stricter security requirements for companies and organizations. These requirements include, among other things:
- Risk management: Companies must implement a robust risk management system that is regularly reviewed and adapted to the threat situation.
- Security measures: Technical and organizational measures must be taken to protect and manage network and information systems. These include, for example, regular security assessments that also cover the supply chain, employee training, the use of cryptography and encryption, and backup and recovery management.
- Reporting obligations: Significant cyber incidents must be reported to the competent national authority or CSIRT in stages: an early warning within 24 hours of becoming aware of the incident, a full incident notification within 72 hours, and a final report no later than one month after that notification.
Stronger supervision and sanctions
Supervision of compliance with the NIS 2 Directive will be tightened. National authorities will be given extended powers to audit and enforce the directive. Non-compliance can result in significant fines: for essential entities up to EUR 10 million or 2% of worldwide annual turnover, whichever is higher, and for important entities up to EUR 7 million or 1.4%. In addition, management bodies can be held personally accountable for approving and overseeing the security measures. This is intended to ensure that companies take the requirements seriously and actively take measures to improve their cyber security.
Conclusion
NIS 2 lays the foundations for improving cyber security in the EU. By expanding the scope and the range of entities affected, introducing stricter security requirements and having national supervisory authorities monitor them, the directive is intended to increase resilience to cyber threats. At the same time, companies should be prepared to keep business operations running, at least in a reduced emergency mode, in the event of a cyberattack.
For the affected companies and organizations, this means that they must continuously review their existing security strategies and adapt them on a risk-based basis in order to meet the requirements of NIS 2.
Time is of the essence: the deadline for transposing NIS2 into applicable national law is October 17, 2024. ADVASO helps you to meet the legal requirements.
Interesting external links on the topic:
Information from the BMI on the draft law
NIS2 draft law as PDF (BMI from 22.07.2024)
Stay tuned: In the next blog, we will inform you about the current status of the legislative process of the NIS-2 Implementation and Cybersecurity Strengthening Act (NIS2UmsuCG) and explain the criteria for particularly important institutions.