The European Union’s NIS2 Directive (“The Network and Information Security (NIS) Directive”) marks a significant change in the area of cybersecurity. It extends the scope of the original NIS Directive from 2016 and will be implemented throughout the EU from October 2024.
In Germany, the NIS2 Implementation and Cyber Security Strengthening Act (NIS2UmsuCG) is not expected to come into force until the end of March (NIS2 Navigator).
Not all companies will be directly affected by the NIS2UmsuCG. You can use a BSI decision tree to find out whether your company is one of the obligated organizations.
This article is aimed at directors of the organizations concerned and outlines some of the obligations associated with the NIS2UmsuCG.
1. Increased responsibility of the management level (IHK Bonn)
One of the key innovations of the NIS2 directive is the clear responsibility of management. While cyber security was previously often seen as a technical problem, the focus is now also on management. Managers must directly address cybersecurity risks, as they can be held personally liable for compliance. This means:
- Increased accountability: Managers must ensure that cybersecurity measures are properly implemented. They must also monitor the implementation of the measures (Section 38 (1) NIS2UmsuCG-E). Ignoring risks can lead to high penalties.
- Further training and competence building: Managers are obliged to regularly participate in training courses (Section 38 (3) NIS2UmsuCG-E). This should provide them with the knowledge and skills to recognize and assess risks and threats and inform themselves about security strategies. Cybersecurity is now becoming a central part of risk management.
2. Obligation to report security incidents (IHK Bonn)
Companies must ensure that they have an effective system in place for reporting cyber security incidents. The NIS2 requires incidents to be reported to the BSI as the competent authority within 24 hours of their discovery. This means:
- Optimization of internal processes: Information security management teams (ISM teams) must ensure that internal systems and processes are capable of detecting and reporting incidents in a timely manner (Section 32 (1) NIS2UmsuCG-E). This requires investment in suitable tools and employee training (Art. 20 para. 2 NIS2 Directive).
- Transparency: In contrast to previous regulations, operators of critical facilities must not only report incidents that lead to significant adverse effects, but also those that could potentially be serious (Section 32 (3) NIS2UmsuCG-E).
3. Expansion of cyber security resources
The requirements for companies’ cyber security measures will be tightened by the NIS2UmsuCG-E. These include:
- Strengthening technical infrastructures: Companies must ensure that they have effective technical and organizational measures in place that can ward off cyberattacks (Section 30 (1) NIS2UmsuCG-E). Management must invest in technologies that offer protection and carry out regular updates.
- Increase cyber resilience: It is no longer enough to focus solely on prevention. Resilience, i.e. the ability to quickly become operational again after a cyberattack, plays a central role. The keyword here is business continuity management.
For management, this means a review of budgets and priorities. Cybersecurity expenditure is increasingly seen as an essential part of corporate strategy. The IHK Stuttgart recommends introducing an information security management system (ISMS).
4. Cultural change towards a security culture
Another aim of the NIS2 directive is to promote a cyber security culture in companies. The cultural change relates in particular to:
- Training for all employees: Cyber security must not just be a concern for the IT department. All employees, from top management to operational staff, must be trained in security-relevant areas.
- Promote security awareness: Managers must act as role models and raise awareness of cyber threats at all levels of the company.
It is the responsibility of management not only to define security strategies, but also to implement and communicate them consistently.
Summary: Cybersecurity as a top priority
The NIS2 Directive sets a clear framework for the future of cybersecurity in Europe. For the management of affected organizations, this means a profound change in the way cybersecurity risks are viewed and handled. It is no longer enough to hand over responsibility to the IT department or the information security officer (ISO) – managers must take the lead and treat cybersecurity as a strategic priority.