2月 28, 2023
NIS2 - What you need to consider
Back in 2016, the EU established the NIS (Network and Information Security) cybersecurity directive. Because the directive was very abstract, was not implemented uniformly in the EU countries and, in addition, the Corona pandemic acted as an additional amplifier of cyberattacks, the European Commission decided to revise the directive. Since mid-January, the revised version NIS2 is now available; it replaces NIS and defines new EU minimum standards for cybersecurity of critical infrastructure. The obligations of the directive are to be implemented in national law by the end of 2024.
What's new about NIS2?
The revised NIS2 directive significantly expands the sectors that are classified as critical services. While there were only eight in NIS, NIS2 expands the sectors to 18, distinguishing between essential ("essential") and important ("important"). Here is a comparison of the scope of NIS and NIS2:
Scope of NIS
- Energy (electricity, oil, gas, heat)
- Health (utilities, pharmaceuticals)
- Transportation (air, rail, water, road)
- Banks and financial markets
- Water (water)
- Digital (Internet Exchange Point (IXP) providers, DNS service providers, TLD name registries, ICT service management)
- Industry (technology and engineering)
- Digital services (online marketplaces, online search engines, social networks)
Scope of NIS2: Essential ("Essential")
- Energy (electricity, oil, gas, heat, hydrogen)
- Health (utilities, laboratories, pharmaceuticals)
- Transportation (air, rail, water, road)
- Banking and financial markets
- Water and wastewater
- Digital (Internet Exchange Point (IXP) providers, DNS service providers, TLD name registries, data center service providers, cloud computing service providers, content delivery network providers, trust service providers)
- ICT service management, space, public administration
Scope of NIS2: Important ("Important")
- Postal and courier
- Waste management
- Chemicals
- food
- Industry (technology and engineering)
- Digital services (online marketplaces, online search engines, social networks)
- Research
NIS2 thus affects more companies, prescribes an improved risk management approach, and provides for more obligations and stricter sanctions. It now clearly sets out the procedures, content and deadlines for reporting security incidents, as well as transposition into national law and enforcement. Other new measures in the directive include:
- the establishment of national computer emergency response teams
- the creation of an incident response plan coordinated with member states' plans
- improving cooperation between private and public entities
- a cross-sector security culture that is critical to the economy and society and relies heavily on ICTs such as energy, transport, water, banking, financial market infrastructures, healthcare and digital infrastructure.
The directive sets thresholds of at least 50 employees and 10 million euros in annual revenue. But beware: some companies, regardless of size, count as critical services affected by NIS2 if they are the sole provider of a service in a country that contributes significantly to the maintenance of critical activities of society or the economy.
Implementing NIS2 - act now
The federal government in Germany plans to convert NIS2 into national law by October 2024. Those who are now newly covered by the directive should act quickly. Because consulting, the selection of suitable technologies and their implementation take time. With proactive security solutions from Rohde & Schwarz Cybersecurity, you can meet the requirements of NIS2, choose the best possible protection for your sensitive data and increase your digital sovereignty.
We would be happy to advise and support you in implementing the NIS2 directive - feel free to contact us.