NIS2 Directive: What companies can expect in 2024

The NIS2 Directive (Network and Information Systems) issued by the European Parliament and Council will be transposed into national law by October 2024 and aims to increase the level of cybersecurity within the European Union. This raises the minimum IT security requirements for many companies. The successor to the previously applicable NIS Directive introduces some important changes - now, significantly more sectors and companies fall under the directive than before. Moreover, stricter reporting obligations will apply. 

Companies should therefore timely inquire whether they are affected and which measures they need to take. Below you will find an initial overview. For a detailed introduction to the topic, Enobyte offers NIS2 seminars. Of course, we are also happy to provide you with individual advice.

NIS2 defines 18 sectors as key sectors. Companies with at least 50 employees or ten million euros in annual turnover operating in these sectors must comply with the new requirements and implement measures to improve cybersecurity. For some special cases, the directive applies regardless of the size of the company, e.g. for DNS services, TLD registrars, qualified trust services, and operators of critical infrastructure (KRITIS).

Annexes I and II of the NIS2 Directive determine the basic scope of application. A distinction is made between "sectors of high criticality" and "other critical sectors". These sectors are further divided into sub-sectors, so not all businesses operating in these areas necessarily fall under NIS2.

If your company falls under NIS2, it must first contact the competent authority (in Germany, the Federal Office for Information Security - BSI) and provide the following information:

• Names and contact details, including IP address ranges
• Relevant sectors and sub-sectors according to Annexes I and II of the directive
• List of EU countries in which the relevant services are provided

The directive furthermore requires that management bodies regularly participate in training to ensure sufficient knowledge and skills for the detection and evaluation of risks, as well as management practices in the field of cybersecurity.
 

Minimum Measures

NIS2 requires technical, operational, and organizational measures for the security of systems used to provide services.
These must include at least:

• Policies on risk analysis and information system security
• Incident handling
• Business continuity in the event of emergencies, backup management and recovery, crisis management
• Supply chain security, security-related aspects of the relationship between companies and direct suppliers
• Security measures for the acquisition, development, and maintenance of network and information systems, management and disclosure of vulnerabilities
• Policies and procedures to assess the effectiveness of risk management measures
• Cyber hygiene and cybersecurity training
• Concepts for the use of cryptography and, if applicable, encryption
• Personnel security, access control, asset management
• Use of multi-factor authentication (MFA), Continuous Authentication, secure communication even in emergencies

In the future, the European Commission may issue more detailed implementing acts specifying technical and methodological requirements for these measures.

In principle, companies should determine how the measures can be implemented proportionately according to their specific risk. Non-compliance with the measures may be subject to fines.
 

Reporting obligations

Security incidents that have a significant impact on the provision of services must be reported to the competent authority or a CSIRT (Cybersecurity Incident Response Team).

The following deadlines apply:

• An initial report must be made immediately, at the latest within 24 hours
• A more detailed report, including an assessment of severity and impact, as well as compromise indicators, must be submitted within 72 hours
• At the latest after one month, a final report must be submitted, or a progress report in case the security incident is still ongoing

At the request of the competent authority or CSIRT, additional interim reports may have to be prepared and submitted.

Furthermore, the company may be required to inform customers or the public about the incident. In Germany for example, companies in the financial and insurance sectors, information technology and telecommunications, ICT services and digital services must inform their customers immediately about significant cyber threats and possible countermeasures according to the current drafts of the updated BSI Act.

If you have unanswered questions or would like a detailed consultation on the topic of NIS2, do not hesistate to contact us. Enobyte is happy to support you with the implementation of the new requirements.