What is NIS2?

NIS2 Directive: What companies can expect in 2025

The essentials in summary.

What is NIS2?

The NIS2 Directive (Network and Information Systems) was issued by the European Parliament and Council in October 2024 and is currently being transposed into national law by all EU countries. It aims to raise the level of cybersecurity within the European Union by increasing the minimum IT security requirements for many companies. As the successor to the previously applicable NIS Directive, it introduces some important changes: significantly more sectors and companies now fall under the directive than before, and stricter reporting obligations and mandatory audits will apply.

Companies should therefore promptly determine whether they are affected and which measures they need to take. Given the expanded scope of the directive, many businesses will find themselves facing new requirements and obligations. To help you understand the impact on your company, we've provided an initial overview below. For an in-depth exploration, Enobyte offers specialized seminars on NIS2 compliance. Naturally, we're also available to support you with personalized guidance tailored to your organization's specific needs.

Is my company affected?

NIS2 defines 18 sectors as key sectors. Companies with at least 50 employees or ten million euros in annual turnover operating in these sectors must comply with the new requirements and implement measures to improve cybersecurity. In some special cases, the directive applies regardless of company size, e.g. for DNS services, TLD registrars, qualified trust services, and operators of critical infrastructure (KRITIS). Additionally, companies falling under NIS2 are required to secure their entire supply chain. This means that suppliers of NIS2-regulated entities must also adhere to NIS2 requirements, even if they themselves do not fall directly within the scope of the directive.

Annexes I and II of the NIS2 Directive determine the basic scope of application. A distinction is made between "sectors of high criticality" and "other critical sectors". These sectors are further divided into sub-sectors, so not all businesses operating in these areas necessarily fall under NIS2.

  • Sectors of high criticality
    • Energy
    • Transport
    • Banking
    • Financial market infrastructures
    • Health
    • Drinking water
    • Waste water
    • Digital infrastructure
    • ICT service management (business-to-business)
    • Public administration
    • Space
  • Other critical sectors
    • Postal and courier services
    • Waste management
    • Manufacture, production and distribution of chemicals
    • Production, processing and distribution of food
    • Manufacturing
    • Digital providers
    • Research

Furthermore, a distinction is made between medium-sized companies (50 - 249 employees, <50 million € turnover) and large companies (>250 employees, >50 million € turnover). Depending on the sector in which they offer their services and on their size, companies are classified as either important or essential entities, which can result in different obligations and fines.

For an initial evaluation of whether your company is affected by the NIS2 Directive, you can use our NIS2 Assessment.

Take our free NIS2 Assessment now!

What measures does my company need to take?

If your company falls under NIS2, it must first contact the competent authority (in Germany, the Federal Office for Information Security - BSI) and provide the following information:

  • Names and contact details, including IP address ranges
  • Relevant sectors and sub-sectors according to Annexes I and II of the directive
  • List of EU countries in which the relevant services are provided

The directive furthermore requires senior management to participate regularly in training to ensure sufficient knowledge and skills for identifying and assessing risks, as well as for management practices in the field of cybersecurity.
 

Minimum Measures

NIS2 requires technical, operational, and organizational measures for the security of systems used to provide services.
These must include at least:

  • Policies on risk analysis and information system security
  • Incident handling
  • Business continuity planning in the event of emergencies, backup management and recovery, crisis management
  • Supply chain security, security-related aspects of the relationship between companies and direct suppliers
  • Security measures for the acquisition, development, and maintenance of network and information systems, management and disclosure of vulnerabilities
  • Policies and procedures to assess the effectiveness of risk management measures
  • Cyber hygiene and cybersecurity training
  • Concepts for the use of cryptography and, if applicable, encryption
  • Personnel security, access control, asset management
  • Use of multi-factor authentication (MFA), Continuous Authentication, secure communication even in emergencies

In the future, the European Commission may issue more detailed implementing acts specifying technical and methodological requirements for these measures.

In principle, companies should determine how the measures can be implemented proportionately according to their specific risk. Non-compliance with the measures may be subject to fines.
 

Reporting obligations

Security incidents that have a significant impact on the provision of services must be reported to the competent authority or a CSIRT (Cybersecurity Incident Response Team).

The following deadlines apply:

  • An initial report must be made immediately, at the latest within 24 hours
  • A more detailed report, including an assessment of severity and impact as well as indicators of compromise, must be submitted within 72 hours
  • At the latest after one month, a final report must be submitted, or a progress report in case the security incident is still ongoing

At the request of the competent authority or CSIRT, additional interim reports may have to be prepared and submitted.

Furthermore, the company may be required to inform customers or the public about the incident. In Germany, for example, companies in the financial and insurance sectors, information technology and telecommunications, ICT services and digital services must inform their customers immediately about significant cyber threats and possible countermeasures, according to the current drafts of the updated BSI Act.

We're here to assist you!

If you have unanswered questions or would like a detailed consultation on the topic of NIS2, do not hesitate to contact us. Enobyte is happy to support you with the implementation of the new requirements.

Get in touch

More than 100 companies already trust in Enobyte. Looking forward to getting in touch with you.