NIS2: New cybersecurity regulation in 2023
by Nico Pätzel
Enhanced EU Cybersecurity Regulation for CRITIS
Critical infrastructure in focus: the importance of the NIS2 directive
Critical infrastructures are the foundation of our modern society. They ensure the supply of essential services such as electricity and water. A failure or impairment of these systems can have serious consequences. This is where the NIS2 Directive comes in. Its aim is to ensure that critical infrastructures across Europe take uniform, appropriate security precautions to arm themselves against digital attacks. This is not only about the prevention of cyber attacks, but also about a timely and effective response in the event of an attack.
The evolution of NIS policies
The cyber threat landscape has grown significantly in recent decades. In response to increasingly frequent and severe cyber attacks, the European Commission adopted the NIS1 (Network and Information Security) Directive back in 2016. This directive aimed to oblige CRITIS operators - including entities from the energy, water, finance and healthcare sectors, as well as digital service providers in the EU - to take advanced technical and organisational measures to arm themselves against cyber attacks. With the introduction of the NIS2 Directive, the EU is now stepping up its efforts and broadening the scope of security requirements to cover significantly more sectors than before.
A necessary upgrade for cybersecurity
Germany was already well prepared for the implementation of NIS1, as many of the requirements were already covered by the national IT Security Act 1.0 passed in 2015. In 2021, the IT Security Act 2.0 built on this: the scope of application was expanded and the obligations for affected companies were tightened. In addition, the Federal Office for Information Security (BSI) received expanded responsibilities, strengthening its position as the federal government's central cybersecurity authority.
Despite these measures, however, the cyber threat situation remained worrying, and the EU therefore had to revise its security directives. The NIS1 Directive was implemented inconsistently in the member states and the criteria for CRITIS operators varied considerably, which led to an inadequate level of cybersecurity across the EU. In response, the NIS2 Directive came into force in early 2023 and must be transposed into national law by October 2024.
NIS2 in detail: What businesses need to know now
The updated NIS2 Directive brings profound changes that will affect businesses and organisations across the EU. Key adjustments to the directive include:
- Expanded scope and stricter requirements
A key feature of the NIS2 Directive is the expansion of its scope. In addition to the already known "high criticality sectors", "critical sectors" such as postal and courier services, waste management and food producers are now included. In addition, companies with at least 50 employees and an annual turnover of more than 10 million euros fall within the scope. This means that not only large companies but also SMEs are now affected by the new regulations.
- Tighter reporting requirements and supply chain security
The NIS2 directive places great emphasis on transparency and responsiveness. Companies must report security incidents within 24 hours and provide a detailed report within one month. It also emphasises the protection of the entire supply chain. Companies must set security standards for their partners and monitor compliance.
- A holistic approach to risk mitigation
The NIS2 directive emphasises the need for comprehensive risk management. This includes the implementation of zero-trust principles, regular software updates and effective network segmentation. In addition, identity and access management, encryption and multi-factor authentication are essential. Employee training and awareness, especially with regard to phishing attacks, are also key.
- Cybersecurity as a management task
The NIS2 directive makes it clear that IT security is a management task. Violations can lead to significant penalties, both for companies and for individual managers. Companies must act proactively and take the necessary measures to comply with the NIS2 Directive at the latest when it comes into force.
New challenges in cyber security: The implementation of the NIS2 law
The NIS2 law aims to strengthen the resilience of critical sectors and promote cooperation between member states. It sets clear requirements for operators of essential services and digital service providers to ensure that they take appropriate security measures and report incidents. The implementation of the law requires close cooperation between national authorities and relevant stakeholders.
Another focus of the NIS2 law is the expansion of its scope compared to NIS1. New sectors such as the financial sector and the health sector are now also taken into account. This underlines the importance of cybersecurity in an increasingly interconnected world.
However, the implementation of the NIS2 law into national law is not without challenges. It requires a careful balancing of security requirements and the operational needs of the companies concerned.
In addition, member states must ensure that they have the necessary resources and capabilities to monitor and enforce compliance with the law.
What's in store for companies in 2023
The NIS2 Implementation Act brings significant changes to the German CRITIS regime. In addition to operators of critical facilities, "highly relevant institutions" and "relevant institutions" are now introduced. Security requirements intensify for an estimated 30,000 companies in Germany.
- Responsible parties: The focus is on operators of critical facilities (CRITIS) as well as the newly defined highly relevant and relevant institutions (identification based on company size). Federal institutions and some special cases are also affected.
- Sectors: While the CRITIS sectors remain, the sectors of the newly defined institutions expand in line with the NIS2 Directive.
- Public companies: Companies of special public interest are no longer included and are instead incorporated into relevant and, in some cases, highly relevant institutions.
- Cybersecurity: Obligations for companies will be more precise and extensive, including risk management, incident reporting, technical measures and corporate governance.
- Regulation: Government regulation is intensified through registration requirements, proof requirements, reporting requirements and mandatory information sharing. Shared responsibility via different authorities such as BSI or BNetzA is to be simplified at the same time.
- Penalties: The sanction provisions will be expanded, with new fineable offences and higher fines. Fines range from EUR 100,000 to EUR 20 million and in some cases are linked to the total worldwide turnover of the previous business year.
- Responsibility: Managing directors can in certain cases be held personally responsible for the implementation (and "approval") of security measures in their company.
The previous CRITIS regime will be significantly expanded by the implementation of NIS2, introducing a system with multiple operator classes and different levels of obligation.
Countering the new challenges with intelligent cyber defences
The NIS2 implementation law places increased demands on CRITIS operators and operators of energy supply networks, especially with regard to the implementation of attack detection systems. This is necessary because these systems are crucial for identifying potential cyber threats at an early stage and responding accordingly.
With the "Active Cyber Defense-KRITIS" service, Allgeier secion offers your company a customised solution that reliably meets legal requirements and provides comprehensive, proactive protection of the IT infrastructure. Through a custom-fit search for suspicious activities, efficient, professional management of security incidents and, last but not least, an effective response to identified threats, Allgeier secion ensures that networks and information systems are protected against cyber attacks around the clock, 365 days a year.