On November 10, 2022, the European Parliament in Brussels approved the draft for the revised Network and Information Systems Security Directive (NIS2). The new directive is intended to better protect European network and information systems from hacker attacks. Once the directive becomes law as new legislation, all 27 EU member states must incorporate the requirements into national law.
This blog article answers these questions:
NIS is the “EU Network and Information Security Directive”. The directive, established in 2016, was the central measure of the European cyber security strategy. It was intended to ensure a high common level of security for network and information systems in the EU. The NIS was the first EU-wide cybersecurity legislation designed to protect critical infrastructure (CRITIS), in particular, from hacking attacks.
The directive enhanced existing cybersecurity capabilities at the national level by requiring EU members to establish state security strategies and designate appropriate authorities. It also created minimum requirements and reporting obligations for seven sectors (energy, transport, banking, financial market infrastructures, healthcare, drinking water supply and digital infrastructures) and three digital service sectors (online marketplaces, online search engines and cloud computing services). In Germany, the NIS directive was implemented in 2017 with, among other things, the IT Security Act, which has since been superseded by the IT Security Act 2.0.
The implementation of the Europe-wide directive did strengthen cybersecurity capabilities and cooperation between member states. But the NIS directive was too abstract in parts: it lacked specific cyber risk disclosure requirements and did not monitor implementation in the member states. Other weaknesses also became apparent, such as too low a level of cyber resilience among companies and member states and too weak a common crisis response.
With the draft on NIS2, which the European Parliament has now adopted, the EU aims to take into account the threat situation, which the COVID-19 crisis has exacerbated, and the growing requirements in cyberspace. To this end, the current legal framework has been modernized and expanded.
The original NIS Directive mainly covered critical sectors. NIS2 therefore adds further sectors, divided into essential and important sectors. These include public administration, providers of public electronic communications networks and services, waste management, aerospace, critical products (e.g., pharmaceuticals, medical devices, chemicals), postal and courier services, agri-food chains, and additional digital service platforms (e.g., data centers and social networks).
These size criteria will determine whether the new framework regulates companies:
In addition, there are areas affected regardless of thresholds or other assessment bases. These include electronic communications providers, national monopolies that are particularly important or operate across borders, and public administration.
Small and micro enterprises are unlikely to be affected by the EU NIS2 directive. However, selected companies may have to address cyber security risks in their supply chains, and this is where small and micro businesses are mentioned. Depending on whether they are involved in supply chains of essential entities, they may fall within the scope despite falling short of the minimum requirements.
In addition to expanding the target group from critical to essential and important sectors, the regulations for supervisory measures, cooperation and collaboration, and the requirements for risk management have been tightened. With NIS2, companies must have a risk management concept by including basic security elements. There are explicit provisions on cyber incident reporting procedures, the content of reports and deadlines.
The minimum requirements include the following cybersecurity measures, among others:
European and international standards also play a role. Significant security incidents must be reported to the authority within 24 hours, as with the GDPR. A more comprehensive assessment is due after 72 hours.
To ensure that the extensive obligations and reporting requirements are adequately met, national authorities must apply strict oversight and enforcement measures. These supervisory measures include, for example, evidence requirements, regular and random audits, security scans or file inspections.
If the required compliance rules are not met, regulators can issue public warnings, revoke operating licenses, or hold governing bodies personally liable. In addition, if companies and institutions violate the prescribed measures, heavy fines and severe sanctions can be imposed. This can involve fines of at least ten million euros in essential sectors and up to seven million euros in important sectors.
The ratification process has not yet been completed. The NIS2 bill, already agreed upon between Parliament and Council in May 2022, was approved by MEPs on November 10, 2022. Following this parliamentary approval, the EU Council must also formally adopt the law before it is published in the Official Journal of the EU and enters into force. This could even still be the case in 2022. However, it is more likely that the law will enter into force in 2023. Once it has been adopted in the EU, the member states must transpose the regulations into national law through their legislation within 21 months.
In Germany, some of the changes in NIS2, such as new sectors, more cybersecurity requirements and sanctions, were already anticipated by the IT Security Act 2.0 in 2021. At the same time, however, some elements, such as the criteria that determine whether an individual company is affected, are still missing, so further adjustments through corresponding amendments to the law are pending. Until then, all obligations under the NIS Directive and the corresponding national regulations remain in force.
Dutch MEP Bart Groothuis has said this European directive will help around 160,000 companies increase their security and make Europe a safer place to live and work. In his opinion, the EU NIS2 directive is the best cybersecurity legislation Europe has ever seen. But what does this mean for businesses? What measures need to be taken?
The main innovations in the regulations relate to active risk management, the extension to more companies and the framework for action by supervisory authorities. This means that, as a first step, all institutions and organizations must conduct sound risk analyses: How likely are cyber incidents, how big is their impact, and what organizational and technical measures must be implemented to respond adequately to the risk?
The minimum cybersecurity strategy requirements in the NIS2 directive provide more than just guidance. They also require companies to report significant cybersecurity incidents. And they must do so as soon as possible. The notification will then be followed by a comprehensive and final report when the incident has been remediated and internal measures have been completed.
The revised Network and Information Systems Security Directive (NIS2) poses significant challenges for companies, institutions and organizations of all sizes. Companies should act and prepare now to avoid falling behind and stay ahead of the regulatory curve.
That’s because the current geopolitical situation has fundamentally changed the global cyber landscape. This is the conclusion of this year’s European Union Cybersecurity Report, published by the cybersecurity agency ENISA in October 2022. In addition, cyber offenses such as ransomware and phishing are considered the biggest threat by police officers worldwide, according to Interpol’s Global Crime Trend Report.
Under these conditions, the threat level remains high, and it is not so much a question of if companies will be attacked, but when. This threat situation, critical in itself, is compounded by an enormous shortage of skilled workers. According to the World Economic Forum, there is a worldwide shortage of around three million cybersecurity experts.
The combination of ever-increasing cyber threats, more assets to protect, and a lack of IT security expertise creates a toxic situation that requires smart, technological solutions. In this context, it is important to keep an eye on all security-relevant areas. After all, cybersecurity has long since ceased to be a purely IT issue and now also affects operational technology (OT), for example in Industry 4.0.
At Link11, we address these challenges with AI-supported, automated and cloud-based DDoS protection. This enables enterprises, government agencies, and KRITIS operators to address skills shortages, avert serious consequences of cyber incidents, and easily implement regulatory innovations. Link11 DDoS defence is the foundation for any comprehensive IT security strategy.
Take a proactive approach and occupy the pole position. We’ll happily explain how you can use the challenge as your opportunity.
Contact us at any time for a personal consultation.