NIS-2: What the new EU directive means for companies

Kai Binkowsky
A portrait of Kai Binkowsky.

The NIS-2 Directive is about to be introduced and will have a significant impact on the cybersecurity landscape in Europe. As the successor to the original NIS Directive from 2016, NIS-2 expands the scope of application and places stricter requirements on companies, especially those operating in critical sectors (CRITIS). But what does the NIS abbreviation stand for, what is NIS and what exactly does NIS mean? In addition to clarifying these questions, this article takes a look at the specific requirements associated with the new directive for the IT sector.


What is NIS-2? A definition of the term NIS.

The abbreviation NIS stands for ‘Network and Information Security Directive’. NIS is of crucial importance in IT. The EU launched the NIS Directive in 2016 to improve cybersecurity measures in critical sectors. With the introduction of the second directive, NIS-2, the requirements were tightened and extended to more sectors and companies. Anyone asking for a NIS-2 definition should know that it is essentially a revised and expanded directive designed to ensure that all relevant companies within the EU (especially in the CRITIS sector) implement robust measures to defend against cyber threats. A key objective is to eliminate inconsistencies between EU member states with regard to cybersecurity requirements.  


Which companies are affected by the NIS-2 Directive?

Two criteria determine whether a company is affected by the new directive. The first is the size of the company and the second is the sector in which the company operates. If the company has at least 50 employees and an annual turnover of at least 10 million euros, then the first criterion is fulfilled.

A total of 18 sectors were defined for the assessment of the second criterion, most of which are similar to those of the CRITIS categorisation. Sometimes it is not so easy to answer the question about the business sector. The BSI (Federal Office for Information Security in Germany) therefore offers a short questionnaire which you can use to find out in just a few steps whether your company belongs to one of the sectors concerned.

Every rule has its exceptions – including, of course, the NIS-2 directive. Therefore, some organisations must meet NIS-2 compliance regardless of their size because a cyber-attack would cause particularly great damage there. Other organisations, on the other hand, are excluded from the scope of application despite fulfilling the criteria, for example organisations in the public security sector.


What does NIS-2 mean in practice?

Companies from critical sectors such as energy, transport, water, health or finance are affected by the NIS-2 directive – but also IT services such as DNS services, telecommunications providers or internet exchange points. Cloud providers, data centres or less obvious sectors such as IT service providers or e-commerce platforms must also comply with the new directive. All of these companies must take strict security precautions, report incidents and carry out regular assessments of their systems. The EU NIS Directive also sets out clear reporting obligations to strengthen cooperation between companies and the competent national authorities.

The 18 sectors mentioned above are divided into "Essential Entities" (eleven sectors) and "Important Entities" (seven sectors or medium-sized operators of all sectors). This determines the scope of state supervision and the penalties that are due in the event of non-compliance.


NIS-2 as a competitive advantage – a head start through compliance

Supply chain management and compliance within the framework of NIS-2 are key points in the directive. This can be used as a competitive advantage: Companies that have implemented NIS-2 solidly are an attractive alternative on the market. A potential customer, who is himself obliged to comply with NIS-2, must ultimately decide in favour of the competitor that meets the high requirements of the directive.


Business Continuity Management within the framework of NIS-2

Protecting core processes and securing operations regularly emerge as the most important products to offer as a service provider. This is because NIS-2 requires companies to implement a security incident handling policy that ensures all threats are quickly recognised and reported. These measures also include employee training, the introduction of technical protection mechanisms and the continuous monitoring of IT systems. However, preventative measures that reduce the likelihood of a critical process failing are also part of the NIS-2 requirements.

With the NIS-2 directive, business continuity management is no longer just a good idea to make a company crisis-proof, but a legal requirement. Various service providers have specialised in analysing business-critical processes and provide support in the creation of emergency concepts and security guidelines.

Conclusion

NIS-2 and the future of cyber security in the EU

The EU NIS Directive in its revised form, NIS-2, represents an important step towards protecting Europe's critical infrastructures from cyberattacks. Organisations must adapt to new requirements and review their internal security processes to achieve the necessary NIS-2 compliance. For IT departments, this means handling security incidents more effectively and intensifying cooperation with the relevant authorities. IT service providers help with the implementation, for example by creating an emergency concept.


Kai Binkowsky
Kai Binkowsky
Senior Software Developer

Kai Binkowsky is a Senior Software Developer at EIKONA Logistics. As the person with technical responsibility, he is passionate about maintaining software projects.


Add a comment

Please add 4 and 1.