EU cybersecurity reloaded: NIS 2 introduces stricter obligations in the EU
The threat posed by cybercrime is growing at an alarming rate: According to the BSI's report on the state of IT security, cybercriminals are using increasingly professional methods to exploit companies' vulnerabilities – causing major damage in the process. IT theft and industrial espionage cost Germany alone more than 200 billion euros last year. The EU is responding to this escalating threat with the new NIS 2 Directive. This considerably expands the previous legal framework and entails more stringent security requirements and reporting obligations for companies.
The discrepancy is huge: In a survey carried out in 2023, the IT association Bitkom found that two thirds of companies in Germany expect to fall victim to hacker attacks, but only 43 per cent feel equipped to deal with them. The result? Cybercrime cost the German economy more than 200 billion euros last year. Even smaller companies are increasingly being targeted by cybercriminals. In its 2023 report on the state of IT security, the Federal Office for Information Security (BSI) predicted that attacks would shift away from financially robust major corporations and towards small and medium-sized enterprises. And the problem is only getting worse as digitalisation increases. According to the 2023 update of the study "Foresight Cybersecurity Threats for 2030" by the European Union Agency for Cybersecurity (ENISA), a skills shortage and human error are currently among the top three threats, with supply chain compromise of software dependencies taking the number one spot.
NIS 2 now affects far more companies
But this problem is nothing new. To enhance cyber resilience in Europe, the European Union adopted the first version of the "Network and Information Security Directive" – NIS for short – back in 2016. Its aim is to establish a uniformly high level of security for network and information systems across the European Union. Faced with growing cyber threats, the EU has now taken further action: The NIS 2 Directive, which entered into force in January 2023, extends the existing legal framework and entails far-reaching changes and enhanced obligations for companies. The EU member states were obligated to transpose this directive into national law by 17th October 2024. In Germany, however, implementation has been delayed. Although the Federal Cabinet adopted the draft implementation act on 24th July 2024, it still has to be passed by the German Bundestag. The act is therefore not expected to come into effect for a few months. Spring 2025 is currently considered a realistic time frame for national implementation.
One of the most important updates in the NIS 2 Directive is its extended scope. While the original NIS Directive focused mainly on operators of critical infrastructure (including the energy, transport, finance, water supply and health sectors), NIS 2 lays out obligations for far more companies. Many medium-sized industrial businesses that were previously unregulated now have to put robust cybersecurity measures in place. This means that more companies than ever before have to carefully consider the issue of cybersecurity. A total of 18 sectors, categorised as "essential" and "important", are now affected. These include chemical and pharmaceutical companies for the first time. Experts estimate that around 40,000 additional companies will be affected by the new regulations in Germany alone.
Under the new NIS 2 Directive, companies are obligated to implement a number of cybersecurity measures. These include the development of a comprehensive risk management concept and the introduction of emergency plans. And that's not all – businesses also have to set up processes for rapidly reporting security incidents to the relevant supervisory authorities.
NIS 2 lays out far more stringent security requirements. Besides technical measures such as firewalls and intrusion detection systems, companies also have to take organisational measures. These include regular risk assessments, staff training and comprehensive incident management. Article 21 of the directive explicitly lists the minimum measures expected, among them policies on risk analysis and information system security, incident handling, business continuity (including backup management and crisis management), supply chain security, secure acquisition and development of systems including vulnerability handling and disclosure, basic cyber hygiene and training, the use of cryptography and encryption, access control and asset management, and multi-factor or continuous authentication. The aim is to protect the entirety of the IT systems and processes against a wide range of threats.
Another important change is the enhanced reporting obligations, which follow a staged timeline. Companies have to submit an early warning of a significant security incident to the relevant national authority within 24 hours of becoming aware of it; this early warning states whether the incident is suspected to be the result of unlawful or malicious action and whether it could have a cross-border impact. Within 72 hours, a full incident notification must follow, containing an initial assessment of the incident's severity and impact and, where available, indicators of compromise. A final report is due no later than one month after the incident notification. The directive also calls for cooperation between companies and authorities to improve the response to cyberattacks and simplify the sharing of information about threats.
High fines and risks for managers
The NIS 2 Directive also provides for stricter sanctions. Companies that do not meet the security requirements or fail to report notifiable incidents can expect to be handed significant fines. Supervisory measures range from on-site inspections through to temporarily prohibiting members of management bodies from exercising their managerial functions in the event of breaches. And that's not all – for essential entities, supervisory authorities will be able to issue fines of up to 10 million euros or 2 per cent of total worldwide annual turnover, whichever is higher; for important entities the ceiling is 7 million euros or 1.4 per cent. The act transposing the NIS 2 Directive in Germany additionally makes managers personally liable with their private assets in the event of breaches.
Implementation of the NIS 2 Directive will entail significant costs for many industrial companies. The necessary investments in IT security technologies, staff training and the introduction of new processes and systems may represent a financial burden. These costs can be a challenge for small and medium-sized enterprises in particular.
On the positive side, the NIS 2 Directive will significantly improve the cyber resilience of industrial companies. By implementing stricter security measures, businesses will be better protected against cyberattacks. In the long term, this not only helps prevent economic loss but also makes companies more trustworthy in the eyes of their customers and business partners.
Businesses that successfully implement the requirements of the NIS 2 Directive will also be more competitive. An effective cybersecurity strategy will become an even more important factor in setting companies apart from the competition. Customers and business partners prefer companies that meet high security standards and thereby minimise the risk of business disruptions and data loss.
But despite the benefits, the implementation of the NIS 2 Directive poses many challenges. The shortage of qualified cybersecurity specialists is a widespread issue. Companies must analyse their existing IT systems and processes and adapt them where necessary to meet the new requirements. This not only costs money but also takes up time and resources.
Conclusion: More positives than negatives
The introduction of the NIS 2 Directive marks an important step on the path to enhancing cybersecurity in the EU. Particularly for industrial companies and small and medium-sized enterprises, this not only represents a major challenge but also an opportunity to increase their cyber resilience. The new regulations obligate a variety of companies to implement wide-ranging technical and organisational risk management measures and establish rapid notification processes for security incidents. Although implementation of the directive may entail substantial costs, in the long term it offers the opportunity to prevent economic loss and makes companies more trustworthy in the eyes of their customers and business partners. In order to do so, however, businesses have to make major investments in their IT security infrastructure and adapt their processes to the new requirements.