More requirements, more companies

The NIS2 Directive (Network and Information Security Directive) is an extended EU directive. It was published on December 27, 2022 and came into force on January 16, 2023. The aim of the directive is to increase cyber security for companies and organizations throughout the EU. It replaces the original NIS Directive and expands its scope and requirements.

The aim is to ensure a uniform level of security for network and information systems in the European Union and to establish a uniform register for security notifications. To this end, NIS2 – and the resulting German law – obliges companies and public institutions to implement stricter security measures, systematic risk management and better cooperation with authorities. The directive is intended to increase resilience against cyber attacks and ensure that the EU can effectively respond to digital threats by tracking trends and developments.

As an EU directive, NIS2 still has to be transposed into national law by the EU member states. In Germany, this is regulated by the “Law on the Implementation of EU NIS2 and Strengthening Cyber Security” (NIS2UmsuCG), which was initially scheduled to come into force on October 17, 2024. According to the current status, the law is not expected to be passed until the beginning of 2025.

The NIS2 directive is often seen as a superfluous bureaucratic instrument. However, the implementation of NIS2 will bring numerous advantages.

The advantages of NIS2

One of the biggest advantages of the NIS2 directive is the improvement of cyber security for companies. The implementation of stricter requirements for IT and information security increases resilience against cyber attacks. Through the regular risk assessments provided for by NIS2, companies also recognize and remedy existing vulnerabilities more quickly and effectively. Overall, this leads to a more robust security infrastructure.

Companies therefore benefit from a reduced susceptibility to security breaches. On the one hand, this guarantees the long-term stability and security of business operations. On the other hand, increased resilience to attacks also means lower costs that would be incurred for eliminating the consequences of a security incident or due to production downtimes. Many companies will have to make investments in security at the beginning. In the long term, however, these investments will pay off through higher availability.

Scope and requirements are expanding

The NIS2 directive affects a larger number of economic sectors than previous regulations. Previously, only certain sectors such as energy, transport and banking were affected. NIS2 will also include telecommunications providers, postal services and food production, for example, and will extend to facilities and companies from 18 industries. This means that the new rules will apply to around 30,000 to 40,000 companies in Germany that were not previously affected.

Another new feature of NIS2 is the significantly stricter requirements for IT and information security. NIS1 prescribed basic security measures for companies and the reporting of serious security incidents. NIS2 requires regular risk assessments and significantly stricter measures. In addition, organizations and companies are obliged to report significant incidents within 24 hours. Detailed information about security-critical incidents must then be subsequently transmitted to the authorities.

The directive also requires the training of employees on cyber security topics (“awareness”) and the implementation of emergency plans. Companies must ensure continuous monitoring and updating of their IT infrastructures.

A positive side effect will be the closer cooperation and exchange of information between national and European authorities. The bundled knowledge gained in this way will enable threats to be identified and combated at an early stage.

@-yet NIS2 consulting

NIS2 means increased security requirements and more comprehensive risk management for many companies. @-yet accompanies you, starting with a maturity level assessment. A subsequent business impact analysis serves as the basis for risk management. Step by step, the experts at @-yet develop your organization’s conformity with NIS2 on the basis of the implementation law. In addition to awareness training for the management level, @-yet supports technical and organizational measures.

Methodology of @-yet NIS2 consulting

NIS2 consulting and implementation with @-yet