Prepare for the New Security Requirements in NIS-2

Preparing Your Company for NIS 2 Implementation and Compliance

Preparing your company for the NIS 2 Directive involves a comprehensive approach to cybersecurity compliance, focusing on key areas such as risk management and incident response plans. As the European Union tightens regulations, businesses must prioritise aligning their IT security frameworks with the updated requirements of the Network and Information Security Directive. This includes understanding the reporting obligations to Computer Security Incident Response Teams (CSIRTs) and adhering to compliance standards that the Federal Office for Information Security (BSI) might mandate.

Organisations must also be aware of potential sanctions and fines associated with non-compliance. By implementing robust cybersecurity strategies, companies can protect critical infrastructures effectively. Prioritising these steps will ensure your business is not only compliant but also resilient against emerging cyber threats in the rapidly evolving digital landscape.

NIS 2 Overview: What Companies Need to Know

  • The NIS 2 Directive, a comprehensive cybersecurity measure of the European Union, aims to raise security standards for critical infrastructures and important companies. Since coming into effect on January 16, 2023, the NIS 2 Directive sets new benchmarks in cybersecurity within the EU. With a deadline of October 17, 2024, for implementation into national law, affected organisations face a significant challenge.
  • This overview deals in detail with the requirements of the NIS 2 Directive and offers companies a clear roadmap for implementing the necessary security precautions in a timely manner. Companies must now actively engage with the requirements to avoid potential penalties for non-compliance with the directive.
  • Learn all about the affected companies, recommended actions, and deadlines, as well as the consequences of non-compliance. Our comprehensive analysis provides you with the crucial information to prepare your company for the requirements of the NIS 2 Directive and strengthen cyber resilience in an increasingly digitalised world.

For companies, it is essential to follow stricter security guidelines, as a security breach could have severe consequences, up to the paralysis of entire nation-states. The NIS 2 Directive aims to standardise and specify these security regulations to improve the resilience and responsiveness of both public and private entities within the EU. The overarching goal is to raise the general level of cybersecurity throughout the European Union. This initiative builds on the Network and Information Security Directive (NIS-1) implemented in 2016 and strives to continue and deepen its objectives.

Is a Revision of the NIS 1 Directive Necessary?

The original EU Directive on Network and Information Security (NIS) showed significant weaknesses in practice:

  • Inconsistent regulations across borders
  • Lack of monitoring of implementation
  • Vague requirements for disclosing cyber risks
  • Insufficient level of security
  • The absence of a common strategy for crisis situations

The introduction of the NIS 2 Directive aims to address these issues. It precisely defines which organisations are considered critical infrastructures and to which sector they belong. Furthermore, NIS 2 expands the circle of affected companies, introduces new obligations, foresees stricter penalties, and strengthens the approach in risk management.

Key innovations include clear guidelines on procedures, content, and deadlines for reporting security incidents, as well as on their implementation, monitoring, and enforcement in national law. Moreover, NIS 2 promotes cooperation between private and public entities in crisis situations through the formation of national emergency response teams (Computer Security Incident Response Teams, CSIRTs) and the establishment of coordinated incident response plans.

The full text of the NIS 2 Directive and its implementations can be found in the Official Journal of the European Union.

Which Companies Must Comply with the NIS 2 Directive?

The NIS 2 Directive affects a wide range of companies that are essential for maintaining important societal and economic activities. Here is a brief overview of who is impacted by the new NIS 2 regulations:

  • Essential Services Operators: This group must determine to what extent individual facilities are subject to the directive’s regulations. They do this based on specific criteria for identifying the relevance of their facilities.
  • Centrally Important and Important Facilities: These are mainly identified through the size of the company, with both medium-sized and large companies being affected. Medium-sized companies have two qualification paths: 1. companies with 50 to 249 employees and a turnover of less than 50 million EUR or a balance sheet total of less than 43 million EUR; or 2. companies with fewer than 50 employees but a turnover of between 10 and 50 million EUR and a balance sheet total of between 10 and 43 million EUR.
  • Large companies: Organisations that meet one of the following criteria: 1. at least 250 employees; or 2. a turnover of at least 50 million EUR and a balance sheet total of at least 43 million EUR.

NIS 2 Guidelines Also Apply to Small Companies

Even if your company has fewer than 50 employees and less than 10 million euros in annual turnover, don’t be lulled into a false sense of security too early. Small companies can still be affected if they fall within the criteria for (particularly) critical facilities described above.

If you are unsure whether your company belongs to the critical facilities under NIS 2, don’t wait for mail – each affected company must determine this on its own initiative.

If your company is, for example, a service provider or supplier for a particularly critical company, your company is automatically classified as critical as well and must likewise comply with strict security precautions.

Particularly Critical Facilities (“Sectors of High Criticality” Annex I):

  • Energy: Electricity, district heating and cooling, oil, natural gas, hydrogen
  • Transport: Air transport, rail transport, maritime transport, road transport
  • Banking
  • Financial market infrastructures
  • Healthcare
  • Drinking water
  • Wastewater
  • Digital infrastructure
  • Management of ICT services (Information and Communication Technology services, B2B)
  • Public administration
  • Space

Other Critical Facilities (“Other Critical Sectors” Annex II):

  • Postal and courier services
  • Waste management
  • Production, manufacturing, and trade of chemical substances
  • Production, processing, and distribution of food
  • Manufacturing sector/Manufacture of goods: Manufacture of medical devices and in vitro diagnostics / Manufacture of computer, electronic and optical products / Manufacture of electrical equipment / Mechanical engineering / Manufacture of motor vehicles and motor vehicle parts / Other vehicle construction
  • Providers of digital services
  • Research

NIS 2 Implementation Act and the Associated Corporate Obligations

Since September 2023, the third draft of the Act for the Implementation of the EU Directive NIS2 and the Promotion of Cyber Security, known as NIS2 Implementation Act (NIS2UmsuCG), has been under discussion. This act obligates companies to proactively deal with security incidents in the field of information technology. Affected organisations must provide the Federal Office for Information Security (BSI) with comprehensive reports in the event of a security incident. Security incidents are defined as events that either compromise the integrity of stored, transmitted, or processed data or affect the availability or functionality of corresponding services provided or made accessible through IT systems, components, and processes.

This overview highlights the importance of complying with the NIS2 Implementation Act and the associated obligations for companies to strengthen their cybersecurity infrastructure and respond effectively to security incidents.

Specifically, it addresses the impairment of

  • Availability
  • Authenticity
  • Integrity or
  • Confidentiality of the affected data or services

Ensuring IT Security and NIS 2 Compliance with Reporting Obligations

Companies operating relevant systems must implement effective technical and organisational measures (TOM) to ensure their IT security. The following basic measures are expected to be taken:

  • Risk analysis and security for IT systems
  • Handling of security incidents
  • Maintenance and restoration as well as backup management
  • Supply chain security, including security of the relationships between facilities and their service providers
  • Security in development, procurement, and maintenance as well as vulnerability management
  • Evaluation of the effectiveness of IT security and corresponding risk management
  • Training on IT security and cyber hygiene
  • Encryption and cryptography
  • Personnel security, access control, and facility management
  • Multi-factor authentication
  • Secure communication
  • Crisis management and secure emergency communication

Reporting Obligation for Companies

In the event of a security incident, the impacted company is subject to an intensified reporting obligation. There are three steps:

  1. Within 24 hours of becoming aware of a security incident, a preliminary report must be submitted to the BSI.
  2. Within 72 hours, a complete report with an initial assessment of the incident must follow.
  3. Within one month, a final report must follow, detailing the incident and the nature of the threat and including cross-border effects.

Understanding the Risks of Non-Compliance: NIS 2 Sanctions & Fines

To ensure compliance with strict regulations by affected organisations, increased reporting obligations and stricter sanctions are applied in case of non-compliance. Summary of the sanction rules:

  • Fines follow a tiered model of up to 20 million euros
  • Sanctions are imposed for both negligent and intentional fault
  • For important facilities, a maximum fine of 7 million euros or 1.4 percent of the global annual turnover can be imposed
  • For particularly critical facilities, fines can go up to 10 million euros or 2 percent of the global annual turnover, whichever is higher
  • No distinction is made between particularly important facilities and critical infrastructures

Note: Managing directors and their personal assets are liable.

The draft bill from the Federal Ministry of the Interior proposes that managing directors and other executive bodies of companies are liable with their private assets for complying with risk management measures. The fine can be up to 2 percent of the global annual turnover.

When Does NIS 2 Directive Become Effective?

The new Directive 2022/2555 (NIS 2) has been effective at the EU level since 2023, but the individual states must implement the directive into national law by October 17, 2024 – by then, companies must also have taken appropriate measures.

Strategies for Implementing NIS 2 Compliance in Your Company

Effective implementation of NIS 2 compliance in your company begins with a thorough assessment of current cybersecurity measures and identifying gaps in relation to the new NIS 2 Directive requirements. Companies must prioritise establishing robust incident response plans to cater to potential threats to critical infrastructures, as per European Union guidelines. Leveraging insights from the Federal Office for Information Security (BSI) and consulting with Computer Security Incident Response Teams (CSIRTs) can enhance your IT security framework. Adhering to mandatory reporting obligations and fostering a culture of proactive risk management are key to avoiding sanctions and fines. Consider integrating advanced solutions like Kiteworks to streamline compliance processes and protect your digital assets. By actively addressing these areas, your company can achieve NIS 2 compliance and safeguard its operations against evolving cybersecurity threats. Here are some additional considerations for ensuring you’re ready for NIS 2:

  • Check if your company is affected by NIS 2 and is considered a critical entity
  • If your company is affected, inform the management and determine who is responsible for implementing the corresponding measures
  • Plan and implement the necessary measures to ensure cybersecurity and risk management
  • Create an emergency plan for security incidents including business continuity, backup management, system recovery, and crisis management
  • Establish a reporting procedure and determine the responsible parties

Kiteworks Helps Organisations Comply with NIS 2 Requirements

Complying with the NIS 2 Directive is crucial for organisations to ensure cybersecurity and build trust. A checklist helps IT departments ensure compliance by defining the scope of the directive, assessing risks, creating an Incident Response Plan, ensuring continuous monitoring and maintenance, training employees, and maintaining documentation and reporting. NIS 2 compliance is a legal necessity and an opportunity to increase resilience against cyber threats. Kiteworks supports companies with a platform that facilitates compliance with NIS 2 guidelines by providing a Zero-Trust approach to protecting and managing sensitive information.

To learn more about secure compliance with NIS 2 requirements with Kiteworks, schedule a personalised demo today.
