EU-NIS2 and Cyber Security: What Should Companies Know?

Cyber security – ensuring it presents companies with an almost insurmountable task. Yet with the rise of new technologies and cyber threats, protecting systems and data is of existential importance to them. The EU NIS2 Directive aims to increase the cyber security level of networks and information systems in the European Union. In this article, you will learn what is behind NIS2 and what requirements it imposes not only on operators of essential services (OES) and digital service providers (DSP), but also on risk management.

What is NIS2?

The NIS2 (Network and Information Systems) Directive stands for measures to ensure a high common level of security of network and information systems in the European Union. It was developed to strengthen cyber security in the EU and ensure the protection of critical infrastructures and digital service providers. NIS2 complements the existing NIS Directive and includes new provisions to address current threats and challenges in the digital world.

NIS2 is a directive and therefore does not have direct effect as binding law in the EU member states. This distinguishes it from a regulation such as the EU GDPR, which has direct effect.

NIS2 must be transposed into national law by October 2024; in Germany, an amendment to the IT Security Act 2.0 and the KRITIS Ordinance is to be expected.

Aims of NIS2

• Improving critical infrastructure protection:

NIS2 aims to strengthen the protection of sectors such as energy, transport, healthcare and finance. Companies in these sectors need to implement appropriate security measures to prevent and respond effectively to cyber threats.

• Promoting cooperation:

NIS2 is designed to foster cooperation among EU member states to share information on cyber threats and best practices.

• Increasing transparency:

NIS2 requires companies that act as digital service providers to implement security measures and report disruptions to their services to the relevant supervisory authority in the EU member state. In Germany, this is the Federal Office for Information Security (BSI).

Impacts on companies

The NIS2 directive to strengthen cyber security in the EU has significant implications for affected companies. The following points are important:

• Increased requirements for security measures:
  Companies are required to take appropriate technical and organizational measures to protect their network and information systems. These include the implementation of firewalls, intrusion detection systems and regular security audits. These measures must be based on current state-of-the–art technologies and updated at regular intervals.
• Need for continuous monitoring:
  As part of the requirements for security measures, companies are being asked to continuously monitor their network and information systems to detect potential threats early and respond appropriately. This requires the use of advanced monitoring tools and trained personnel.
• Mandatory reporting of security incidents:
  In the event of security incidents affecting company services, there is an obligation to report them very quickly to the BSI. This is intended to increase transparency and support authorities in taking appropriate measures to combat cyber threats. As a consequence, established reporting processes toward the BSI are recommended.

A direct compliance obligation for cyber risk assessments and management arises. This results in the need to screen and assess the supplier structure accordingly. The effort involved in using individual questionnaires does not appear to be scalable for either customers or their suppliers. For the audit, it is recommended to focus on the widespread certifications and attestations around IT security and to query these with the suppliers.

The ISO/IEC 27001 for Information Security Management Systems (ISMS) is very helpful as a basis.

NIS2 and ISO 27001 certifications

Many companies with ISO 27001 certification will also be upgrading to ISO 27001:2022 in the same period. Thereafter, there will presumably be synergies between the restructured and partly new ISO 27001:2022 controls and the EU NIS or the German IT Security Act, which has yet to be amended, and the KRITIS Regulation.

Experience with the EU GDPR Articles 42 et seq. on data protection certifications since 2018 shows that EU-wide data protection certifications and attestations have not yet been widely adopted.

Accordingly, in the case of NIS2 Articles 46 et seq. “European certification framework for cyber security”, it remains to be seen how such a certification framework will play out in practice in the EU member states.

Conclusion

The importance of cyber security for businesses cannot be underestimated, especially in light of current cyber threats. NIS2 represents an important development in the EU to strengthen cyber security and require companies to implement appropriate security measures.

Companies should closely examine the requirements of NIS2 to see if they are affected by the law in the relevant EU member state and ensure that they take all necessary measures to protect their systems and data from cyber attacks.