Part 1
The Network and Information Systems Security Directive (NIS2) is a major extension of European cybersecurity legislation, which aims to ensure a high common level of security for network and information systems across the European Union. This directive is an update of the original 2016 NIS Directive and brings significant innovations and enhancements aimed at strengthening resilience to cyber threats and improving cross-border cooperation.
The focus of NIS2 is on significantly expanding its scope. Previously, only operators of critical infrastructures, providers of digital services and companies in the special public interest were affected. With the categories of entities specified by the NIS-2 Directive, approximately 30,000 additional companies based in the Federal Republic of Germany are now affected, in addition to the operators of critical infrastructures. These entities are obliged to implement comprehensive technical and organizational measures in the area of information and cyber security. In addition, they must fulfill notification and reporting requirements in the event of a cyber attack.
The liability rules, especially for the management of the affected organizations, are also being tightened. If the companies covered by the legislation do not fulfill the corresponding obligations, or do not fulfill them in a timely or complete manner, they face heavy fines.
The update also reflects the changing cybersecurity landscape and the need to take adaptive measures against increasingly complex and diverse threats. With the introduction of NIS2, the EU is responding to the urgent need to secure both the physical and digital infrastructure that forms the backbone of our society and economy.
For IT security managers, NIS2 presents both challenges and opportunities. The directive not only requires compliance with minimum security measures, but also promotes a culture of continuous improvement and awareness of cybersecurity. Understanding and implementing this directive is therefore crucial to ensuring the future viability and resilience of European businesses in an increasingly interconnected world.
1. NIS2 Definitions and Classifications
The NIS2 sectors are defined in Appendices 1 and 2 of the NIS-2 government draft and further subdivided into “important” and “essential” entities.
Both important and essential entities are required by NIS2 to take appropriate, proportionate and effective technical and organizational measures to prevent disruptions to the availability, integrity and confidentiality of information technology systems, components and processes and to minimize the impact of security incidents.
In addition to the NIS2 sectors, the sectors of critical infrastructure will also remain in place. KRITIS operators with identified critical facilities will remain regulated accordingly and will receive further requirements from the NIS2 directive.
Important entities
Important entities are businesses or organizations that provide essential services, the disruption of which would have a serious, but not necessarily catastrophic, impact on public welfare or the economy. This classification carries with it specific security and notification requirements that are designed to ensure that these entities take appropriate protective measures against cyber threats.
Important entities include:
Trust service providers.
Providers of publicly available telecommunications services or public telecommunications network operators that a) have fewer than 50 employees and b) have an annual turnover and an annual balance sheet total of 10 million euros or less.
Entities of a type listed in Annexes 1 and 2 of the NIS-2 government draft that have a) at least 50 employees or b) an annual turnover and an annual balance sheet total of more than 10 million euros.
Essential entities
Essential entities are those whose impairment could lead to serious, nationwide or cross-industry crises. These entities are subject to the strictest provisions of the NIS2 Directive, including rigorous security audits and ongoing monitoring.
Essential entities include:
Operators of critical facilities.
Qualified trust service providers, top-level domain name registries or DNS service providers.
Providers of publicly available telecommunications services or operators of public telecommunications networks that a) employ at least 50 employees or b) have an annual turnover and an annual balance sheet total of more than 10 million euros each.
Entities of a type listed in Appendix 1 of the NIS-2 government draft that have at least 250 employees or an annual turnover of more than 50 million euros and an annual balance sheet total of more than 43 million euros.
Operators of critical facilities
A facility is critical if it can be assigned to the energy, transport and traffic, finance and insurance, health, water, nutrition, information technology and telecommunications, space or municipal waste disposal sectors and exceeds specified thresholds.
The sectors for critical infrastructure operators are defined separately from the facilities and are defined in both the NIS-2 Directive and the KRITIS umbrella law. Critical facilities are those whose failure or impairment could have a significant impact on the security of supply or public safety. Some of the critical services and facilities still have to be defined in an ordinance. The KRITIS umbrella law is still in the works. Thresholds for critical facilities are defined in the “Ordinance on the Determination of Critical Infrastructure under the BSI Act” BSI-KritisV.
Operators of critical facilities are classified as essential entities, regardless of the size of their business.
❗️ Companies are responsible for identifying critical infrastructure and determining whether they are affected as NIS2 entities.
Use our NIS-2 assistant to check to what extent you are affected by NIS 2 or whether you are an operator of critical infrastructure and learn more about your obligations and possible fines for non-compliance.
2. Requirements of the NIS2 Directive
The requirements are specifically designed to increase resilience to cyber attacks and to ensure a rapid and effective response in the event of a security incident.
Since the requirements depend on the company's risk profile, operators of critical infrastructure are subject to higher obligations and security requirements, which are not considered in the following. The same applies to companies that are already regulated by DORA or the TKG; NIS2 contains exceptions that take such multiple regulation into account. In addition, there are many exceptions and deviating regulations, particularly in the IT sector, which are also not considered in the following.
However, these exceptions and special regulations are taken into account in our NIS-2 Assistant.
Registration requirements:
Important and particularly important entities must register. Registration is carried out via a registration option set up jointly by the Federal Office (BSI) and the Federal Office for Civil Protection and Disaster Assistance.
The registration includes basic information such as the name, contact details and sector of the entity.
Minimum requirements for risk management measures:
The measures should comply with the state of the art, take into account the relevant European and international standards and must be based on an approach that covers all hazards.
Concepts relating to risk analysis and information technology security.
Management of security incidents.
Maintaining operations, such as backup management and disaster recovery, and crisis management.
Security of the supply chain, including security-related aspects of the relationships between the individual entities and their direct providers or service providers.
Security measures for the acquisition, development and maintenance of information technology systems, components and processes, including management and disclosure of vulnerabilities.
Concepts and procedures for evaluating the effectiveness of risk management measures in the area of information security.
Basic procedures in the area of cyber hygiene and training in the area of information security.
Concepts and procedures for the use of cryptography and encryption.
Security of personnel, concepts for access control and for the management of entities.
Use of multi-factor authentication or continuous authentication solutions, secure voice, video and text communication, and, where appropriate, secure emergency communication systems within the facility.
3. Reporting requirements:
Essential entities and important entities are obliged by the NIS2 regulation to report significant security incidents immediately and to inform the recipients of their services about such incidents. The Federal Office for Information Security (BSI) offers feedback and support in dealing with the incidents.
Initial report within 24 hours of becoming aware of the incident.
Update of the report within 72 hours of becoming aware of the incident.
Interim report at the request of the Federal Office.
Final report no later than one month after submission of the report of the security incident.
Duty to inform
The company must immediately inform the recipients of its services about significant security incidents that could affect the provision of the respective service. This information can also be provided by publishing it on the institution's website.
Duties for managing directors:
Approval and monitoring obligation: The management of particularly important institutions and important institutions is obliged to approve the risk management measures to be taken by these institutions in accordance with Section 30 and to monitor their implementation.
Claims for compensation by the company against the management: Managements that violate their obligations under paragraph 1 are liable to their institution for any culpably caused damage in accordance with the rules of company law applicable to the legal form of the institution. Liability under this Act applies only to the extent that the company law provisions applicable to the institution contain no liability provisions of their own.
Training requirement: The management boards must regularly attend training courses in order to acquire sufficient knowledge and skills to identify and assess risks and risk management practices in the area of information technology security, as well as to assess the impact of risks and risk management practices on the services provided by the institution.
Enforcement measures and BSI supervision
The BSI can verify compliance with the obligations of important and particularly important entities.
The following enforcement measures can be taken, for example:
Ordering audits, inspections or certifications.
Defining technical and organizational requirements.
Ordering measures to prevent or remedy a security incident.
Providing information about cyber threats.
Publicly disclosing violations.
Reporting to the relevant supervisory authority.
Suspending the license and prohibiting the activity.
Fine regulations
Fines for important entities: between €100,000 and €7 million (or up to 1.4 percent of annual turnover), depending on the infringement.
Fines for essential entities: between €100,000 and €10 million (or up to 2 percent of annual turnover), depending on the infringement.
These fines are individually addressed in detail in our NIS-2 Assistant.
Outlook:
Part 2: Planning and implementation of the NIS2 guideline