The Most Important Points from the NIS2 Directive

What is NIS2?

The European directive NIS2 makes it mandatory to strengthen the cyber resilience of critical and important companies. A large group of people are now obliged to ward off attacks without being directly affected: companies that are part of a supply chain must also comply with the guidelines. However, if rules are disregarded, fines can be imposed.

Companies face a challenge when it comes to protecting themselves against cyber attacks. The digitalization of the market and the opportunities it offers increase the risk of cyber attacks being successful. Companies must therefore take comprehensive measures to protect themselves. These include constantly revising cybersecurity standard procedures and raising employee awareness of the potential risks.

Which Companies Need to Implement NIS2?

The European Union ensures that critical organizations and companies in its member states are better protected and can withstand attacks. In 2016, it issued the NIS1 directive ("Network and Information Security") with strict security regulations.

The new NIS2 Directive has been in force throughout the EU since January 2023 and replaces the old one. This has significantly expanded the group of affected companies and, in addition to critical infrastructure, also includes important industries and, under certain conditions, smaller companies that operate as suppliers.

The EU divides companies affected by NIS2 directives into two categories: "Essential" and "Important". Companies designated as "Essential" were named in the first version of the NIS regulations, but in the new version the category includes more classes. The second group of important organizations is redefined. Companies that have at least 50 employees and an annual turnover of over 10 million euros are directly affected:

• KRITIS businesses are a particularly essential category of organizations. Protecting them from negative effects is the duty and responsibility of the authorities. Their failure would have serious consequences for the state community. That is why NIS2 defines eleven areas to which KRITIS companies belong: Energy and water supply, transportation, finance and banking, healthcare and public administration. These sectors have a major impact on national security and must be protected accordingly.
• Organizations in which seven sectors are considered particularly important: Postal and courier services, waste, food, chemicals, digital services (for example search engines, online marketplaces, cloud services, social networks), industry (for example manufacturing of machinery, vehicles and data processing equipment) and research.

NIS2 May also be Mandatory for Small Companies

NIS2 is not normally relevant for companies with fewer than 50 employees and an annual turnover of up to ten million euros. However, there are exceptional cases where company size is irrelevant. Providers of DNS services, TLD name registries and public electronic communications networks and services must comply with the NIS2 requirements.

Medium-sized and small companies can also be the target of attacks if they supply services or materials to companies directly affected by the new EU Cybersecurity Regulation. In some cases, they often need to take the same measures in terms of security systems to protect themselves from breaches of the regulation. For example, a car manufacturer may require its suppliers to implement certain cybersecurity techniques or procedures to avoid falling foul of EU directives.

The Implementation of NIS2

Organizations covered by the NIS2 directive must implement appropriate and proportionate techniques, procedures and measures to reduce the security risks to their network and information systems and to minimize the potential impact of security incidents on recipients of their services and other services. They must also continuously assess their network and information systems to ensure security at all times.

The directive specifies various areas and measures that must be complied with as a minimum, including

• Developing concepts and procedures for risk analysis and security in information systems
• Establishing measures to deal with security incidents
• Creating a backup management and disaster recovery plan and implementing crisis management
• Ensuring security with direct vendors and service providers
• Developing strategies to disclose security vulnerabilities
• Training employees in the area of cyber security
• Implementing cryptography and encryption procedures

Organizations should make all of the above preparations as far as possible when adopting NIS2. Key steps include:

• Developing risk analysis and security policies for all information systems
• Assessing their own risk management
• Implementing a procedure for handling security incidents
• Setting up backup and crisis management systems
• Establishment of a reporting system
• Training employees in the area of cyber security
• Ensuring the security of the supply chain, including direct suppliers and service providers.

turingpoint's ISMS Portfolio

We can help you meet regulatory requirements and enhance your organization's operational security with various frameworks.

Our design options:

ISMS according to ISO/IEC27001:2022

ISMS according to the NIST framework

Custom ISMS