NIS2 – the future of cybersecurity in the EU: what companies need to know now
What is NIS2?
The EU first introduced cybersecurity regulations of this kind in 2016 with the original Network and Information Security (NIS) Directive; NIS2 is the updated version of that directive. It aims to ensure a higher level of cybersecurity in the member states while strengthening cooperation between EU countries on cybersecurity incidents. NIS2 updates the existing legal framework to keep pace with growing digitalization and a changing threat landscape, building on the first directive and reflecting the increasing threats in the digital space.
What regulations does NIS2 contain and who does it affect?
The NIS2 Directive, officially known as Directive (EU) 2022/2555, sets out legal measures to increase the overall level of cybersecurity in the European Union. It ensures that member states are adequately prepared, for example by requiring the establishment of a Computer Security Incident Response Team (CSIRT) and a competent national authority for network and information systems (NIS). It also promotes cooperation between member states by setting up a cooperation group to support strategic cooperation and information sharing.
The NIS2 directive aims to establish a security culture in all key sectors that depend heavily on information and communication technologies (ICT) and, above all, aims to ensure that critical and important companies, especially in key sectors, are better protected against cyberattacks. These sectors include energy, transport, water, banking, financial market infrastructures, healthcare and digital infrastructure. Companies that meet certain criteria and are classified by member states as operators of essential services must take and implement appropriate security measures. They must also report serious security incidents to the national authorities. Likewise, key providers of digital services, including search engines, cloud computing services and online marketplaces, are required to comply with the security and notification requirements of the directive.
When does NIS2 come into force?
In January 2023, the EU-wide NIS2 directive came into force, replacing the cybersecurity regulations introduced in 2016 with a stricter version.
Companies affected by NIS2 will have to implement strict security measures from fall 2024. These include stronger defenses against cyberattacks, compliance with specific security standards and ensuring that their systems are always kept up to date using the latest technology. There are also reporting obligations in the event of security incidents.
What impact does NIS2 have on companies?
The aim of the directive is to strengthen the cyber resilience of critical and important companies. Compared to the previous directive, the requirements now extend to a much larger number of companies, including, indirectly, companies that are affected only because they are part of a supply chain.
The directive has a significant impact on these companies, especially those in key sectors. The need to implement robust security measures may result in additional costs, but at the same time it provides a clear framework for protection against cyber threats. Companies should review their current security practices to ensure they meet the new standards and make adjustments where necessary. Violations of the NIS2 regulations can result in high penalties.
What are the consequences for your company?
Overall, NIS2 represents a significant step forward for the EU in the area of cybersecurity. The directive will undoubtedly help to strengthen the resilience of digital infrastructures and promote cooperation between member states. Companies affected by NIS2 should be proactive: they should ensure that they comply with the directive, adapt their systems to its requirements and adequately protect their digital assets against cyberattacks during the transition period until fall 2024 in order to avoid potential sanctions. Customer Identity & Access Management solutions such as cidaas can help you with this.