NIS-2 requirements for companies: What you need to know now
With the new NIS 2 Directive, the European Union is tightening cybersecurity requirements. From October 2024, companies and organisations in the EU will be obliged to implement stricter measures to protect their IT infrastructures. The NIS-2 requirements aim to improve the resilience of critical systems against growing cyber threats and strengthen security across the EU. In this blog post, we explain what the key NIS-2 requirements are and how you can prepare your organisation for them.
What is the NIS-2 Directive?
The NIS-2 Directive (Network and Information Security) replaces the original NIS Directive of 2016 and significantly expands its scope. Companies in the energy, transport, healthcare, finance and other critical sectors are directly affected by the new NIS-2 requirements. However, numerous medium-sized and large companies in other sectors will also have to adapt, as the thresholds for affected organisations are set lower.
The most important NIS-2 requirements for companies
Companies must implement a number of measures to fulfil the requirements of the NIS-2 Directive. Here are the key points:
1. risk management and security measures
The NIS-2 Directive requires a robust risk management system that identifies, assesses and minimises cyber security risks. This includes, among other things:
- Implementation of technical measures such as firewalls, intrusion detection systems (IDS) and encryption.
- Effective patch management to close security gaps.
- Ensuring the physical and virtual security of IT systems.
2. reporting of security incidents
An essential component of the NIS-2 requirements is the early detection and reporting of security incidents. Companies must:
- Report security incidents to the relevant authorities within 24 hours of discovery.
- Provide a comprehensive report on the nature of the incident and the actions taken within 72 hours.
3. training and awareness raising
Organisations must ensure that their employees are regularly trained and informed about current cyber security risks. This includes:
- Regular training to increase security awareness.
- Dedicated training programmes for IT teams to stay up to date with the threat landscape.
4. business continuity and disaster recovery
To maintain business operations during a cyber-attack, the NIS-2 directive requires the implementation of contingency plans. These include
- Strategies to ensure business continuity (business continuity planning).
- Regular backups and disaster recovery exercises to minimise the damage caused by security incidents.
5. security of the supply chain
The NIS 2 directive places particular emphasis on security in the supply chain. Organisations must regularly review the security standards of their partners and service providers and ensure that they comply with NIS-2 requirements.
6 Governance and compliance
To ensure compliance with NIS-2 requirements, companies must define clear responsibilities and regularly check that all regulations are being adhered to. This includes:
- Appointing a team or individual responsible for NIS-2 compliance.
- Regular internal audits and reviews of security measures.
What happens if the NIS-2 requirements are not met?
The NIS-2 Directive not only tightens the security requirements, but also the penalties for non-compliance. Companies that do not fulfil the NIS-2 requirements face severe fines. They must also expect reputational damage and possible legal consequences if a security incident is attributable to a lack of security precautions.
How can companies implement the NIS-2 requirements?
Implementing the NIS-2 requirements can be a challenge for many companies. It requires a comprehensive review and adaptation of existing IT infrastructure, security policies and processes. Here are some steps you can take:
- Analyse the current security posture: conduct a thorough security assessment to identify vulnerabilities in your systems.
- Establish risk management: Develop a comprehensive risk management system that proactively addresses cybersecurity risks.
- Incident Response Plan: Ensure you have a clear plan for detecting and managing security incidents.
- Involve partners and suppliers: Work closely with your suppliers and service providers to ensure they are also compliant with NIS-2 requirements.
NIS-2 requirements Risks & opportunities for companies
The NIS-2 requirements present companies with new challenges, but also with the opportunity to fundamentally improve their cyber security strategies. Those who act early can not only fulfil legal requirements, but also strengthen the trust of customers and partners.
Have we aroused your interest in a topic?
Would you like to find out more about IT security?
Then take a look at our IAM service.
Who is affected by the NIS-2 Directive?
The NIS-2 Directive has significantly expanded its scope compared to the original NIS Directive. The new requirements no longer only apply to critical infrastructure, but affect a much broader range of companies and organisations across the EU. The aim is to increase cyber security in all important sectors and create a common security basis. Here is an overview of which companies are affected by the NIS-2 requirements:
1. Critical infrastructures
As with the first NIS Directive, the NIS-2 Directive continues to focus on companies that are considered ‘critical infrastructure operators’ (CI). These include sectors such as:
- Energy: electricity producers, gas suppliers and grid operators.
- Transport: Operators of airports, ports, railways and road transport companies.
- Healthcare: Hospitals, laboratories and pharmaceutical companies.
- Finance: Banks, stock exchanges and payment service providers.
- Drinking water supply: Operators of water supply networks and wastewater treatment plants.
2. Important sectors
In addition to critical infrastructures, the NIS-2 Directive also covers numerous important sectors that were not previously regulated to the same extent. Companies from these sectors are now also obliged to fulfil the strict cybersecurity requirements. These include, among others:
- Information and communication technologies (ICT): providers of cloud services, data centres and platform services such as social networks or search engines.
- Postal and courier services: companies responsible for the secure transport of data and goods
- Food industry: Companies involved in the production, processing and distribution of food.
- Manufacturers of certain products: Especially those that are essential to other critical infrastructures (e.g. electronics or engineering companies).
3. digital service providers
A particular focus of the NIS-2 Directive is on digital service providers, which play a crucial role in the modern economy. Companies that provide essential IT and online services must fulfil strict security requirements. The companies affected include
- Providers of online marketplaces and digital platforms.
- Cloud service providers and companies that host or manage IT infrastructures.
- Providers of DNS services and network services that are central to the functioning of the internet.
4. medium and large companies
An important change compared to the original NIS Directive is the lowering of the thresholds for the organisations concerned. The NIS-2 requirements now also cover many medium-sized and large companies, even if they are not considered operators of critical infrastructure. This mainly affects companies that:
- Employ more than 50 employees.
- Have an annual turnover of more than 10 million euros.
This means that the NIS-2 Directive no longer only affects large corporations, but also a large number of small and medium-sized enterprises (SMEs), which were previously less heavily regulated.
5. supply chains and third-party providers
A key aspect of the NIS-2 directive is to strengthen cyber security throughout the supply chain. Companies that work with critical or important sectors must ensure that their service providers and suppliers also comply with high security standards. This concerns, for example:
- IT service providers and system integrators who implement security solutions for other companies.
- Suppliers and partners in production, logistics or IT infrastructure.
