NIS 2 Directive: IT security requirements

The NIS 2 Directive is the European legal framework that defines common cybersecurity criteria across the European Union. It defines two categories of affected entities: essential entities and important entities.

On this page you will find everything you need to know about NIS 2.

What is the NIS 2 Directive?

The EU Directive NIS 2 ("The Network and Information Security Directive") is the successor of the first NIS Directive of 2016 on the security of network and information systems. While the main objective of NIS was to define common security measures, mainly for Operators of Essential Services (OES) and Digital Service Providers (DSPs), the NIS 2 Directive extends the cybersecurity requirements to a much larger number of companies, divided into essential and important sectors.

The NIS 2 Directive goes further than the former NIS, introducing more stringent supervision and enforcement methods. It encourages cooperation between Member States to prevent, contain and react to major cybersecurity incidents. It also includes strict risk management requirements with a list of focused measures for different aspects, such as policies and procedures to assess the effectiveness of cybersecurity risk management measures, basic cyber hygiene practices and cybersecurity training, the effective use of cryptography, human resource security, access control policies and asset management.

NIS 2: Essential & important facilities

NIS 2 defines 18 affected sectors in Annexes I and II of the EU Directive. The affected organisations are divided into essential (particularly important) and important facilities as follows:

Essential facilities

  • Companies with 250 or more employees, or
  • Companies with a turnover of over EUR 50 million and a balance sheet total of over EUR 43 million
  • Operators of critical infrastructures (KRITIS operators)
  • Special cases, e.g. qualified trust services, DNS or telecommunications providers

Sectors affected:

  • Energy
  • Transportation
  • Banking (own compliance framework, DORA)
  • Financial market infrastructures
  • Healthcare
  • Drinking water
  • Wastewater
  • Digital infrastructure
  • Management of ICT services (B2B)
  • Public administration at national and regional levels, as defined by each Member State
  • Space

Important facilities

  • Companies with 50 or more employees, or
  • Companies with a turnover of more than EUR 10 million and a balance sheet total of more than EUR 10 million
  • Special facilities, e.g. trust services

Sectors affected:

  • Postal & courier services
  • Waste management
  • Chemicals (production, manufacture and trade)
  • Food (production, processing and distribution)
  • Manufacturing industry/production of goods
  • Providers of digital services
  • Research


NIS 2 requirements that affected companies must implement

According to the NIS 2 Directive, affected companies must implement at least the following measures to increase their resilience to attacks and to prevent security incidents as far as possible or minimize their impact:

  • Risk management: monitoring of measures to minimize cyber risks
  • Effectiveness: concepts and procedures for evaluating the effectiveness of risk management measures
  • Management responsibility: ensuring the implementation of the legal requirements
  • Supply chain: reliability of the supply chain
  • Policies: concepts for risk analysis and for the security of information systems
  • Training courses: cyber hygiene and training in the area of cyber security
  • Incident management: prevention, detection and handling of security incidents
  • Cryptography: concepts and procedures for the use of cryptography and, where applicable, encryption
  • Purchasing: security measures for the acquisition, development and maintenance of network and information systems
  • Personnel, access & asset management: personnel security, access control concepts and asset management
  • Business continuity: business continuity (such as backup management and disaster recovery) and crisis management
  • Authentication & communication: use of multi-factor authentication or continuous authentication solutions, secure voice, video and text communication, and secure emergency communication systems where appropriate

With these services, we support you in meeting the NIS 2 requirements


Is your company affected by NIS-2?

Overview in the jungle of IT regulation & legislation

Brussels is strengthening resilience against cyber attacks - with a complex and demanding regulatory agenda. The requirements are growing, and so are the penalties for non-compliance. But is your company really affected? We explain.

  • Initial consultation


From NIS-1 to NIS-2

And what leap do you need to make?


As a company already affected by NIS-1, you are already well positioned in terms of IT security. From October 2024, however, the requirements of NIS-2 will apply, some of which are significantly stricter. What is already covered, and what still needs to be done? We bring light into the darkness.

  • Delta audits
  • Pre-audits


Long-distance qualities required

Prepare in time and keep going!


Depending on the transposition of the NIS-2 Directive into national legislation, the deadlines for demonstrating compliance with the minimum requirements may vary from one EU country to another. But one thing applies to all of them: the implementation of measures takes time and a lot of personal commitment. We will put you on the right implementation path in these areas:


  • §8a audits/§10 audits
  • ISO 27001, also based on IT baseline protection ("IT-Grundschutz")
  • Business continuity management (ISO 22301)
  • EUCS/ISO 27001 for Cloud
  • Incident management
  • NESAS


Only half the battle

The supply chain is also important!


According to NIS-2, operators of critical infrastructure are obliged to ensure the resilience of their supply chains. On the supplier side, this means developing and manufacturing IT systems, devices and components in such a way that they meet the high IT security requirements - especially when used in a critical infrastructure. We provide the evidence of compliance that NIS-2 requires.

  • Accelerated security certification (BSZ)
  • Audits in accordance with IEC 62443-X
  • SQ (EN303645 or harmonized standard)
  • Common Criteria (EU CC)
  • "CSC" (EN303645 + Cloud)
  • GSMA NESAS

Stricter sanctions

The NIS 2 Directive entails stricter penalties and sanctions. These are modelled on the EU General Data Protection Regulation (EU GDPR).

  • For essential entities, fines can amount to up to EUR 10 million or 2 percent of annual global turnover (whichever is higher)
  • For important entities, the maximum fine is EUR 7 million or 1.4 percent of annual global turnover (whichever is higher)

Management must monitor compliance with the IT security measures. If these obligations are breached, the management may be held personally liable towards the organization.

Government inspections are also planned to check compliance.

The implementation of the new NIS 2 Directive offers critical infrastructure operators and the public sector the opportunity to position themselves robustly in terms of IT security. TÜV NORD GROUP accompanies them on this path.

– Axel Lange, General Manager Marketing & Sales at TÜVIT

NIS 2: Status of implementation

Status of national implementation in the member states of the European Union

Berlin - 06/2023: The 4th draft of the NIS2UmsuCG has been published

The European NIS 2 Directive will be enshrined in German national legislation by the NIS 2 Implementation and Cyber Security Strengthening Act (NIS2UmsuCG). On 24.06.2024, the Federal Ministry of the Interior (BMI) published the 4th draft bill for this law. Some of the new requirements have already been integrated into the IT Security Act 2.0.

Vienna - 07/2024: National Council does not approve the NISG 2024 for now

During the parliamentary vote in the National Council on the Information System Security Act 2024 (NISG 2024) on July 3, 2024, the necessary two-thirds majority could not be achieved. The law was therefore not passed for the time being.

Madrid: Transposition of the NIS 2 Directive

In Spain, the Centro Criptológico Nacional (CCN) published on August 1, 2024 a website with resources and general questions regarding the implementation of NIS 2. It has also published a guide for the implementation of NIS 2 for essential entities (Guide CCN-STIC 892).

You have questions? We are pleased to help!


Carsten Keil

Senior Sales Manager

+49 160 8885406
c.keil@tuvit.de