The new EU NIS2 Directive must be incorporated into German law by October 17, 2024. NIS2 stands for “Network and Information Security – Version 2.” The directive has been in force in the EU since January 2023. It aims to ensure that facilities classified as critical can supply the population in member states with essential goods and services. But how did the second version of NIS come about and how does it differ from NIS1? We will take a closer look at this and more in a series of blog articles. In the first article, we will discuss the origins and innovations of NIS2.
History of NIS1 and KRITIS
The European Union introduced its first cybersecurity directive in 2016. Today, this directive is known as NIS1. It was developed against the backdrop of an increasingly threatening situation and growing IT security requirements in Europe. The EU’s aim was to protect sectors and services that are important to society in its member states from IT attacks.
NIS1 contains binding requirements for the protection of systems belonging to companies that operate “critical infrastructures” (KRITIS). These KRITIS companies play a crucial role in society as they provide services in important areas such as energy supply, health, and transportation.
Emergence of NIS2
Advancing digitalization is also leading to a steady increase in threats. A higher level of protection is required to adequately mitigate the current risks at KRITIS companies. The EU therefore decided to revise the NIS1 Directive. After lengthy deliberations and discussions, NIS2 was the result. Following approval by the EU Parliament and the European Council, NIS2 was adopted as an updated version on December 14, 2022. Since it came into force on January 16, 2023, EU member states have had 21 months to transpose the new regulations into national law. Accordingly, affected companies should already be familiarizing themselves with the requirements of the NIS2 Directive so that they can plan and implement the necessary measures in good time.
Figure 1: Timeline of the development of NIS2
At the same time as NIS2, the so-called CER Directive – “Critical Entities Resilience Directive” – also came into force. CER regulates physical protection against sabotage and other attacks for KRITIS companies, for example in terms of access policies for data centers. The security of information and communication technology, on the other hand, is the subject of NIS2. CER is not discussed in detail in this and the following NIS2 articles.
Status of German legislation
The existing drafts for the KRITIS umbrella law (KRITIS-DachG), which implements CER, and for the somewhat cumbersomely named NIS 2 Implementation and Cybersecurity Strengthening Act (NIS2UmsuCG), which implements NIS2, are currently at different stages of the legislative process.
While the implementation of the KRITIS umbrella law has already been approved by the relevant ministries and the hearings with the federal states and associations for the second draft bill have been completed, there has been little progress on NIS2. An initial draft bill was already circulating unofficially in the summer of 2023. However, the Federal Ministry of the Interior and Homeland (BMI), which is in charge of the bill, has not yet published an official version. The schedule is now becoming increasingly tight. A concrete draft bill must first pass through the cabinet and then through parliament. Due to this complex procedure, it cannot be ruled out that the start date of NIS2 on October 18, 2024, will be missed.
Industries and sectors affected by NIS2
The scope has been significantly expanded and now covers a total of eighteen industrial sectors, from water to space. The previous nine sectors of the KRITIS Regulation are included in the new areas. NIS2 continues to distinguish between high-criticality sectors and other critical sectors. The CER Directive applies to the 11 sectors with high criticality. The table in Figure 2 provides an overview of the sectors affected.
Figure 2: Sectors affected by NIS2
Like NIS1, NIS2 imposes comprehensive requirements on risk management and cybersecurity.
New classification as an affected company
Another key element of the reform is a complete reclassification of the target group. In the previous understanding of critical infrastructures, the determination of their criticality was regulated in the KRITIS Regulation (KritisVO). In the future, this will be replaced by the KRITIS-DachG (CER) and the NIS2UmsuCG (NIS2).
The previous three-stage procedure defined sector affiliation, specific plant categories, and concrete thresholds. An operator exceeding these thresholds was a KRITIS within the meaning of the regulation. The notional benchmark for these thresholds was always a figure of 500,000 people who would be affected by a failure of the critical infrastructure.
After much back and forth, it was agreed in the negotiations on NIS2 (as well as CER) to redesign the classification of critical facilities and, in future, to classify them across Europe according to company size (50 employees and above), turnover figures (€10 million/year), and sector affiliation. This classification will be regulated in the aforementioned NIS2UmsuCG in the future.
According to estimates by the Federal Statistical Office, these changes will mean that ten times more companies than before will be legally obliged to comply with the provisions of the NIS2 and CER directives. Existing KRITIS companies will automatically continue to fall under the new directive.
New features in NIS2
What are the most important differences and new features in NIS2 compared to NIS1? There are four important changes:
1. More than twice as many sectors as before (18 instead of 7) are classified as critical.
2. Violations of NIS2 requirements will be punished according to a now uniform and significantly stricter catalog of fines, which is capped only by a percentage of global annual turnover – similar to the GDPR introduced in 2018. Previously, EU countries were able to determine the penalties themselves. In Germany, the maximum penalty was €20 million.
3. NIS2 introduces executive responsibility for the first time. In the future, executives will be personally liable if they violate their duties – including claims for damages that must be paid from their own assets.
4. The new directive revises the existing reporting requirements to the Federal Network Agency and the BSI in the event of security incidents. In future, there will be a three-stage process instead of a single stage: a preliminary report must be made within 24 hours if a critical service fails – even if there is no precise knowledge yet of what exactly has happened. After 72 hours at the latest, the respective national supervisory authorities (in Germany, the Federal Network Agency) expect a qualified report on the incident and how it is being dealt with.
Conclusion
The new classification system means that significantly more companies are now subject to KRITIS regulation. This results in many new tasks for these companies. Especially for smaller companies, the effort required for appropriate risk management can quickly become a major challenge. Companies already classified as KRITIS must review their existing concepts and adapt them if necessary. You can find out exactly what measures need to be taken in this context, how the classification as a critical company works in detail, and more in one of the next blog articles.