After our first blog article (April 2024) on the new EU NIS2 Directive covered the basics, the differences from NIS1, and the legislative situation, this time we focus on the following questions: What criteria are used to categorize companies that operate critical infrastructure? What sanctions are possible? What measures, especially in the area of risk management, must the affected companies implement? The following article gives an overview of these topics.
NIS2 categorization of affected companies
With the NIS2 Directive coming into force, companies in 18 industrial sectors—instead of the previous 9—will have to implement specified minimum information security standards from 2024 onwards. The following two main criteria apply to determine whether a company is affected:
1. Criterion: Company size
Companies with at least 50 employees and an annual turnover of more than €10 million fall within the scope of the NIS2 Directive if criterion 2 is also met.
2. Criterion: The company sector
Whether an organization falls under NIS2 also depends on whether it belongs to one of the 18 defined company sectors. The company sector is the second decisive criterion, in addition to the size of the company. If both criteria are met, an organization falls under the NIS2 Directive.
Special cases in categorization
There are special cases in the digital infrastructure sector. Some operators are to be regulated regardless of their size. For companies that offer domain name services or trust services with qualified signature management, for example, which are considered extremely critical under NIS2, the size of the company is irrelevant. Even small or micro-enterprises that offer such services are considered particularly important entities—with all the obligations that this entails. Figure 1 provides an overview of this.
Figure 1: Special cases for digital infrastructure companies
NIS2 Sanctions
NIS2 divides sectors into eleven “essential” sectors with high criticality and seven “important” sectors. The distinction between “essential” and “important” also determines the scope of government oversight and the sanctions that can be imposed for non-compliance with and violations of NIS2 requirements.
For “essential entities,” sanctions can amount to up to ten million euros or two percent of global annual turnover, whichever is higher. For “important entities,” fines can amount to up to seven million euros or 1.4 percent of global annual turnover, also based on the higher amount.
A distinction is also made between negligent and intentional fault, and this distinction applies equally to “essential” and “important” sectors. Even negligence can then lead, for example, to personal liability on the part of the managing director.
Companies exempt from NIS2
A company that would otherwise be affected may also be completely exempt from NIS2. The NIS2 Directive does not apply to entities in the fields of defense or national security, public security, and law enforcement. The judiciary and parliaments are also excluded from its scope.
To avoid multiple regulation, the NIS2 Directive provides an exemption for entities that must already meet equivalent IT security requirements under other EU legislation. For example, financial institutions subject to DORA only need to provide evidence of their information security and report incidents under DORA; they are therefore considered to already meet the relevant requirements.
Measures to be ensured
What measures must the affected companies now implement? The NIS2 Directive requires them to implement a series of compliance measures. The following ten detailed requirements for risk management are taken directly from Article 21 of NIS2. They are crucial for full compliance with the Directive:
- established concepts for risk analysis and security for information systems,
- concepts for dealing with security incidents,
- concepts for maintaining operations, such as backup management and disaster recovery, as well as the corresponding crisis management,
- evidence of supply chain security, including security-related aspects of the relationships between individual entities and their immediate suppliers or service providers,
- security measures for the acquisition, development, and maintenance of network and information systems, including vulnerability management and disclosure,
- concepts and procedures for assessing the effectiveness of risk management measures in the area of cybersecurity,
- basic procedures in the area of cyber hygiene and training of employees in the area of cybersecurity,
- concepts and procedures for the use of cryptography and, where appropriate, encryption,
- staff security, concepts for access control and facility management (e.g., data centers),
- use of multi-factor authentication or continuous authentication solutions, secure voice, video, and text communications, and, where appropriate, secure emergency communications systems within the entity's own facilities.
Checklist for implementing necessary measures
But how can these requirements be implemented consistently? We recommend creating a checklist. In our opinion, the following recommendations should be included in this checklist:
- Risk assessment and management:
The first step should be to conduct a comprehensive assessment of current security risks. This involves identifying vulnerabilities in the IT infrastructure and then developing plans to address them.
- Implementation of security measures:
It must be ensured that security measures comply with the requirements of NIS2. These include advanced technologies for defending against cyber threats, regular updates and patches, and effective access controls.
- Employee training:
An essential part of compliance is raising awareness and training all employees. It must be ensured that they understand the importance of IT security and know how to respond to security incidents.
- Incident reporting system and SIEM:
Effective systems for detecting and reporting security incidents must be implemented. This should enable incidents to be detected, recorded, and reported quickly and efficiently.
- Documentation and compliance review:
Security processes and compliance measures must be carefully documented. Regular internal audits can help to review and ensure compliance with the NIS2 Directive.
- Cooperation and information exchange:
Opportunities for cooperation with other companies affected by NIS2 and with authorities should be used in order to exchange best practices and continuously improve one’s own security strategy.
Conclusion
The NIS2 Directive represents a significant step forward for European IT security. Its scope has been expanded to include additional sectors. The focus is on stricter security requirements as well as transparency and cooperation.
Companies now need to check in good time whether they are affected by NIS2. If this is the case, they must review their security strategies and adapt them to the new requirements. This includes a comprehensive risk assessment, the implementation of stronger security measures, employee training, the establishment of effective incident reporting systems, and clear documentation of all measures taken.