NIS-2 - You should look at the new requirements now!
Oct. 2024 is right around the corner
Digital transformation has permeated all areas of society, parciularly after the pandemic and the required reduction of personal contact. But especially in the area of critical infrastructure, digitization is also quite risky: Companies, state-owned enterprises and public authorities are facing an increasing threat of cyberattacks, which they must counter with appropriate measures.
Just how real this threat is was demonstrated in recent years in Germany alone by the life-threatening attack on the University Hospital in Düsseldorf in 2020, the cyberattack on the IT service provider of the state capital Schwerin in 2021, and most recently with the repeated attack (so-called brute force attack) on the systems of the city of Potsdam in December 2022, after it had already been the subject of a cyberattack in 2020.
The European Union is also observing this development critically and therefore already took the first EU-wide legislative measure for critical infrastructure facilities in 2016 with the Network and Information Systems Security (NIS) Directive in order to work toward a uniform, mutually supportive level of cybersecurity in the EU member states. In Germany, the implementation was primarily done via adjustments to the IT Security Act, which, however, also fulfilled many requirements beforehand.
However, after reviewing this directive and its impact, the EU has found it necessary to tighten up the already existing directive. Thus, last November, the Council of the European Union and the European Parliament adopted the revised so-called NIS-2 Directive. It was then published on 27.12.2022 and came into force on 16.01.2023.
1. Expansion and concretization of the scope of application
Which sectors are affected by the directive?
A total of eighteen sectors are defined in Annexes I and II, compared with only seven sectors in the first NIS Directive. In addition, the sectors have been divided into “high criticality sectors” and “other critical sectors”.
Sectors with high criticality
Other critical sectors (Annex II)
To which public and private entities within the sectors does the directive apply?
The Directive specifies, through uniform criteria, which public and private entities operating within the sectors will be obliged to follow (Art. 2):
- all companies, from a number of employees of 50 persons and an annual turnover or an annual balance sheet of at least 10 million Euros
- Providers of public electronic communications networks or of publicly available electronic communications services.
- Trust service providers
- Top level domain name registries and DNS service providers
- Entities that are the sole provider in the respective Member State of a service that is essential for the maintenance of critical social or economic activities.
- Institutions that are of particular importance at national or regional level for the sector or type of service in question or for other interdependent sectors in the respective Member State
- Facilities where disruption of the service provided by the facility could have a significant impact on public order, public safety, or public health
- Facilities for which disruption of their services could result in significant systemic risk
- certain critical facilities of the public administration
- Where applicable, public administration bodies at local level and educational institutions , if determined by the respective Member State.
- Entities providing domain name registration services (registrars)
- Facilities that have been classified as critical facilities by the respective member state in accordance with Art. 6 of Directive (EU) 2022/2557
2. Specific obligations for affected facilities
- Obligation to take risk management measures to a minimum extent specified by the Directive (cf. Art. 21 (2)).
- Reporting obligations to certain national bodies/authorities (Art. 23)
- Where applicable, obligation to use specific ICT products, services and processes certified under European schemes for cybersecurity certification, if the respective Member State so determines
- For TLD name registries and registrars: Obligation to collect and maintain accurate and complete domain name registration data in a separate database in the future, in compliance with data protection provisions, the validation of registration data and parameters of data disclosure (Art. 28).
Compliance with these obligations is to be monitored by national supervisory authorities and sanctioned with fines in the event of non-compliance. The concrete design of the supervisory and enforcement measures is the responsibility of the member states, although the directive also sets out requirements in this area.
3. Determination of the relationship to sector-specific legislation
If there are already specific EU regulations for the sectors covered that are at least equally effective, such as in the Digital Operational Resilience of Financial Sector Digital Systems Regulation (DORA) and due to the Critical Entities Resilience Directive (CER), these are to be applied with priority (Art. 5).
4. Expand support and facilitate strategic cooperation and information sharing among member states through…
- The (previously existing) network of national computer emergency response teams (CSIRTs).
- Establishment of a European vulnerability database by the European Union Agency for Cyber Security (ENISA) based on notifications from member state CSIRT coordinators.
- Creation of the European Network of Cyber Crisis Liaison Organizations (EU-CyCLONe).
- Organization of topic-based peer reviews by cybersecurity experts (participation voluntary).
Implementation of the directive
It is advisable for companies to check now whether they are (recently) affected by the directive and, if so, to press ahead with planning the innovations. The technical implementation can sometimes take a long time and the real danger of cyber attacks exists regardless of the legal protection.
We are more than happy to support you in preparing for your NIS II compliance.