Implementation of the NIS 2 Directive in the EU - the current status

The NIS 2 Directive has these far-reaching effects on companies and public institutions in the EU.

The NIS-2 Directive (Network and Information Systems Directive) is an important step towards strengthening cyber security within the European Union (EU). We would like to introduce you to the far-reaching implications of the NIS 2 Directive for companies and public institutions throughout the EU.

Background and objectives of the NIS 2 Directive

The original NIS Directive was adopted in 2016 and formed the first EU-wide legal framework for cybersecurity. It obliged Member States to introduce national cybersecurity strategies and set out requirements for operators of essential services and digital service providers.

The NIS 2 Directive, published in the Official Journal of the European Union L333 on December 27, 2022, significantly updates and expands the existing framework. Its main objective is to respond to the increasing complexity and interconnectedness of digital systems as well as increasing cyber threats. The aim is to improve the resilience of critical infrastructures and ensure a high common level of security within the EU.

These are the main new features of the NIS 2 Directive

  1. Extended area of application
    The NIS 2 Directive covers a broader range of sectors and companies. In addition to the areas already covered by the NIS Directive (e.g. energy, transportation, health, finance), other sectors such as public administration, space, food supply and digital infrastructure are now also included.
  2. Stricter security requirements
    The requirements for the security of network and information systems have been significantly increased. Companies are now obliged to take more comprehensive measures to protect against cyber attacks and to regularly review their effectiveness.
  3. Extended reporting obligations
    The directive tightens the reporting obligations for security incidents. Companies are obliged to report significant incidents to the competent authorities within 24 hours and to provide further detailed information within 72 hours.
  4. Liability and sanctions
    The NIS 2 Directive introduces stricter liability regulations and sanctions. Companies that fail to meet their obligations will face severe fines and other legal consequences.
  5. Improved collaboration and coordination
    The directive promotes closer cooperation between EU member states, in particular through the creation of a European Cybersecurity Center. The center is tasked with improving coordination and the exchange of information between national authorities and supporting the joint response to cross-border cyber threats.

Challenges in implementing the NIS 2 Directive

The implementation of the NIS 2 Directive poses considerable challenges for Member States and companies. These include:

  • Legal adjustments: Each EU country must adapt its national laws and regulations to the new requirements. This requires close cooperation between national legislators and the EU institutions.
  • Resource expenditure: Meeting the new security requirements requires considerable investment in technology, personnel and training. Small and medium-sized enterprises (SMEs) in particular may find it difficult to provide the necessary resources.
  • Cultural change: Creating a strong security culture within companies is essential. This requires a rethink at all levels of the organization and the establishment of cyber security as a central corporate priority.

Status of legal adaptation of NIS-2 in EU countries

Member states must implement the EU requirements in national law by October 18, 2024 at the latest.

Three of the 27 EU member states have already implemented the legal adjustment and published corresponding regulations in the respective Official Journal: Belgium, Croatia and Hungary.

Drafts have already been presented in Germany, Finland, Italy, Latvia, Luxembourg, the Netherlands, Austria, Poland, Slovakia, Slovenia, the Czech Republic and Cyprus.

The timeframe for implementation in the remaining twelve EU member states is not yet known. It is to be expected that some countries will not meet the deadline.

These companies and institutions are affected by NIS-2

In principle, companies with 50 or more employees and an annual turnover of at least 10 million euros are affected.

The NIS 2 Directive is also aimed at "essential" and "important" institutions and companies.

Essential institutions are companies of significant importance to the community, whose failure would have serious consequences. NIS-2 specifically names eleven areas:

  1. Energy (electricity, district heating, crude oil, natural gas, hydrogen)
  2. Transportation (air transport, rail transport, shipping, road transport)
  3. Banking
  4. Financial markets
  5. Health (including healthcare providers, medical research, pharmaceuticals, medical devices)
  6. Drinking water (water supply)
  7. Waste water (sewage disposal)
  8. Public administrations
  9. Digital infrastructure (Internet nodes, cloud providers, data centers, electronic communication)
  10. ICT service management (B2B) (Managed Service Providers, Managed Security Service Providers)
  11. Space

The following seven sectors are counted as "important":

  1. Postal and courier services
  2. Waste
  3. Food
  4. Chemicals
  5. Digital services (search engines, online marketplaces, cloud services, social networks)
  6. Industry (including mechanical engineering, vehicle construction, data processing equipment)
  7. Research


If a company meets both the size and the sector criteria, the NIS-2 Directive applies. A company that carries out a critical activity whose failure could affect public order may also fall under NIS-2 even if it does not reach the size threshold.

However, the NIS 2 Directive does not apply to institutions that carry out activities in areas such as defense, national security, public security and law enforcement. The judiciary, parliaments and central banks are also excluded.

Conclusion: From fall 2024, companies and public institutions will be required to implement the new requirements quickly and proactively arm themselves against cyber risks. This is the only way to ensure a high level of security and trust in the EU's digital infrastructure.
