What is NIS 2? 

The NIS 2 Directive is a legislative act of the European Union, adopted by the European Parliament and the Council, that aims to achieve a high common level of cybersecurity across the EU. At its heart is the information technology of critical facilities and of other businesses and organisations whose protection plays a critical role in the functioning of the EU internal market and in Germany's security of supply. The directive covers public administration as well as sectors such as the supply of food, energy and water, waste management and financial institutions.

What is the aim of NIS 2? 

The NIS 2 Directive sets out to raise the level of cybersecurity within the European Union by introducing binding measures for public administration and businesses and by improving the sharing of information across borders.

Who is affected by NIS 2? 

The NIS 2 Directive lists 18 sectors, split into sectors of high criticality and other critical sectors. The current German draft excludes public administration at the regional level; this exclusion is a national choice and applies only in Germany. Within these sectors, the directive covers all companies and organisations with at least 50 employees or an annual turnover and balance sheet total of more than 10 million euros, and in some cases entities below this threshold are also included (for example, if they are the sole provider of an essential service). That means in Germany alone some 30,000 businesses and organisations will have to implement NIS 2, far more than were affected by its predecessor NIS 1, the IT Security Act and the KRITIS Act.

What is going to change?

  • Responsibility – NIS 2 makes members of an organisation's management bodies personally responsible for approving and overseeing the cybersecurity risk-management measures. In certain circumstances, these people may be temporarily prohibited from exercising managerial functions.
  • Stricter regulatory supervision and enforcement – Fines of up to 10 million euros or 2% of total worldwide annual turnover, whichever is higher, for essential entities (up to 7 million euros or 1.4% for important entities).
  • Risk management and information security management systems, together with measures for handling security incidents and ensuring business continuity even in the worst case, must be implemented throughout the organisation. Security training for employees (including management) becomes compulsory, and policies and procedures for the use of cryptography and, where appropriate, encryption must be in place.
  • A focus on supply chains – Affected businesses and organisations are obliged to address security in their relationships with suppliers and service providers, which in practice means imposing much stricter security requirements on them.
  • Notification requirements – An early warning of a significant incident must be submitted within 24 hours of becoming aware of it. A full incident notification must follow within 72 hours of becoming aware, including an initial assessment of the incident's severity and impact and, where available, indicators of compromise. A final report is due no later than one month after the incident notification; if the incident is still ongoing at that point, a progress report is submitted instead, with the final report following within one month of the incident being handled.

What should affected companies do?

Every organisation and institution must check for itself whether it falls within the scope of the NIS 2 Directive. This can be done with the help of IT specialists or as a self-assessment.

The legislation also stipulates that all affected organisations must register with the German Federal Office for Information Security (BSI) no later than three months after the directive has been transposed into national law. At the time of writing, the deadline for this is expected to be the end of Q1/2025.

If the evaluation finds that the organisation or business is affected, it should immediately begin examining the directive's requirements and identifying where action is needed.

Rolling out the requirements of the NIS 2 Directive calls for a holistic overview of management tasks and processes in governance, risk and compliance as well as in core operations. Changing cybersecurity in these areas and within projects can be highly complex, time-consuming and demanding of expertise.

It's important, however, that organisations see NIS 2 as an opportunity to enhance their resilience against cyberattacks, optimise their security strategies and ensure that critical processes, data and services are protected.

How can Bechtle help?

Bechtle’s experts have developed a specific NIS 2 Assessment.

That means:

  • They bring organisations up to speed on the wide-ranging requirements of the NIS 2 Directive, review the customer's documentation and assess the suitability of the measures already in place. This forms the basis for evaluating risks, analysing vulnerabilities, recommending specific measures and defining an action plan.
  • The action plan and measures are presented and discussed with the organisation’s management.  
  • Bechtle not only offers an annual follow-up assessment but also the implementation of an information security management system (ISMS) as well as risk management and business continuity management systems. Managed services, the Bechtle Security Operations Centre (SOC) and a learning platform to raise security awareness among employees are available as well.

It is absolutely critical that organisations affected by NIS 2 treat cybersecurity as a holistic management task and implement it as such, rather than relying on standalone solutions.

Need support?

Contact us