What is the NIS-2 Directive?
NIS-2 (Network and Information Security Directive II) is a European Union law aimed at improving cybersecurity across the entire Union. Think of the law as a set of rules for companies that work with sensitive data or provide essential services. The directive is intended to ensure that such companies have adequate protective measures against cyberattacks.
The NIS-2 Directive establishes measures aimed at achieving a high common level of cybersecurity across the Union in order to improve the functioning of the internal market.
Key Dates for NIS-2 and CER
NIS-2
- October 17, 2024: NIS-2 is to be transposed into national law
- January 17, 2025: Each country is to notify the Commission of its rules and measures
- October 17, 2027: Commission review begins (review every 36 months)
CER
- October 17, 2024: Member states must adopt and publish measures for compliance with this directive
- October 18, 2024: Application of these measures
Who Drafted and Enforced the NIS-2 Directive?
The European Commission introduced NIS-2. EU member states are now responsible for integrating it into their national laws by October 2024.
By October 17, 2027, and every 36 months thereafter, the Commission reviews the functioning of this directive and reports to the European Parliament and the Council. This report is intended to assess the relevance of the size of affected companies as well as the sectors, subsectors, and types of companies that are affected.
Who Is Affected by the NIS-2 Directive and Must Comply?
While the original NIS Directive targeted specific sectors such as energy and finance, NIS-2 is broader in scope and also covers small and medium-sized enterprises (SMEs). It primarily applies to the areas of energy, transport, banking, health, drinking water supply and wastewater disposal, digital infrastructure, public administration, space, and food production and distribution.
What Are the Requirements Under NIS-2?
NIS-2 will bring stricter cybersecurity requirements and better incident reporting for companies. Companies must have a plan for managing cyber risks, including measures to prevent attacks and minimize damage if an attack occurs. The NIST Cybersecurity Framework provides a proven structure for this purpose.
The NIS-2 Directive of the EU requires:
- Enhanced security measures for operators of essential services and digital service providers.
- Establishment of CSIRTs for coordinating security incidents.
- Reporting of serious security incidents to national authorities.
- Appropriate security measures and risk management, for example through Data Loss Prevention and Zero Trust Network Access.
- Cooperation and information sharing between member states and the EU.
- Securing key technologies and critical infrastructures.
Ignoring the NIS-2 Directive and Rules? Not an Option
The exact sanctions will vary from country to country, with regular inspections and audits planned (Article 32).
Member states establish rules on penalties applicable for violations of national measures pursuant to this directive. They take all necessary measures to ensure that these penalties are effective, proportionate, and dissuasive. By January 17, 2025, member states transmit these rules and measures to the Commission and promptly notify of any subsequent changes.
What Needs to Be Done?
Since July 2023, a draft bill from the German Federal Ministry of the Interior has been available in Germany, known as the NIS-2 Implementation and Cybersecurity Strengthening Act (NIS2UmsuCG). The final documentation or rulebook for Germany has not yet been published.
Each member state adopts a national cybersecurity strategy that provides the strategic objectives and the necessary resources to achieve these objectives. Appropriate policies and regulations are required to achieve and maintain a high level of cybersecurity.
CER (Critical Entities Resilience Directive)
The Critical Entities Resilience Directive (CER Directive) is a significant regulation of the European Union (EU) developed to address the increasing challenges in a world of diverse crises. Its main objective is to strengthen the resilience of critical entities against various types of threats and risks, including natural disasters, terrorist attacks, cyberattacks, and sabotage.
CER is designed for cooperation with NIS-2 but does not focus exclusively on cybersecurity; it also examines physical security and resilience.
According to Article 26, member states adopt and publish by October 17, 2024, the measures necessary to comply with this directive and apply these measures from October 18, 2024 (https://www.critical-entities-resilience-directive.com/Transposition/Germany.html).
NIS-2 and CER - A Use Case
Imagine a hospital (under CER). The NIS-2 Directive ensures that its IT systems, supported by SIEM and SOAR systems, are protected against cyberattacks, while the CER Directive could require the hospital to have backup generators to maintain functionality during a power outage.
Do you need support implementing the NIS-2 Directive? Feel free to contact us.
Tool Tip
Discover Raycast, a productivity booster for the Mac. Raycast is more than just an application launcher: it is a personal assistant that helps you complete tasks faster, find files, and interact seamlessly with tools such as Trello and GitHub. With natural language processing and custom workflows, Raycast supports every Mac user looking to improve their productivity.