NIS 2 Directive: Requirements, Penalties and Implementation

Stefan Effenberger

IT Documentation Expert

Last updated: 9 January 2025

Reading time: 3 minutes


The most important facts in brief:

  • Strict compliance requirements: The NIS 2 Directive requires companies in critical and essential sectors to comply with strict cybersecurity standards; violations can result in fines of up to €10 million or 2% of annual global turnover.
  • Extended scope of application: The directive not only affects large corporations, but also medium-sized companies and IT service providers, which are now obliged to report security incidents within 24 hours and provide extensive documentation.
  • Efficient implementation: With professional documentation software such as Docusnap, companies can automate risk assessments, efficiently create incident reports and fully document compliance requirements in order to avoid high penalties.

In today's highly digitized world, cyber attacks and security threats are constantly increasing. In order to better protect businesses and critical infrastructure, the European Union has adopted the NIS 2 Directive (Network and Information Security Directive 2). This new directive replaces the original NIS Directive from 2016 and requires companies to implement more comprehensive cybersecurity measures.

In this article, you will learn everything important about the NIS 2 Directive: What it is, when it comes into force, what requirements it places on companies, what the penalties for violations look like and how the professional documentation software Docusnap is helping companies meet the requirements.

What is the NIS 2 Directive?

The NIS 2 Directive (Network and Information Security Directive 2) was adopted at the end of 2022 to modernize the previous directive and meet increased cybersecurity requirements. In view of the growing threat posed by cybercrime and an increasingly interconnected world, it was necessary to tighten the previous regulations. The NIS 2 Directive is a key element of the EU cybersecurity strategy and aims to improve the protection of critical infrastructure and essential services across the EU.

Why was an update necessary?

Since the original NIS Directive was introduced in 2016, the threat spectrum has changed dramatically. Cyber attacks such as ransomware, DDoS attacks (Distributed Denial of Service) and phishing campaigns have increased significantly and can cause significant financial damage to companies. The previous NIS Directive did not cover all affected industries and did not provide the necessary protective measures to counter modern threats. The NIS 2 Directive specifically addresses these gaps.

Objectives of the NIS 2 Directive

The main objectives of the NIS 2 Directive can be summarised as follows:

  • Increasing cybersecurity within the EU through stricter standards and regulations.
  • Improving collaboration between EU Member States to identify and ward off threats at an early stage.
  • Protecting critical infrastructure and essential services to ensure security of supply.
  • Increasing the resilience of companies and organizations against cyber attacks.
  • Ensuring fast reporting of security incidents to reduce response times.

When does the NIS 2 Directive come into force in Germany?

The EU's NIS 2 Directive officially came into force on December 27, 2022. However, the EU member states must first transpose the directive into national law. In Germany, this should take place by October 17, 2024. Nevertheless, national legislation in Germany is behind schedule. As of November 2024, there is only a draft law from the German government to implement the NIS 2 Directive - the NIS-2 Implementation and Cyber Security Strengthening Act (NIS-2UmsuCG). It is currently expected to come into force in March 2025. From this date, the provisions of the NIS 2 Directive will also be binding for companies in Germany.

What does this mean for German companies? Companies that fall under the scope of the NIS 2 Directive should prepare for the new requirements now in order to be compliant in good time. Implementation into German law is expected through amendments to the BSI Act (Federal Office for Information Security Act) and other relevant legislation. It is advisable to take early measures to comply with the new requirements in order to avoid possible fines and sanctions.

Which companies are affected by the NIS 2 Directive?

The NIS 2 Directive extends the scope and now covers a variety of sectors that were previously unregulated. The companies concerned fall into two categories: critical and essential service providers.

Critical service providers:

  • Energy supply (e.g. electricity, gas, oil)
  • Water supply and sanitation
  • Transport and traffic (e.g. airports, ports, railways)
  • Health sector (e.g. hospitals, pharmaceutical companies)
  • Public administration

Essential service providers:

  • Cloud services and data centers
  • Telecommunications and internet service providers
  • Financial sector (e.g. banks, insurance companies)
  • Digital services and online marketplaces
  • IT service providers and software companies

What does this mean for companies?

The Directive not only affects large companies, but also medium-sized companies that are active in the sectors mentioned above. It is important to stress that the NIS 2 Directive affects both European and non-European companies that provide services in the EU.

NIS-2 impact assessment by the BSI

Companies that are uncertain whether they are affected by the NIS 2 Directive can use the NIS-2 impact assessment from the German Federal Office for Information Security (BSI). This test helps companies to assess whether they are subject to NIS 2 requirements. The BSI's impact assessment is an important first step in determining whether there is a need for action.

What are the requirements of the NIS 2 Directive for companies?

The NIS 2 Directive requires companies to take comprehensive measures to improve cybersecurity. The most important requirements are:

1. Risk management and safety measures

Companies must carry out a detailed risk assessment and implement appropriate technical and organizational measures to secure their IT infrastructure. Measures include:

  • Implementation of firewalls, intrusion detection systems and encryption technologies.
  • Introduction of emergency plans and regular security checks.
  • Vulnerability analyses and continuous monitoring to identify security gaps at an early stage.

2. Incident management and reporting requirements

The NIS 2 Directive sets strict requirements for reporting security incidents:

  • Security incidents must be reported to the competent authority within 24 hours of being discovered.
  • Within 72 hours, detailed information must be provided on the nature of the incident and the measures taken.
  • A final report must be submitted within one month.

3. Staff training and awareness raising

To prevent cyber attacks, companies must regularly train their employees in cybersecurity. This training is intended to increase awareness of security risks and avoid human errors.

4. Documentation and verification

The NIS 2 Directive requires complete documentation of all security measures taken. Companies must:

  • regularly update their IT documentation.
  • be able to provide evidence of the security measures taken during inspections.
  • establish a comprehensive incident management system to prove compliance with the directive.

What are the penalties for breaches of the NIS 2 Directive?

The NIS 2 Directive provides for strict sanctions for companies that do not meet the prescribed security requirements. The amount of the penalties depends on the type of company and the severity of the infringement. A distinction is made between critical service providers and essential service providers.

1. Penalties for critical service providers

Critical service providers are subject to particularly strict requirements, as their failures could have serious consequences for society and the economy. Violations of the NIS 2 Directive may result in the following penalties:

  • Fines of up to 10 million euros or 2% of annual global turnover, whichever is higher.
  • Additional penalties may include publication of the infringement to increase pressure on companies to improve their security measures.
  • In serious cases, this can lead to suspension of business activities or restriction of certain services until the deficiencies have been remedied.
  • Company managers can be held personally responsible, especially if it is proven that they have neglected their monitoring obligations.

Examples of violations that can result in high penalties:

  • Failure to report a significant security incident within the prescribed period.
  • Inadequate technical protection measures such as lack of encryption or inadequate access controls.
  • Negligence in carrying out regular IT security audits and risk analyses.

2. Penalties for essential service providers

Essential service providers are also subject to strict security requirements, but the penalties for violations are somewhat less drastic than for critical service providers:

  • Fines of up to 7 million euros or 1.4% of annual global turnover, whichever is higher.
  • Essential service providers may also be required to publicly disclose their violations, which can lead to reputational damage.
  • Temporary operating restrictions can be imposed until the necessary security measures have been proven.
  • Managers can be held responsible if they are proven to be negligent in implementing safety requirements.

Typical violations include:

  • Inadequate training of employees on cybersecurity practices.
  • Lack of regular security policy reviews and updates.
  • Failure to properly document IT infrastructure and security protocols.

3. Graduated sanctions and sanctioning process

The NIS 2 Directive provides for a tiered approach to the enforcement of sanctions. This means that supervisory authorities can first issue warnings and give companies the opportunity to take remedial action within a specified period before imposing drastic penalties. However, repeated breaches or serious neglect can lead to heavy fines immediately.

Implementation of the NIS 2 Directive in Austria

Legal basis and responsibilities

In Austria, the NIS 2 Directive is being transposed into national law by adapting the existing Network and Information System Security Act (NISG). The Federal Ministry of the Interior (BMI) is responsible for the implementation and works in close cooperation with the Austrian cyber security authority (CERT.at). A central point of the Austrian implementation is the strong emphasis on cooperation between private and public institutions. For example, one focus is on establishing regular exchange platforms and reporting processes between companies and authorities.

Differences to Germany

One major difference between the German and Austrian implementation lies in the definition of the thresholds for affected organizations. While Germany has clear requirements regarding the size and relevance of the affected companies, Austria takes a more flexible approach. The Austrian thresholds not only take into account the size of a company, but also its sectoral importance and the potential impact of a failure on national security. This means that smaller organizations that are critical to supply may also fall within the scope of the directive.

Focus on training and awareness

In addition, Austria places particular emphasis on training and raising awareness among employees in critical sectors. Funding programs are offered to support companies in implementing the required security measures. These practical aids differ from the German implementation, which relies more heavily on formal regulations and control mechanisms.

Implementation planned for 2025

The implementation of the NIS 2 directive is also delayed in Austria and is not expected to be transposed into national law until 2025. The deadline for implementation was originally set for October 17, 2024, but this could not be met. Therefore, the corresponding legal regulations are now expected to come into force in the course of 2025. Nevertheless, companies should start implementing the necessary cyber security measures now in order to meet future requirements.

How Docusnap helps companies comply with the NIS 2 Directive

Compliance with the NIS 2 Directive is a complex task that requires thorough monitoring and documentation of the IT infrastructure. This is where Docusnap comes in, a leading software for IT documentation and IT compliance.

1. Automated IT documentation

Docusnap provides complete, automated documentation of the entire IT landscape. This includes:

  • Networks, hardware, software, and permissions.
  • Preparation of IT security guidelines and processes.
  • Regular security reports to comply with the NIS 2 Directive.

2. Risk management support

Docusnap helps companies to carry out risk analyses and identify security gaps at an early stage. This enables companies to proactively implement risk mitigation measures.

3. Incident management and reporting

With Docusnap, security incidents can be quickly identified and documented. The software facilitates the reporting of incidents to the relevant authorities and supports the creation of the necessary reports.

4. Efficient verification during audits

The complete documentation provided by Docusnap enables companies to provide comprehensive evidence during audits and inspections and to prove compliance with the NIS 2 Directive.

Conclusion: NIS 2 compliance made easy with Docusnap

The NIS 2 directive presents companies with new challenges, but these can be overcome by using suitable tools such as Docusnap. Compliance with the NIS 2 directive is essential to avoid heavy penalties and to strengthen the trust of customers and partners. Docusnap offers companies the opportunity to efficiently meet the requirements while optimizing their IT security strategy.

Why companies should act now:

  • Violations of the NIS 2 directive can result in hefty fines.
  • A robust cybersecurity strategy not only protects against penalties, but also builds trust in the organization.
  • Using Docusnap facilitates the implementation of the directive and gives companies a competitive advantage in an increasingly digital world.
