BPG BPG Beratungs- und Prüfungsgesellschaft mbH
Back to the news
Cybersecurity

NIS2 Directive - overview and status quo

IT

What is the NIS2 Directive?
The NIS2 Directive (NIS = Network and Information Security) is a further development of the European Union's original NIS Directive, which came into force in 2016. The aim of NIS2 is to further strengthen cybersecurity in the EU, improve resilience against cyberattacks and increase the resilience of critical infrastructure. The NIS2 Directive was published on December 27, 2022 and came into force on January 16, 2023.

The digital transformation brings numerous benefits, but at the same time increases vulnerability to cyber threats. Attacks on critical infrastructure, such as energy supply, healthcare and transportation, can have serious consequences for society and the economy. Therefore, the NIS2 Directive was developed to ensure a more robust and coherent approach to cybersecurity within the EU.

Who does NIS2 apply to?
By October 2024, all countries in the European Union must incorporate the regulations into national legislation. In addition, from October 2024, all companies from 18 defined sectors with at least 50 employees and a turnover of €10 million will be obliged to implement NIS2.

The sectors affected in Germany are so-called critical infrastructure operators (also known as “KRITIS”), which are already legally obliged by the IT Security Act 2.0 to take information security measures above certain thresholds. However, many municipal utilities are below the thresholds, which is why NIS2 is now expanding existing sectors and adding others:

Sectors with high criticality

  • Energy
  • Transportation
  • Banking
  • Financial markets
  • Healthcare
  • Drinking Water
  • Wastewater
  • Digital infrastructure
  • IT/ICT services (B2B)
  • Public administration
  • Space

Other critical sectors

  • Postal and courier services
  • Waste management
  • Chemicals
  • Food industry
  • Industry (e.g. mechanical engineering)
  • Digital services
  • Research

Key innovations of NIS2

  1. Expanded scope: The directive covers more sectors than its predecessor and the threshold for classification as an “essential service” has been lowered so that more companies and organizations are covered by the directive.
  2. Increased cooperation and coordination: Closer cooperation between Member States and the EU Agency for Cybersecurity (ENISA) is called for. Joint cybersecurity exercises and the exchange of best practices should be promoted.
  3. Obligations for companies: Companies will be required to meet enhanced security requirements, including the introduction of risk management measures and specific cyber incident reporting deadlines to enable faster responses.
  4. Sanctions: The Directive provides for tougher penalties for breaches, including hefty fines to ensure compliance. In addition, national authorities will be given enhanced powers to enforce the directive.

What is the status quo in Germany?
Work is currently underway to integrate the directive into national legislation. The law that is being drafted for this purpose is called the “NIS-2 Implementation and Cyber Security Strengthening Act” (NIS2UmsuCG). Despite the draft bill and the consultation, the country does not expect the final law to be passed on time by October 2024. Other EU countries have also announced that they will not be able to meet the deadline.

What can affected companies already do today?
Despite the lack of legislation, affected companies can already derive important measures from the directive. As the implementation process is complex, it is advisable to start planning and implementing as soon as possible in order to be well positioned once the law has been passed and to avoid sanctions.

We can help you with the review or implementation of the NIS2 directive in your company with expert consultants. Simply get in touch with us:

Crowe BPG Beratungs- und Prüfungsgesellschaft mbH
Christian Maruhn
Phone: 02151 508 400
E-mail: maruhn@crowe-bpg.de

Autoren

Christian Maruhn

Further interesting topics

IT

The e-invoicing obligation in the B2B sector - introduction and significance for SMEs

In a rapidly digitalizing world, SMEs are faced with the challenge of continuously adapting and modernizing. A central element of this transformation is e-invoicing.
IT

IT emergencies and countermeasures

What would be the impact of a prolonged power outage, a hacker attack or a ransomware attack? IT emergencies can occur at any time but only few companies are aware of their significant effects on daily operations.
Wirtschaftsprüfung

The Power of Data Analytics

Data analytics are becoming increasingly important in our profession. As the volume and complexity of data generated by businesses continues to grow, auditors need to have the ability to efficiently and effectively analyze large amounts of data to identify potential risks and uncover insights.
Crowe Global, Crowe BPG

Our network: Excellence beyond borders

As of July 2020, Crowe BPG is a member of the Crowe Global network. This not only opens benefits for us, but also our clients – due to our Crowe membership, we have access to experts in all major countries all over the world.
Advisory

Crowe advises Ethypharm on the acquisition of the Argatroban business from Mitsubishi Tanabe Pharma Corporation, a Mitsubishi Chemical Group company

Ethypharm has signed an agreement with Mitsubishi Tanabe Pharma Corporation (MTPC), a company of the Mitsubishi Chemical Group, to acquire ...
Cookie-Settings