NIS 2

In order to set the standard for cybersecurity in the European Union, companies from different sectors are required to document their security strategy. The countdown is on and it’s time for us to prepare together!
Networked globe with security lock

The new EU Cybersecurity Directive – NIS 2 – will become mandatory from October 18, 2024. This binding regulation sets the standard for cybersecurity throughout the European Union and compels companies from different sectors to document their security strategy.

The countdown is on and companies are urged to act.
Let’s get prepared together!

What is NIS 2?

The EU has introduced strict cybersecurity regulations for its Member States in the form of the NIS 2 Network and Information Security Directive. NIS 2 is the successor to the NIS Directive that came into force in 2016. The implementation of a holistic security strategy is therefore no longer just necessary to protect against cyberattacks, but is also a legal requirement.

Member States must adopt the necessary measures to comply with the NIS 2 Directive by October 17, 2024, and from October 18, 2024, they are to apply these measures.

Differences between NIS 1 and NIS 2

How does NIS 1 differ from NIS 2?

NIS 2 is an improved version of the NIS Directive of 2016, which was already intended to ensure a high level of security for network and information systems in the EU, but nevertheless presented some shortcomings.

The main differences between NIS 1 and NIS 2 are:

  • The new version includes more sectors and companies that are essential for society and the economy, such as energy, healthcare, transportation, and digital infrastructure.

  • NIS 2 requires the affected companies and organizations to operate an effective risk management system and to report serious or significant cyber incidents to the responsible national authorities, which can then take necessary action. NIS 1 only provided general specifications for the security measures and the reporting of incidents.

  • The new Security Directive provides for stricter sanctions for Member States, which can amount to up to 20 million euros or four percent of global revenue if the affected companies and organizations do not implement the necessary security measures or do not report serious or significant cyber incidents to the relevant national authorities. NIS 1 left the definition of the sanctions to the Member States, which led to inconsistent application.

  • NIS 2 underlines the personal accountability of management for cybersecurity and stipulates, for the first time, that chief executives are liable with their personal assets if they fail to comply with legal regulations.

Target group of NIS 2

Who does this affect?

October 17, 2024 – this is the deadline for all 27 EU Member States to have seamlessly incorporated the NIS 2 cybersecurity regulations into their national laws. But the pressing question remains: Which companies are required to implement the NIS 2 Directive?

Essential entities: These are organizations that are active in the field of critical infrastructures. This includes, for example, energy, transport, water management, healthcare, or banks.

Important entities: This category includes leading companies in the food and chemical industry, as well as those responsible for manufacturing electrical equipment, machinery, and vehicles.

In addition, the Member States themselves have the option of extending the scope of the target groups affected by NIS 2. They can include additional entities in their national lists, thereby requiring local authorities, educational entities, and more to implement the directives.

Reminder about NIS 2

What penalties are there?

The NIS 2 Directive is strictly enforced, including high fines for failure to fulfill or comply with the reporting obligations. The extent of the penalties imposed depends on the classification of the individual companies.

Companies that are classified as “important” must pay fines of between 7 million euros or a maximum of 1.4% of their total global annual revenue in the previous fiscal year. While “essential companies” risk fines of up to 10 million euros or a maximum of 2% of their total global annual revenue.

When it comes to cybersecurity, due diligence is non-negotiable and the executive management has a duty to oversee the implementation and monitoring of these cybersecurity measures.

What does this actually mean for you?

The NIS 2 Directive is an EU directive that came into force on January 16, 2023 and is intended to improve the cybersecurity and resilience of critical infrastructures and digital service providers. The Directive requires the affected companies and organizations to maintain an effective risk management system and to report serious or significant cyber incidents to the responsible national authorities, which can then take necessary action. In order to minimize the potential harm to users, the environment, and public order, the aim is to identify security vulnerabilities at an early stage and to take preventive action against them. To ensure that all parties involved comply with the same high standards, the companies are also responsible for ensuring the security of the entire supply chain and passing on the requirements to their business partners and suppliers. Other measures include:

  • The implementation of appropriate and proportionate security measures that conform to current standards and best practices to ensure the confidentiality, integrity, availability, and authenticity of their data and services.

  • Creating and updating a business continuity plan that allows normal operating conditions to be restored following a cyber incident.

  • To prevent unauthorized access, multi-factor authentication must be implemented for access to their networks and information systems.

The European Union Agency for Cybersecurity (ENISA) will play a crucial role in monitoring and supporting the application of this legislation.

NIS 2 – manufacturer obligations
IEC 62443 – the success factor for holistic security concepts
Protection against cyberattacks and compliance with legal requirements
Can components and systems certified in accordance with IEC 62443 provide comprehensive protection against cyberattacks and at the same time meet the new EU legal requirements, such as NIS 2, the Cyber Resilience Act (CRA), and the new Machinery Regulation? Find out everything you need to know about the new legal directive, the implementation of cybersecurity in automation, and the significance of IEC 62443 in our white paper.
Download the white paper now
Networked world with security lock

NIS 2 schedule

The NIS 2 Directive came into force on January 16, 2023, and must be incorporated into national law by October 17, 2024. The implementation of the Directive will be reviewed by the Commission for the first time by October 17, 2027 and will be monitored every 36 months in the future.

It is time to take action and prepare.

NIS 2 timeline

NIS 2 already came into force on January 16, 2023

360° security cycle

Our comprehensive 360° security concept

360° security – our comprehensive range without compromises

In the dynamic world of cybersecurity, change is constant and the introduction of the NIS 2 Directive underlines this fact. As we wait for the adoption of the Directive into national law to take full effect, there is no denying the urgency to take action.

In order to meet the strict requirements of NIS 2, we must base our fundamental approach on European and international standards. These standards not only define secure products, but also define the principles for implementing resilient security systems. An excellent example is IEC 62443, a globally recognized series of standards for security in automation. Our comprehensive 360° security concept includes both technical and organizational measures that are backed by corresponding IEC 62443 certifications.