The topic of NIS 2 is currently on everyone’s lips. NIS stands for the Network and Information Security Directive. The “2” indicates that this is a revised version of the original EU directive from 2016.
Why does NIS 2 exist?
Due to the increasing number and severity of cyber attacks, the European legislator is pursuing the goal of strengthening the security structure throughout the EU. Based on the revised directive, affected organizations are now required to implement a comprehensive range of protective measures or to improve existing measures.
A special feature of the revised directive is that it names clearly defined areas that must be addressed as part of an organization’s security measures.
These measures must reflect the state of the art and cover the following areas:
1. concepts relating to risk analysis and security in information technology
2. management of security incidents
3. business continuity, such as backup management and disaster recovery, and crisis management
4. security of the supply chain, including security-related aspects of relationships between individual entities and their direct vendors or service providers
5. security measures in the acquisition, development and maintenance of information technology systems, components and processes, including vulnerability management and disclosure
6. concepts and procedures for assessing the effectiveness of risk management measures in the area of information technology security
7. basic cyber hygiene procedures and information technology security training
8. concepts and procedures for the use of cryptography and encryption
9. personnel security, access control and asset management concepts
10. use of multi-factor authentication or continuous authentication solutions, secure voice, video and text communications and, where appropriate, secure emergency communications systems within the facility
Operators of critical systems are subject to even stricter regulations regarding the implementation of attack detection systems. In addition, they will in future be obliged to provide evidence of compliance every three years!
Stricter reporting obligations
Compared to the existing regulations under the GDPR, companies that fall under NIS 2 are subject to even stricter reporting obligations. For example, the notification period in the event of a significant security incident is now 24 hours.
More responsibility for decision-makers
Section 38 of the Directive explicitly assigns responsibility for implementing and monitoring the necessary measures to the management. Paragraph two also stipulates that a blanket waiver of claims for compensation arising from breaches of this obligation is ineffective.

Who is affected?
The Directive distinguishes between important, particularly important and critical facilities. Important facilities include companies that employ 50 – 249 employees, or that have a turnover of more than EUR 10 million and a balance sheet total of more than EUR 10 million.
To count as an important facility, the company must also belong to one of the following sectors:
Energy
Transportation
Banks and financial market infrastructures
Healthcare
Drinking water and wastewater
Digital infrastructure (ICT, online platforms, cloud computing)
Post and courier services
Chemicals
Research and development
Manufacturing industry
Waste disposal
Each company is obliged to independently determine whether it falls under these regulations and subsequently register with the BSI. The relevant registration page will be made available by the authority in good time.
How can you determine the extent to which you are affected?
The BSI provides an online query for this purpose. This can be accessed via the following link:
BSI – NIS-2 impact assessment (bund.de)
An overview of the sectors required for the online query and the types of companies included can be found in this link:
KS-RA-07-015-DE.PDF (europa.eu)
The number of companies affected by NIS 2 is extensive. As a striking example of important facilities from the “manufacturing industry” sector, the following companies with more than 50 employees are also covered by the directive.
NIS 2, Annex 2, point 5.4: “Mechanical engineering”, see Section C, Div. 28 NACE:
28.14: Manufacture of plumbing fittings, etc.
28.15 and others: Manufacture of ball and roller bearings and parts thereof
How do we support you?
The NIS 2 Directive has a significant impact on the areas of D&O insurance and cyber insurance.
We support you in implementing cyber insurance solutions as part of your holistic IT security strategy, helping you to reduce your liability and compliance risk.
As part of D&O insurance, we will be happy to advise you on solutions to cover the financial risk of management errors that may occur in the course of implementing NIS 2.
Feel free to contact us!