
Get to know NIS2: All about the new guidelines to improve EU cybersecurity

It’s coming. And it’s coming sooner rather than later. We’re talking about the NIS2 Directive, which will be implemented into national law in all EU member states in 2024 in response to the ever-increasing number of cyberattacks. The new directive aims to significantly increase the level of IT security. For companies, this means new requirements for cyber risk management. Here we explain what these requirements are, how they will affect organizations, and why some companies may not see much change at all. Let’s dive in.

What’s the big deal?

Every year, data security incidents cause massive economic damage. Microsoft’s latest Digital Defense Report¹ predicts that cybercrime alone will cost the world $10.5 trillion by 2025. And the PwC 2024 Global Digital Trust Insights² survey found that the proportion of organizations that have experienced a data breach costing more than $1 million has increased significantly over the past year, from 27% to 36%. This is in part due to the fact that networks have become more vulnerable in recent years as a result of increased digitalization and trends such as working from home or remotely. At the same time, attackers are using more complex and dangerous methods, like AI-powered malicious code.

The NIS2 Directive can be seen as a response to this alarming trend. It’s an EU-wide minimum standard for network and information systems, designed to provide consistent protection and strengthen international cooperation in the fight against cyberthreats. The most comprehensive European cybersecurity directive to date, it must be transposed into national law by member states by October 17, 2024, and will affect thousands of organizations in 18 pre-defined sectors.

Is my organization affected?

The most important thing first: Each company must check for itself whether it falls under the NIS2 Directive and, if so, register with the relevant authority. In Germany, for example, this is the BSI (Bundesamt für Sicherheit in der Informationstechnik). The NIS2 guidelines may affect you if your organization belongs to one of the following categories:

Critical infrastructure: Operators of critical systems are in any case required to comply with the new directive.
18 sectors: Companies that are part of one of the following 18 sectors, employ at least 50 people and have an annual turnover of at least 10 million euros must also comply.

• Energy
• Transportation
• Banking
• Financial market infrastructure
• Healthcare
• Drinking water
• Wastewater
• Digital infrastructure
• IT providers
• Public administration
• Aerospace
• Postal and delivery services
• Waste management
• Chemical
• Food industry
• Manufacturing
• Digital providers
• Research

In addition, the NIS2 Directive distinguishes between “Essential Entities” and “Important Entities”, and also takes company size into account. This classification determines the level of sanctions and the degree of oversight by the authorities.

What do the NIS2 guidelines mean for my organization?

Specific minimum cybersecurity requirements are set out in Article 21 of the NIS2 Directive. Under it, companies are required to carry out risk assessments and adopt security strategies, including regular monitoring of their IT systems, effective backup management, incident management, encrypted connections, access controls and identity management.

This leads to the following to-dos for your organization:

1. Assess the IT infrastructure and processes
2. Implement defenses against cyberattacks
3. Develop an incident response plan

How can I best prepare my organization for the NIS2 Directive?

Let’s start with the good news: If you already have common security best practices in place, you can check off many of the requirements listed above. However, the transition to a NIS2-compliant IT landscape can have far-reaching consequences, especially for organizations that are still working with legacy solutions. For this reason, organizations should not wait until national legislation is enacted, but should set the right course now. After all, they will benefit from strong IT security whether NIS2 is in force or not.

In particular, the implementation of a SOC (Security Operations Center) can help meet the requirements of the NIS2 Directive by providing comprehensive protection against digital threats. As a long-standing Microsoft Partner for Security, we offer Managed Detection and Response services for rapid incident response to minimize the impact of any potential breaches. Our SOC experts monitor IT environments around the clock to ensure critical data is protected. Of course, the benefits of a SOC will always depend on a company’s individual needs. Our experienced IT consultants will be happy to advise you on the right solution for your business – and find the right way to make your IT environment NIS2 ready.

Just get in touch with us: https://www.water-security.de/contact/

Sources

1. https://www.microsoft.com/en-us/security/security-insider/microsoft-digital-defense-report-2023

2. https://www.pwc.com/us/en/services/consulting/cybersecurity-risk-regulatory/library/global-digital-trust-insights.html
