NIS2 Directive
What is the NIS2 directive?
The NIS2 Directive (Directive (EU) 2022/2555) is a new European Union law intended to raise the level of cyber security across the EU. Its aim is to better protect the IT systems, networks and data of essential and important entities against cyber attacks. NIS2 is the successor to the first NIS Directive of 2016 (Directive (EU) 2016/1148).
EU member states must transpose the NIS2 Directive into national law by 17 October 2024. In Germany, this is done through the NIS2 Implementation and Cybersecurity Strengthening Act (NIS-2-Umsetzungs- und Cybersicherheitsstärkungsgesetz, NIS2UmsuCG). The new rules cover significantly more organisations than before: in addition to large corporations, they also apply to many medium-sized companies in the sectors listed in the directive, for example energy supply, healthcare, digital infrastructure and transport.
What do companies need to do now?
Affected companies must demonstrably manage their cyber security risks. They have to identify risks early, prepare for security incidents, and protect the business processes that depend on their IT systems.
In concrete terms, this means:
- Significant security incidents must be reported to the competent authority in stages: an early warning within 24 hours of becoming aware of the incident, a full incident notification within 72 hours, and a final report within one month
- Risks must be assessed regularly: vulnerabilities in the organisation's own systems and the threats to those systems must be identified and documented
- Critical systems and the business processes that depend on them must be identified
- Companies must operate a functioning business continuity management (BCM) system, including backup management, disaster recovery and a business continuity plan
- Employees, including the management, must be trained regularly
- Supply chain security must be addressed, including the security of relationships with direct suppliers and service providers
Many of these requirements can be implemented using established standards such as IT-Grundschutz (IT baseline protection) from the BSI, the German Federal Office for Information Security.
Why is the NIS2 directive important?
Cyber attacks are becoming more frequent and more damaging, and a successful attack can cause high financial losses. The NIS2 Directive helps companies protect themselves better by making cyber security a legal obligation rather than a voluntary task: the management is responsible for the security measures, and violations can be punished with substantial fines.
Initially, this means more work for companies. However, those who act in good time reduce their risk and strengthen the trust of customers, partners and authorities.