The effective date is October 18, 2024: on this day, the new EU Directive NIS-2 (“The Network and Information Security Directive”) officially comes into force. The aim of the Directive is to ensure a higher level of network and information security within the European Union. NIS-2 brings a new challenge for companies, as the Directive extends the scope of its predecessor NIS-1, introduces stricter security requirements and demands detailed reporting obligations. In this way, it is intended to strengthen the resilience of critical infrastructures and digital services and enhance the ability of Member States to respond to and manage cyber threats. “The threat situation in cyberspace has worsened dramatically. With NIS-2, the EU is responding with a comprehensive package of measures that affects companies of all sizes,” explains Tobias Mielke, cybersecurity expert at TÜVIT. For many organizations, this means a considerable amount of additional work, for which they need to be prepared.
NIS-2 primarily affects companies with 50 or more employees and an annual turnover of more than EUR 10 million in 18 defined sectors. The two criteria of company size and company sector are therefore decisive in determining whether the directive applies to an organization or not. However, there are also some further special cases. By checking the extent to which they are affected, companies can first gain an overview of the status quo and plan further measures on this basis. “Companies must now actively familiarize themselves with the requirements of NIS-2 in order to avoid high fines and potential security risks,” says Mielke.
The experts at TÜVIT support companies with various services to successfully meet the new requirements. For example, many of the NIS-2 requirements can be covered by implementing an information security management system (ISMS) in accordance with ISO/IEC 27001. Also, the introduction of a business continuity management system can help to meet the requirements.
In principle, the transposition into national law provides for transitional periods. However, there is already an urgent need for companies to take action in order to successfully meet the requirements and ensure the security of their IT systems.
TÜVIT has summarized the most important information about the new NIS-2 Directive on the following page: https://www.tuvit-consulting.de/en/nis-2/