NIS2: Are you wondering if you are affected?

23rd October 2024

What you need to know about the Network and Information Security Directive 2 (NIS2)

Imagine you are the managing director of XYZ GmbH, a company headquartered in Germany that manufactures exhaust pipes for the automotive industry. With 67 employees, you are an important supplier to car manufacturers. Although you do not provide a critical service, your area of activity is listed as an important sector in the new NIS2 directive: according to Annex II of the NIS2 implementation, you are therefore affected by the detailed measures under NIS2, with which you are expected to have to comply from March 2025.

As a European directive, the Network and Information Security Directive 2 (NIS2) is intended to strengthen the security of networks and information systems in Europe by harmonizing security requirements across the EU: not only critical infrastructures but also key economic sectors are now to be protected proactively and reactively in accordance with specific risk management and reporting requirements. As the successor to the Network and Information Security Directive (NIS1), the changes relate in particular to the expansion of the sectors affected: not only critical infrastructures but also around 30,000 companies classified as “important” or “particularly important” under the law have registration, verification and reporting obligations (see BSI 2024). The essential sectors include energy, healthcare and public administration; the important sectors include research institutions, manufacturing and waste management.

What does this mean for your organization?

First of all, you are obliged to determine whether your company will be subject to the requirements of NIS2. It is worth making use of expert support, because a wide range of information is relevant for this impact check:

  • Sector of economic activity of the company
  • Company size
  • Company profit / annual balance sheet total
  • Legal status of the company

The type of company also plays a role: whether your company is autonomous and independent or an affiliated or partner company. The threshold values for company size are more than 50 employees, or turnover of more than 10 million euros and a balance sheet total of more than 10 million euros; two consecutive financial years are taken into account. With regard to the number of employees, note that only full-time employees and temporary workers are counted; trainees and employees on parental leave are not.

What are the consequences of being affected by NIS2 for your company?

Once it has been clarified that you are affected by the requirements of the Network and Information Security Directive 2, you will rightly ask what specific consequences this has for your company and its business processes. Information security according to NIS2 means that a risk management system is in place that is adapted to the specific needs of the company. This also includes ensuring IT security, as cyber threats play a major role in the risk assessment.

According to the Allianz Risk Barometer 2024, cyber incidents are the biggest global business risk at 36%, including IT network and service disruptions, malware and ransomware, data breaches, fines and penalties. The impact of a cyber incident can range from business and supply chain disruptions to loss of reputation and a threat to the company's existence. Although holistic risk management that takes IT, OT and IIoT (Industrial Internet of Things) into account cannot rule out cyber incidents, it can reduce their impact if risks are reviewed regularly: on the one hand, risks can be eliminated or at least reduced during risk analysis; on the other, worse situations can be avoided by initiating an emergency and crisis plan in good time.

NIS2 requires a concrete concept for risk identification, for the evaluation of risk management measures and for the assessment of critical supplier risks, following the all-hazards approach. This all-hazards approach considers not only cyber risks but all forms of risk, whether caused by location, misconduct or technical failure. These risks must be presented transparently so that all relevant stakeholders can be made aware of them.

If a “significant security incident” (as defined by the BSI) occurs, companies must comply with specific reporting deadlines. For the digital sector, there will be an implementing regulation that specifies when an incident is to be classified as “significant”. For other companies, there are guideline values such as the extent of the incident or the amount of damage. The following procedure applies to all affected companies: first, you must register within 3 months with an overarching platform that will probably be affiliated with the BSI. In the event of an attack, an initial report must be made to this reporting office within 24 hours, a confirmation within 72 hours and a final report after one month at the latest.

To be optimally prepared for an emergency, emergency and crisis plans with clearly defined responsibilities must be in place and regularly practiced with everyone involved. Damage can only be minimized in the event of an attack if risk management is regularly reviewed and adjusted and the planned response to an attack is regularly rehearsed.

In the worst case, an attack can lead to a production stoppage for our example company XYZ GmbH and thus to enormous financial losses, and it gets even worse: as XYZ GmbH is an important supplier to the automotive industry, production and operational downtimes have an enormous impact on the entire automotive production chain.

So, what are the benefits of NIS2 for you?

It is therefore also worthwhile for you to know and manage your security risks and thus increase your protection against cyberattacks. If security incidents can be detected at an early stage, the ability to act is preserved and their impact can be minimized. NIS2 places a particular focus on supply chain security and therefore also on the existing business continuity management systems of suppliers.

Established emergency processes are a must-have for critical infrastructures and important economic sectors. To ensure that all key stakeholders know the exact (communication) steps to be taken in an emergency, NIS2 also addresses employee training and education: this includes not only emergency exercises but also specific awareness training, particularly for purchasing (supply chain), IT security and management. As the managing director of XYZ GmbH, you must therefore prove that you have attended NIS2 risk management training (in accordance with Section 38(3) BSIG-E, the German draft law).

As management, you are liable for all company risks, including the growing number of IT risks. Failure to register or to comply with the requirements of NIS2 will result in sanctions and heavy fines. It is therefore worth taking a close look at NIS2 now and making use of the consulting and training services on offer: we offer specific risk management training for managing directors and a comprehensive NIS2 readiness check to establish compliance.

Feel free to contact us for an initial consultation!

Sources:

BSI (2024): Bundesamt für Sicherheit in der Informationstechnik (Federal Office for Information Security, Germany): Umsetzung der NIS-2-Richtlinie für die regulierte Wirtschaft. Erste Informationen für voraussichtlich betroffene Unternehmen. (Implementation of the NIS 2 Directive for the regulated economy. Initial information for companies likely to be affected.)
Online: https://www.bsi.bund.de/DE/Themen/Regulierte-Wirtschaft/NIS-2-regulierte-Unternehmen/nis-2-regulierte-unternehmen_node.html#:~:text=Die%20NIS-2-Richtlinie%20ist%20eine%20neue%20EU-Richtlinie%20zur%20Netzwerk; Access: 26.09.2024

Allianz Commercial (2024): Allianz Risk Barometer 2024, p. 4. Allianz Global Corporate & Specialty SE. Online: https://commercial.allianz.com/content/dam/onemarketing/commercial/commercial/reports/Allianz-Risk-Barometer-2024.pdf; Access: 26.09.2024

BSIG-E (2024): Entwurf eines Gesetzes zur Umsetzung der NIS-2-Richtlinie und zur Regelung wesentlicher Grundzüge des Informationssicherheitsmanagements in der Bundesverwaltung. (Draft law to implement the NIS-2 Directive and to regulate the main features of information security management in the federal administration.) Online: https://www.bmi.bund.de/SharedDocs/gesetzgebungsverfahren/DE/CI1/nis2umsucg.html; Status: 07.05.2024; Access: 23.10.2024