The significance of NIS-2 and NIS2UmsuCG for companies
NIS-2 Check-up for companies
What are NIS-2 and NIS2UmsuCG?
Critical infrastructure in Europe should be better protected. With the NIS-2 Directive, the EU aims to achieve a uniform, high level of cybersecurity and to strengthen the internal market. The successor to the NIS Directive adopted in 2016 is intended not only to better protect companies and critical facilities from cyber-attacks, but also to give them binding rules for detecting, reporting and responding to attacks.
NIS-2 was published in the Official Journal of the EU on December 27, 2022 and entered into force on January 16, 2023; EU member states had until October 17, 2024 to transpose the directive into national law. In Germany, the NIS-2 Implementation Act (NIS2UmsuCG) is currently a draft bill that will require companies and operators of critical facilities to implement the new security standards.
Data leaks, ransomware attacks, system failures: Operators of critical infrastructures in Europe are facing an increasing number of threats. These not only lead to high economic losses for companies and customers, but also threaten social stability.
In order to better meet this challenge, NIS-2 aims to establish a uniform, high level of cyber security at EU level. The EU member states are translating the directive into national law.
With NIS-2, the EU requires all member states to apply the same IT security standards in order to ensure a common level of cybersecurity and stable infrastructures in Europe. The directive obliges member states to enforce certain measures. National legislation must oblige companies to meet higher standards in risk analysis and risk management, incident and crisis management, supply chain security and the use of encryption. NIS-2 not only affects a larger number of companies and organizations than NIS-1, but also strengthens the powers of national authorities such as the German Federal Office for Information Security (BSI).
With the NIS-2 Directive, the EU is strengthening and expanding the 2016 requirements. It now covers more sectors and areas of application, with companies categorized as "particularly important" and "important" facilities (the directive's "essential" and "important" entities). According to current estimates, the number of affected companies in Germany has increased to around 30,000.
National authorities will be given extended powers, for example for on-site inspections and for requesting data and documents. At the same time, cooperation between member states on cybersecurity issues will be strengthened.
By October 2024, NIS-2 was to be transposed into national law in Germany through a corresponding implementation act (NIS2UmsuCG). The first verification checks for companies are expected to take place three years after the act comes into force. Companies that fail to implement the required measures could face fines of up to 10 million euros or 2 percent of their global annual turnover, whichever is higher.
What should companies do now?
The NIS-2 Implementation Act contains various requirements that affected institutions must implement. There is currently no transition period, meaning that the requirements apply as soon as the act enters into force. However, experience has shown that such extensive measures also need a corresponding amount of time for full implementation. It is therefore crucial to be able to present a concrete, documented plan. In addition, the BSI may not demand proof of compliance with the requirements until up to three years after the act enters into force.
Depending on the starting point, it has proven useful to proceed in the following phases: impact analysis, gap analysis against the NIS-2 requirements, creation of an action plan, and implementation.
The impact analysis presents particular challenges for companies with complex structures. Parent companies with several subsidiaries, for example in other European countries, must ensure that each subsidiary complies with the national implementation law of the country in which it is based.
secunet provides support in analyzing the impact and can rely on proven and tested tools.
Following a proven clustering of the requirements, secunet checks each individual requirement, for example in interviews, with the option of having evidence presented. The questionnaire used was compiled by experts in information security consulting with more than 20 years of experience.
If companies from other European countries are audited, the questionnaire is adapted according to national specifics.
Some companies have already implemented a large number of information security measures, while others have only implemented individual measures such as password policies. Depending on the starting point, the gaps to be expected differ considerably.
Based on the information security measures already in place, the gap analysis results in a specific action plan, which secunet structures according to the same clustering of requirements. Progress can then also be tracked on this basis.
During implementation in particular, it is important to continuously monitor progress, identify any further need for action and initiate corrective measures in good time.
Here, secunet provides support with specialist project management that combines technical consulting with the involvement of other security experts and strong organizational skills.
Individual consulting
What needs to be considered with an existing ISMS?
Companies that have implemented an information security management system (ISMS) are generally already well positioned. Nevertheless, we strongly recommend carrying out a gap analysis or integrating this as part of the internal audit. This allows potential gaps to be identified and closed at an early stage.
The following measures should also be considered:
- Management commitment: management must take responsibility for, approve and oversee the measures needed to fulfill all legal requirements.
- Review of the ISMS scope: ensure that the ISMS covers all areas, systems and locations that are subject to the legal requirements.
- Registration: the mandatory registration with the competent authority must be carried out completely and correctly.
- Reporting process: a process for reporting significant security incidents, including adherence to the statutory deadlines, must be established and tested.

Which companies need to act now?
The extended group of affected institutions also includes medium-sized companies. All organizations covered are divided into different categories, including critical facilities, particularly important facilities and important facilities. These can be found in the following sectors, among others:
Energy // Transport // Finance // Healthcare // Drinking water // Wastewater // Waste management // Digital infrastructure // Space // ICT service management // Logistics // Post and courier services // Food industry and trade // Manufacturing // Digital providers // Research
Particularly important facilities
Large companies with 250 or more employees, or with more than 50 million euros annual turnover and more than 43 million euros annual balance sheet total, as well as certain individual companies (regardless of size) from critical sectors.
Important facilities
Medium-sized companies with 50 or more employees, or with more than 10 million euros annual turnover and more than 10 million euros annual balance sheet total, as well as specific large companies.
Operators of critical systems
Critical facilities (KRITIS) that supply 500,000 or more people.
Federal Administration
Federal agencies, corporations, institutions, foundations under public law in accordance with NIS2UmsuCG, as well as federal ministries and the Federal Chancellery.
secunet is ready to answer all your questions about the NIS-2 Directive and the NIS2UmsuCG. Simply send us a request using the contact form. We are happy to help you.