Secure Basis, Secure Future: NIS-2 as an Addition to Strong Safety Standards

By Christoph Kutz

Posted on 25.3.2025

Welcome to the first part of our series on the important EU Directive NIS-2 and its far-reaching consequences in the area of cybersecurity. In this article, we take a detailed look at the basics and broad scope of the NIS 2 Directive. It sets ambitious new standards for companies in Europe to significantly strengthen resilience against cyber threats and thus shape a more secure digital future.

Since January 2023, the European Union's NIS 2 Directive has been setting new standards to strengthen cybersecurity across the EU. The aim is to make companies, especially those in critical infrastructure sectors, robust against cyber threats. For organizations that are already certified in accordance with ISO 27001 or BSI IT-Grundschutz, adapting to NIS-2 is less a fundamental revolution and more an extension of existing structures.

These companies can build on existing security concepts and focus more on specific expansions. The integration of NIS-2 requirements therefore offers the opportunity to efficiently supplement existing management systems.

However, with an estimated 30,000 affected organizations in Germany and 150,000 to 180,000 in Europe, there is considerable uncertainty as to which companies are actually affected. Numerous cases require careful consideration to determine whether they belong to the relevant categories. The NIS 2 Directive aims to increase the cyber resilience of affected companies and to establish a sustainably higher level of IT security.

Implementing the Directive is not a one-off project but an ongoing process that does not only affect the IT department but involves the entire company. Security must be understood as an integral part of the corporate philosophy and requires a rethink at all levels, towards a security mindset that is deeply anchored in the corporate culture.

In Germany, the NIS2 Directive is being implemented by the planned NIS2 Implementation and Cybersecurity Strengthening Act (NIS2UmsuCG). However, national implementation is delayed: entry into force is now planned for March 2025. Due to criticism of the current draft and the rule that all undecided proposals must be resubmitted after new elections, it is unlikely that this deadline will be met. These factors indicate that the law needs to be revised again, so it is currently unclear when it will actually be completed and implemented.

Who is affected by the NIS 2 Directive?

The NIS-2 Directive expands the circle of companies and organizations covered compared to its predecessor, the NIS-1 Directive. It is aimed at essential service providers whose functionality is of crucial importance for society. Whether a company is affected by the Directive depends on several criteria, including sector membership and company size.

Affected by the NIS 2 Directive:

  1. Critical infrastructure (regardless of size). Some sectors are affected regardless of the size of the company. This includes:
    • Public administration
    • Public telecommunications services
    • Internet services (such as Internet service providers)
    • Critical digital infrastructures, such as online search engines and cloud computing services
  2. Sectors with high criticality:
    • Key sectors: energy, water, transportation, healthcare, and financial services. These sectors must comply with particularly strict security standards.
  3. Other critical sectors:
    • This includes digital services such as online marketplaces, food production and distribution, as well as the waste management industry. Cultural institutions are also included, as they are important for social functionality.

Company size and its relevance:

  • Medium-sized companies: with 50 to 249 employees and a turnover of up to 50 million euros. They are affected when they work in critical sectors.
  • Large companies: with 250 or more employees and a turnover of over 50 million euros. These companies are almost always affected, especially when they operate in essential or important sectors.

New sectors since NIS-1:

  • Food production and distribution
  • Waste management
  • Digital services
  • Cultural institutions and public administration

In order to determine whether a company is affected, several criteria should be considered simultaneously. To clarify whether your own organization is affected, it is recommended that you use the impact assessment questionnaire of the Federal Office for Information Security (BSI). It is available at https://betroffenheitspruefung-nis-2.bsi.de/ and provides initial guidance.

Affected institutions will be required to register with the competent authority. Depending on sector affiliation or criticality, there are further obligations, such as reporting or verification requirements.

In the upcoming second part of this series, I will dive deeper into the practical aspects of implementing NIS-2 requirements. I'll highlight the challenges and the strategies that can help you with implementation. Here is the second part: From risk to resilience: Future-proof cybersecurity with NIS-2
