NIS 2 Directive (EU) 2022/2555 ‘Network and Information Security’

NIS2: A comprehensive guide for businesses and the role of ISO 27001 in compliance

In an increasingly digitalized world in which companies and public institutions rely heavily on information and communication technologies, the issue of cyber security is becoming ever more important. Attacks on critical infrastructures and networks can have devastating consequences that go far beyond economic damage and can also cause social and political instability.

The European Union (EU) has recognized that protecting these critical infrastructures and ensuring security in the digital space must be a top priority. For this reason, the EU adopted the first directive on the security of network and information systems, the so-called NIS Directive (NIS1), in 2016. This directive laid the foundation for a harmonized cybersecurity strategy in the EU member states.

However, with the rapid technological advances and the increase in cyber threats in recent years, it has become clear that the original NIS Directive is no longer sufficient in many areas. The EU has therefore developed a revised version, the NIS2 Directive, which has significantly tightened the security requirements and expanded the scope.

In this article, we will take an in-depth look at the NIS2 directive, examine its background, explain the most important changes and analyze the impact it will have on companies in the EU. We will also examine how NIS2 is embedded in the EU’s overall cybersecurity strategy, the role of ISO 27001 in this context and best practices for implementation.


Background and development of NIS2

The first NIS Directive (NIS1) was introduced in 2016 in response to the growing threats to network and information security in the EU. It aimed to ensure a higher level of cybersecurity in the EU by requiring Member States to develop national strategies, designate cybersecurity authorities and impose certain security requirements on operators of essential services and digital service providers.

Challenges and gaps in NIS1

Although NIS1 was a significant step towards a coordinated approach to cybersecurity in Europe, it soon became apparent that the directive could be improved on several points. One of the biggest challenges was that the definition of “essential services” and “digital service providers” was interpreted differently, which led to inconsistencies in the implementation of the directive in different member states. In addition, the scope of the directive was limited, which meant that many potentially critical areas were not sufficiently covered.

Another problem was that the reporting obligations and security requirements for incidents and threats in NIS1 were often considered too vague and insufficiently detailed. As a result, many incidents were either not reported at all or insufficiently reported, which impaired the ability to respond and cooperation between Member States.

The transition to NIS2

To address these challenges, the NIS2 Directive was developed, which aims to address the weaknesses of the original directive and to meet the constantly evolving threats in the digital world. The EU Commission presented the proposal for NIS2 in December 2020, and after intensive discussions and negotiations, the directive was finally adopted in November 2022.

NIS2 goes significantly further than its predecessor and contains a number of innovations aimed at strengthening the protection of critical infrastructures in the EU and improving cooperation between member states. A key point is the extension of the scope of application to other sectors and companies that were not previously covered by the NIS1 Directive but are nevertheless considered critical to the functioning of society.

Significant changes and innovations in NIS2

The NIS2 Directive introduces a number of significant changes aimed at comprehensively improving the cybersecurity landscape in Europe. The most important changes are explained in detail below.

Extension of the scope of application

While the NIS1 Directive mainly focused on operators of essential services such as the energy, transportation and financial sectors as well as digital service providers, NIS2 significantly expands the scope. Sectors such as public administration, waste management, aerospace, chemical industry and critical supply chains are now also covered by the directive. This expansion reflects the recognition that cybersecurity threats are increasingly cross-sectoral and affect many areas that were previously considered less critical.

Tightening of security requirements

One of the key innovations in NIS2 is the tightening of security requirements for the companies concerned. They must now take more extensive measures to protect their network and information systems against cyber attacks. This includes the introduction of robust risk management, which includes not only technical but also organizational measures. Companies must prove that they have an appropriate security architecture in place that can cope with the current threats.

Reporting obligations in the event of security incidents

One of the biggest weaknesses of the NIS1 directive was the lack of clarity in the reporting obligations for security incidents. NIS2 goes one step further here and introduces stricter reporting obligations. Companies must now report incidents to the competent authorities within a significantly shorter period of time (usually 24 hours). This is intended to ensure that incidents are detected and reported more quickly to enable a rapid response and damage limitation.

Introduction of stricter supervision and enforcement mechanisms

NIS2 also strengthens the supervision and enforcement of security requirements. National supervisory authorities will be given extended powers to ensure that companies comply with the directive. This includes regular inspections, audits and the ability to impose severe fines for non-compliance. The aim is to encourage companies to take cyber security seriously and invest the appropriate resources.

Strengthening cooperation between EU Member States

Another important aspect of NIS2 is increased cooperation and coordination between Member States. The directive calls for the establishment of a network of national coordination centers that will work closely together to share information and coordinate joint responses to cross-border cyber incidents. This should help to increase the EU’s resilience to large-scale cyberattacks.

Impact of NIS2 on companies

With the introduction of NIS2, companies in the EU are facing a number of new challenges. The directive has far-reaching implications, especially for those who were not previously covered by the NIS1 directive.

Who is affected?

The extended scope of NIS2 means that a larger number of companies and sectors are subject to the new cybersecurity requirements. This includes both large companies and small and medium-sized enterprises (SMEs) operating in sectors classified as critical. Companies that were not previously considered operators of essential services must now adapt to the new requirements.

Compliance requirements and their implementation

Companies affected by NIS2 must meet a large number of compliance requirements. This includes the introduction of a comprehensive risk management system that includes both technical and organizational measures. Companies must regularly review their cyber security measures and adapt them to the changing threat situation. This requires not only technical expertise, but also close cooperation between IT departments and management.

Risks and challenges in the implementation of NIS2

The implementation of NIS2 can be a considerable challenge for many companies. For SMEs in particular, meeting the strict requirements can involve considerable costs and human resources. In addition, there is a risk that companies that do not meet the requirements will be subject to severe fines. A further risk is that companies that do not prepare sufficiently for the new requirements could fall victim to cyberattacks, which could lead to significant financial losses and reputational damage.

Potential costs and necessary investments

In many cases, meeting NIS2 requirements will require significant investment in IT infrastructure and security architecture. Companies may need to invest in new technologies to secure their networks and hire additional staff to implement and monitor cyber security measures. However, these investments are necessary to meet the increasing demands and ensure the security of their own systems.


The role of NIS2 in the EU cybersecurity strategy

NIS2 is a central building block in the European Union’s comprehensive cybersecurity strategy. The EU has taken a number of initiatives in recent years to strengthen cybersecurity across the continent and NIS2 plays a crucial role in this context.

Integration into the EU’s overarching cybersecurity strategy

NIS2 is part of a broader strategy aimed at increasing the EU’s resilience to cyber threats. The directive complements other initiatives, such as the EU Cybersecurity Act, which provides for the establishment of a uniform framework for the certification of cybersecurity products and services. Together, these measures should ensure that Europe is better prepared for the growing threats in the digital space.

Comparison with other EU initiatives

While the EU Cybersecurity Act focuses more on standardization and certification, the focus of NIS2 is on increasing security requirements and improving cooperation between member states. However, both approaches are complementary and contribute to creating a uniform and robust cybersecurity landscape in Europe.

Importance for the digital single market

A key objective of NIS2 is to strengthen trust in the EU’s digital single market. The harmonization of cybersecurity requirements is intended to ensure that companies across the EU have a level playing field and that citizens have confidence in the security of the digital services they use.

Best practices for the implementation of NIS2

The implementation of the NIS2 directive requires careful planning and preparation. Some best practices are presented below that can support companies in meeting the new requirements.

Step-by-step guide to implementation

  • Risk assessment: The first step in implementing NIS2 is a comprehensive risk assessment. Companies should check their network and information systems for vulnerabilities and analyze the potential impact of a cyberattack.
  • Creation of a security plan: Based on the risk assessment, companies should create a detailed security plan that includes technical and organizational risk mitigation measures. This plan should be regularly reviewed and updated.
  • Employee training: Employee training is a crucial factor in the successful implementation of NIS2. All employees should be informed about the new requirements and know how to react in the event of a cyberattack.
  • Collaboration with external experts: In many cases, it can be useful to bring in external cybersecurity experts to assist with the implementation of NIS2 requirements. These experts can provide valuable insights and practical support.

Recommendations for companies

  • Early preparation: Companies should not wait until the NIS2 requirements are required by law, but should prepare for implementation at an early stage. A proactive approach can help minimize potential risks and facilitate compliance with the directive.
  • Integration into the corporate strategy: Cyber security should not be viewed as an isolated IT issue, but as an integral part of the overall corporate strategy. This requires close cooperation between the IT department and management.
  • Regular review and adaptation: The threat situation in the area of cyber security is constantly changing. Companies should therefore regularly review and adapt their security measures to meet current requirements.

Examples from practice

Some companies have already successfully taken measures to meet the requirements of NIS2. These examples show that early and comprehensive planning is the key to success. Companies that have already invested in cyber security measures in the past will generally find it easier to meet the new requirements.


ISO 27001 and NIS2: A comparison and the role of the framework in compliance

The ISO/IEC 27001 framework is an internationally recognized standard for information security management systems (ISMS) and covers many of the requirements of the NIS2 Directive. It provides an excellent basis for achieving NIS2 compliance. However, there are some differences and specific requirements in NIS2 that go beyond ISO 27001. Here is an analysis of how ISO 27001 and NIS2 fit together and which additional measures may be required:

Similarities between ISO 27001 and NIS2

  • Risk management: Both ISO 27001 and NIS2 place great emphasis on risk management. ISO 27001 requires a systematic risk assessment and corresponding measures to minimize risks, which is also a central requirement of NIS2.
  • Security controls: ISO 27001 contains a comprehensive catalog of security controls that include technical and organizational measures similar to those required by NIS2.
  • Incident management: ISO 27001 requires the implementation of processes for handling security incidents, which is also a key requirement in NIS2.
  • Documentation and audits: ISO 27001 requires detailed documentation and regular internal audits to ensure compliance with security standards, which is also in line with NIS2 requirements.

Additional requirements of NIS2

While ISO 27001 provides a strong foundation, there are some specific requirements of NIS2 that may go beyond ISO 27001:

  • Extended scope: NIS2 applies to a broader range of sectors and may include additional specific requirements for critical infrastructure and systems that are not explicitly addressed in ISO 27001.
  • Mandatory reporting deadlines: NIS2 sets strict deadlines for reporting security incidents (usually 24 hours). While ISO 27001 recognizes the need for incident management, the specific reporting requirements in NIS2 are stricter and more explicit.
  • Enhanced collaboration and reporting: NIS2 calls for greater collaboration and information sharing with national authorities and other companies, which is not emphasized to the same extent in ISO 27001.
  • Supervisory and enforcement mechanisms: NIS2 provides for specific oversight and enforcement mechanisms, including the possibility of penalties for non-compliance. These regulatory aspects are not part of ISO 27001, which is considered more of a voluntary standard.

Conclusion

ISO 27001 is a strong foundation for meeting NIS2 requirements, but does not cover all the specific requirements of NIS2. Companies that are already ISO 27001-certified need to review their existing security measures and, if necessary, supplement them to ensure that they are fully NIS2-compliant.

Outlook and future developments

The NIS2 Directive represents an important step in the evolution of the EU’s cybersecurity strategy, but the threat landscape is expected to continue to evolve in the future. The EU will therefore have to continuously work on adapting and developing its directives and strategies.

Possible future changes

It is possible that further adjustments to the NIS2 Directive will be necessary in the coming years in order to respond to new threats and technological developments. This could include, for example, the introduction of even stricter security requirements or the extension of the scope to additional sectors.

Long-term significance of NIS2

In the long term, the NIS2 Directive will help to increase the level of cybersecurity in the EU and strengthen trust in digital services. It is an important step towards a more secure digital future for Europe.

Conclusion

The introduction of NIS2 shows that the EU considers cybersecurity to be one of its top priorities. Companies that take the new requirements seriously and take appropriate measures will not only ensure compliance with the directive, but also strengthen their own resilience to cyber threats.


Where can CosH provide support?

A management consultancy such as CosH can help companies implement the NIS2 Directive in a variety of ways. Here are the main areas where CosH can provide valuable support:

  1. Initial gap analysis and risk assessment:
    CosH can conduct a comprehensive gap analysis to determine the extent to which a company already complies with the requirements of the NIS2 Directive and where gaps still exist. This analysis includes:
    • Assessment of current cyber security measures: Review of existing security measures and their effectiveness in light of NIS2.
    • Risk assessment: Identification of vulnerabilities in network and information systems and assessment of the potential impact of cyber attacks.
    • Report and recommendations: Preparation of a detailed report highlighting the gaps identified and providing clear recommendations for action.
  2. Development of a customized compliance strategy:
    Based on the gap analysis, CosH can develop a customized compliance strategy that meets the company’s specific requirements:
    • Strategy development: Development of a roadmap for the step-by-step fulfillment of the NIS2 requirements.
    • Prioritization: Setting priorities to ensure that critical security gaps are closed first.
    • Resource planning: Support in planning the human and financial resources required to implement the compliance measures.
  3. Implementation of technical and organizational measures:
    CosH can provide direct support in implementing the necessary technical and organizational measures:
    • Technical implementation: Advice and support in the selection and implementation of suitable technical security solutions such as firewalls, intrusion detection systems (IDS), encryption technologies and security monitoring tools.
    • Organizational measures: Development and implementation of security policies and processes, training programs for employees and the establishment of effective incident response management.
    • Incident management: Establishment of a robust process for detecting, reporting and responding to security incidents that meets the specific reporting requirements of the NIS2 Directive.
  4. Training and awareness-raising:
    A key component of NIS2 compliance is employee training and raising awareness of cyber security risks:
    • Training programs: CosH can develop and deliver customized training programs to make employees at all levels of the organization aware of the new requirements.
    • Awareness campaigns: Running campaigns to raise awareness of cyber security risks and of the correct response to threats.
  5. Continuous monitoring and adjustment:
    After the initial implementation of the measures, continuous monitoring and adjustment is crucial:
    • Monitoring and audits: CosH can conduct regular audits and reviews to ensure that the measures implemented are effective and withstand changing threats.
    • Adaptation of the security strategy: Support in adapting security measures to new threats and technological developments to ensure ongoing compliance.
  6. Support in cooperation with authorities:
    CosH can also support communication and cooperation with the competent national authorities:
    • Preparation for audits: Support in preparing for external audits by national supervisory authorities to ensure that all documentation and evidence meet the requirements.
    • Reporting: Support in complying with reporting obligations and preparing reports that meet the requirements of the NIS2 Directive.
  7. Advice on the integration of ISO 27001:
    If the company has already implemented ISO 27001 or is planning to do so, CosH can help integrate this standard with the NIS2 requirements:
    • Integration of standards: Advice on the optimal integration of ISO 27001 requirements into the NIS2 compliance process.
    • Gap analysis: Identification of areas in which ISO 27001 requirements need to be supplemented or extended in order to be fully NIS2-compliant.