29 February 2024
The Bundesamt für Sicherheit in der Informationstechnik (BSI), Germany’s federal IT security agency, has warned that the threat posed by hacker attacks has never been as severe as it is now. The EU aims to use NIS2 to make key companies and institutions more resilient against cyberattacks. The EU member states have until 17 October 2024 to transpose the new directive into national law. Cybersecurity expert Jacques Kruse Brandao from TÜVIT explains which companies will have to satisfy which security requirements in the future.
#explore: Mr Kruse Brandao, what is NIS2?
Jacques Kruse Brandao: NIS stands for “Network Information Security”, which basically relates to every communication that happens in a company, the hardware and software it uses and the data it shares. NIS2 replaces the previous NIS directive, ramps up corporate cybersecurity requirements and also applies to a lot more companies. While the previous directive focused mainly on critical infrastructure such as utilities and the financial sector, the new one now also includes postal and courier services, vehicle and machine manufacturers, the food sector and digital services, for example. In other words, it also covers online marketplaces, search engines, social media platforms and the data centres behind these companies, disruptions to which would massively impact all of us. NIS2 applies to companies with a workforce greater than 50 and a turnover of at least ten million euros from 18 sectors and fields defined in the directive. Parts of digital infrastructure and public administration are included regardless of their size.
How many companies do you expect to be affected by NIS2?
The estimated number of companies covered by NIS2 in Germany is 29,000; in Europe as a whole it’s 400,000. But the directive is going to affect a whole lot more companies at the end of the day. This is because the directly affected companies will also have to scrutinise the cybersecurity of their supply chains. Carmakers will in the future be able to oblige their small and medium-sized suppliers to implement commensurate cybersecurity measures so that they themselves don’t fall foul of EU regulations.
Jacques Kruse Brandao is the Global Head of Advocacy at TÜVIT. The graduate engineer has been working in the field of identification methods and cybersecurity for 20 years and often operates as a “translator” between the technical and regulatory sides of IT security.
What other requirements does NIS2 impose?
Companies will have to train their workforce in all matters of cybersecurity, running programmes, for instance, to raise their alertness levels when it comes to the danger of phishing emails. Not only that, but company directors are also to be held personally liable in the event of breaches of the requirements. So, these directors are now going to be responsible for the implementation of security measures and will no longer be able to delegate them to third parties. The basic point is that cybersecurity management is going to become mandatory for the companies concerned. They will have to start by performing a risk analysis for the equipment and software they use, clarify who has access to the internal systems and what the associated risks are, and implement suitable security measures into the bargain. It will then be a question of creating structures for a possible cyberattack: Who will take responsibility for ensuring that certain IT systems are taken offline? Who will inform the authorities, business partners and customers? This matters because NIS2 will also usher in strict reporting obligations. The supervisory authorities will have to be informed of any incident within 24 hours and told about the countermeasures adopted within 72. In the event of breaches of these or other requirements, companies will face severe penalties of up to ten million euros or up to two percent of their global annual turnover. In other words, it’s a matter of life or death for companies to implement these requirements in full, so that they avoid hefty fines and minimise the consequences of cyberattacks; this will then ensure that their production and business operations can continue largely unimpaired after an attack of this kind.
According to the NIS2, affected companies must also consider the cybersecurity of their supply chains.
How can and should companies prepare for NIS2?
The transposition of NIS2 into national law in October is going to be cushioned by the introduction of transition periods, which may vary from member state to member state. But the affected businesses shouldn’t just sit back and wait for the end of these periods. This is because the reporting deadlines for cyber incidents will come into effect just twelve months after implementation, and some member states, the Czech Republic for instance, also want to make further obligations mandatory after this period. Firms which operate branches in these countries or have a supplier relationship with local companies will then also fall within the remit of NIS2. The basic point is that companies aren’t going to be told by the supervisory authorities but will have to decide for themselves whether they are subject to NIS2. Once the deadline in question has passed, they will have to register with the competent national authority, report incidents and observe the necessary requirements. And many companies still have gaps in their cybersecurity. Which is why businesses affected by NIS2 should get going now with the implementation of the required measures, calling on the services of third parties for support if necessary.
Deadlines and requirements: Companies should proactively prepare for the NIS2 requirements in good time and seek external support if necessary. (Image: © Adobe Stock)