NIS2 EU Directive: What's new for companies?

Sarah Kolberg | June 13, 2023

The EU Directive NIS2 came into effect in January 2023. It extends the minimum requirements for network and information security set out in the original NIS Directive. NIS2 must be transposed into the national law of the member states by October 2024. A major change brought by NIS2 is that a much broader range of companies must comply with the EU directive. Find out what NIS2 entails, who it applies to and how macmon NAC can help with its implementation.

What is NIS 2?

NIS stands for Network and Information Security. The NIS Directive was adopted by the European Union in 2016. It contains minimum requirements in network and information security for companies and institutions of the critical infrastructure (CRITIS) of the member states.

In addition to public administration, the following sectors were defined as CRITIS companies under the EU NIS Directive:

  • Health
  • Energy and water supply
  • Transportation and traffic
  • Finance and insurance
  • Food and beverages
  • Information technology and telecommunications

NIS2 is a revised version of the directive and was adopted in January 2023. The aim is to standardize and modernize the European security level.

What is new about NIS2?

Member states must have Computer Security Incident Response Teams (CSIRT) and designate a national network and information system authority.

Other changes of NIS2:

  • Type of requirements and measures
  • Monitoring of implementation
  • Incident reporting obligations
  • Extended sanction regulations for non-compliance

One of the most important changes is the extension of the EU directive to a much larger part of the economy.

Why NIS 2?

NIS2 is intended to harmonize the level of security in Europe. The NIS Directive has been implemented very differently by the member states, so there is still a high degree of heterogeneity in cyber security levels within the EU. 

Some European countries are significantly more vulnerable to cyber attacks. In addition, the increased threat situation requires an overhaul of the legal framework.

Who does NIS2 apply to?

NIS2 applies to companies and institutions of the critical infrastructure. In NIS2, the EU also extends the requirements to "particularly important institutions". These include large companies and medium-sized companies in certain sectors that perform socially critical tasks. A threshold of at least 50 employees and an annual turnover of 10 million has been set.

The newly defined CRITIS include:

  • Banking & finance
  • Chemical industry
  • Digital infrastructure
  • Energy industry
  • Healthcare
  • ICT Service Management
  • Food supply
  • Public Administration
  • Transportation
  • Water treatment and supply

In addition to the sectors already mentioned, the directive also applies to:

  • Waste management
  • Digital services
  • Research
  • Logistics
  • Production
  • Manufacturing industry

Companies in the special public interest:


  • Defense equipment and VS-IT (UBI_1)
  • Value creation (UBI_2)
  • Hazardous substances (UBI_3)

What is the status of NIS2 in Germany?

In Germany, a draft for implementation into national law has been available since April 2023: the NIS2 Implementation Act (NIS2UmsuCG). However, the draft law still has to pass through the federal administration and the legislature.

The NIS2UmsuCG is an amendment to modernize the BSI Act, in particular the CRITIS Regulation. The following aspects of the BSI Act will be revised: risk management measures, incident reporting obligations, registration with the BSI, proof of implementation and information obligations.

Risk management measures have not yet been clearly defined, but areas have been identified:

  • Risk analysis
  • Management of security incidents
  • Maintenance of operations
  • Supply chain security
  • Evaluation of the effectiveness of risk management
  • Training and cyber hygiene
  • Cryptography
  • Personnel, access and assets
  • Multi-factor authentication
  • Secure development and procurement

Why is NIS2 still such a minor topic in the media?

Until now, the strict regulatory security requirements of the NIS Directive have only affected a small proportion of companies. NIS2, on the other hand, is comparable in scale to the General Data Protection Regulation (GDPR), which had an enormous scope and required companies to invest a great deal of time and effort. Although NIS2 is similarly far-reaching, there has so far been little awareness of the directive in the German corporate landscape. One reason for this is that the EU directive must first be transposed into the national law of the member states.

How does macmon NAC help with the implementation of NIS2?

macmon NAC can provide support in many areas of the required risk management measures. As a tool for network access control, it lets you define access rights for personnel and endpoints. Only authenticated endpoints can access the network, ensuring secure communication. The topology view gives you an insight into all network devices and creates awareness of your own environment. All endpoints connected to the network can be identified with the help of reporting, and you can use this insight for risk analysis. Network monitoring makes security-relevant events visible and saves them in the local database for 90 days. Optionally, the events can also be saved for an unlimited retention period with the macmon NAC Past Viewer, so that security incidents can be investigated retrospectively for any period of time.

With the help of macmon NAC Compliance, you can enforce security policies in the network. Clients and endpoints only receive authorizations for the network areas they need. The macmon NAC VLAN Manager enables segmentation of the company network; if necessary, communication between these segments and other parts of the network can be blocked in a controlled manner. This ensures that operations can be maintained even during an attack.

© macmon secure GmbH