EU Cyber Security Directive puts companies under time pressure

Dusseldorf. In many companies, IT security has not been a top priority so far. That is likely to change in the coming months: a legislative package from the European Union (EU) came into force today that obliges organizations in a wide range of sectors to put in place stringent protection against cyber attacks – and explicitly involves management in that duty.

As sensible as that is, the directive “on measures for a high common level of cyber security” (NIS 2 for short) could pose major problems for the German economy, because the requirements are substantial. Anyone who has not yet dealt with them will find it hard to meet them by autumn 2024.

In addition, the directive applies not only to operators of critical infrastructure but to organizations of all types and sizes. “The crux of the matter: currently 80 percent of companies probably don’t know that they are affected by NIS 2,” says Timo Kob, founder and CEO of the IT security consultancy Hisolutions. He estimates that the regulation could apply to an additional 40,000 German companies.

Which companies should deal with the directive and what tasks they now face: an overview.


Why is the EU taking up the issue?

The EU justifies its initiative by saying that the digital infrastructure has become a central component “of everyday life and for cross-border exchange”. Cyber security is therefore “more important than ever for the smooth functioning of the internal market”. Disturbances could “impair the pursuit of economic activities” and “cause serious damage to the economy and society of the Union”.

A first Europe-wide “Directive on the security of network and information systems” has been in force since 2016. It primarily obliges the operators of critical infrastructure, i.e. organizations and companies that are essential to maintaining vital societal functions and security, to take protective measures against cyber attacks.

In view of the growing threat, the EU passed the new legislative package at the end of 2022. It goes beyond the previous rules – and also beyond the German IT Security Act 2.0.

It is not the only initiative from Brussels: at the same time, the EU is introducing the “Cyber Resilience Act”, which sets requirements for the design of products “with digital elements” such as hardware and software. “The EU wants to make cyber security as effective as possible,” says Dennis-Kenji Kipker, Professor of IT Security Law in Bremen – in view of the global threat situation, that makes sense.

Which companies are affected?

Particularly strict requirements apply to “sectors of high criticality”, as the directive puts it. These include energy suppliers, transport companies such as airlines and rail operators, internet and cloud providers, banks, healthcare providers and space-related organizations, as well as public administration.

Photo (IMAGO/Marc John): lignite power plant. Stricter IT security rules already apply to energy suppliers and automotive suppliers; many other sectors are now being added.

The EU directive also sets requirements for “other critical sectors” – and there are many of them: postal and courier services, waste management, the chemical industry, food production, manufacturers of “data processing equipment”, the automotive industry, and digital services such as online marketplaces and search engines.


Another novelty: the directive covers companies with at least 50 employees and a turnover of ten million euros. “NIS 2 affects everyone, from medium-sized companies to the Dax 40,” emphasized Iris Plöger, who is responsible for digitization at the Federation of German Industries (BDI), at the Handelsblatt Cybersecurity conference in November. In German industry, “a large number of companies” will have to meet the requirements.

However, the exact scope is still open: the member states must specify which entities count as essential or important.

What must companies do?

Probably the central requirement: IT security becomes part of corporate management. Organizations must implement risk management and contingency plans. A system for rapidly reporting incidents to the supervisory authorities will also become mandatory.

Securing the supply chain is a big issue because it is complex. Again and again, criminals and spies penetrate companies’ systems via their suppliers – for example via IT service providers such as Kaseya and SolarWinds. Here, too, companies must develop a protection concept.


In addition, there is a catalog of technical measures that will become mandatory; the directive calls this “cyber hygiene”. It includes, for example, systematic data backups, access control concepts, vulnerability management, the encryption of information and employee training.

What does that mean for management?

Companies are already obliged to protect themselves against the risks of hacker attacks under German stock corporation (AG) and limited liability company (GmbH) law. “The board of directors or management have always had to work with the usual duties of care, including data protection and IT security,” says lawyer Kipker.

With the new directive, however, the pressure to do this systematically increases: in the event of violations, entities “of high criticality” face fines of up to ten million euros or two percent of global turnover, other companies of up to seven million euros or 1.4 percent of turnover.

“The EU is transferring the model from data protection to cyber security,” says Kipker – the General Data Protection Regulation also allows penalties in the millions. The result: “Due to the high fines, companies have to deal with cyber security as an independent topic, not just as an appendage to compliance or data protection.”

What problems does implementation entail?

According to experts, companies that are already subject to IT security regulation should not find it too difficult to implement the NIS 2 directive. This applies to energy suppliers as well as to automotive suppliers, who need the industry-specific TISAX certification under pressure from the major manufacturers.

But: “All the measures that have so far only been mandatory for large companies must now be introduced by many more houses,” says Hisolutions board member Kob. “Although this makes sense in order to improve the level of IT security, it can hardly be managed in this short period of time.”


For a medium-sized company with 500 or 1000 employees, establishing an IT security management system could take a whole year: “Such a process is very tough.”


Kob fears a bottleneck. “Most houses do not have the competence to implement the measures themselves – and there are not enough consultants available.”

The expert considers it unrealistic that thousands of companies will be able to introduce such complex systems by autumn 2024. “21 months is not enough for the implementation of NIS 2, failure is inevitable,” warns Kob.

What is the future schedule?

The EU member states have until October 17, 2024 to transpose the directive into national law. The Federal Ministry of the Interior (BMI) intends to present a draft bill in the first half of this year and to implement the requirements “essentially through changes to the BSI Act”. Changes to the IT Security Act 2.0, which came into force in 2021, are also likely to be necessary.

“I am skeptical whether the federal government will be able to implement the directive by the end of 2024,” says lawyer Kipker. In the coalition agreement, the three-party coalition has committed to many digital projects that need to be tackled at the same time. In addition, regulating IT security is complex – not least because German legislation on the subject already exists.
