Who is affected? The extended scope of NIS2

Everyone knows, or should know: The Internet is by no means a harmless playing field. In many areas, it has become a real battleground on which cyber criminals attack states, companies and organizations. Their aim: data theft, influencing democratic processes and cyber extortion.

This is the backdrop to our story on why legal regulation of cyber security is needed.

In Europe, we responded back in 2016 with the NIS Directive – a first cautious step to protect the digital Achilles’ heel of our networked society.

The original NIS Directive aimed to secure the network and information systems of critical infrastructure operators and providers of essential services. But cyber threats are evolving rapidly, and what seemed sufficient yesterday has largely proved ineffective or at least inadequate.

Enter NIS2: A tightening, an expansion, a necessary evolution!

The new NIS2 Directive extends the scope, tightens security and reporting obligations and aims to increase Europe’s resilience to cyber attacks. From energy suppliers to digital platforms and public administrations – almost no organization is exempt.

The transformation from NIS to NIS2 is therefore not just a change of form, but is intended to be a decisive step in the expansion of our digital fortress.

Anyone who does not transform their organization now and establish cyber security in their organization

Prevention, robust protection of IT infrastructures and fast response times make a decisive difference between security and chaos.

The current status of the NIS Directive: key objectives and challenges

The NIS Directive, Europe’s first comprehensive attempt to create a uniform level of network and information security, pursued the clear goal of strengthening the resilience of critical infrastructures against cyber attacks. Its main components included the establishment of national cybersecurity requirements, the creation of cooperation groups at EU level and the introduction of stricter reporting obligations for security incidents.

Challenges in implementation and the goal of harmonization

Despite the ambitious goals, the implementation of the directive faced significant challenges. One of the points of criticism was the inconsistent application of the directive across different member states, which led to a fragmentation of the cybersecurity landscape in the EU. This lack of uniformity weakened the effectiveness of the directive, as not all member states introduced the same strict standards.

Another weakness was the limited scope of the NIS Directive, which was mainly restricted to operators of critical infrastructure and providers of essential services. Many companies offering increasingly digitized services did not fall under these categories, meaning that large parts of the European economy remained unprotected.


In addition, the reporting obligations proved to be inadequate, as many incidents were either reported too late or not at all, partly for fear of reputational damage or legal consequences. These delays in communication prevented an effective and timely response to security threats.

The NIS Directive was an important first step, but global crises and conflicts show that the dynamic evolution of cybersecurity threats in Europe requires a continuous and adapted response.

Cyber threats are evolving as rapidly as the technology itself, which makes it urgently necessary to strengthen these regulations. This is where the NIS2 Directive comes in, with the aim of closing the gaps that have been discovered and creating a more robust security network across Europe.

NIS2: Stronger security, greater range – details at a glance

Main objectives of NIS2

The NIS2 Directive aims to create a high common level of cybersecurity across the European Union. The main objectives of the revised directive are:

  1. Strengthening the security and resilience of network and information systems that are crucial for the functioning of the economy and society.
  2. Extending the scope to include more sectors and companies that are considered important for the EU’s infrastructure and economy.
  3. Improving cooperation between Member States in order to strengthen the ability to respond to incidents and crises.
  4. Harmonizing security requirements and reporting procedures to ensure that the same minimum standards apply throughout the EU.

Scope of application of NIS2

NIS2 significantly extends the range of sectors and companies affected compared to the original NIS Directive. The most important sectors now covered by the directive include:

  • Energy: electricity, oil, gas
  • Transportation: air, rail, water, road
  • Banking and financial market infrastructures
  • Healthcare: hospitals and medical facilities
  • Drinking water supply and wastewater disposal
  • Digital infrastructure: data centers, cloud services, trust services
  • Public administration and digital services
  • Aerospace, defense industry, and manufacturing sector (especially manufacturers of critical products)

In addition, important digital platforms such as social networks, online marketplaces and search engines are now also included.

Extended reporting obligations and new security requirements

The NIS2 Directive significantly tightens the reporting obligations:

  1. Shorter reporting deadlines: Organizations must now report security incidents more quickly, often within 24 hours of discovering the incident.
  2. More detailed reporting: Reports must be more comprehensive and contain detailed information about the nature of the incident, the data involved and the potential impact.
  3. Regular reviews and reports: Companies must conduct regular reviews of their security systems and produce reports on their cybersecurity policies and practices.

The new security requirements include:

  • Risk management: Introduction and maintenance of risk management practices that include both technical and organizational measures.
  • Security audits and tests: Regular security audits and tests carried out by internal or external experts.
  • Incident response management: Establishing and maintaining effective incident response plans in order to be able to react quickly to security incidents.

These extended requirements and reporting obligations are intended to create a more robust security landscape across the EU and thus strengthen digital and economic resilience.

Importance and benefits of NIS2: A legally binding framework for a cyber shield

1. Strengthening IT security through NIS2

The NIS2 Directive is a key instrument for strengthening IT security in the European Union. By setting stricter security standards and introducing comprehensive reporting requirements, NIS2 helps to increase resilience against cyber attacks. The directive ensures better detection, prevention and response to IT security incidents. By harmonizing security requirements across all member states, NIS2 also creates a consistent security landscape that makes it possible to combat cross-border threats more effectively.

2. Expected benefits for various stakeholders

For companies:

  • Increased cyber security: Stronger security standards and regular audits improve protection against cyber attacks.
  • Building trust: Compliance with NIS2 strengthens customer confidence in the security of company services.
  • Risk minimization: Reduces the risk of financial and reputational damage from data leaks or security breaches.

For public administrations:

  • Critical infrastructure protection: Better security measures protect essential public services.
  • Efficient incident response: Clear guidelines improve the ability to respond to security incidents.
  • Improved cooperation: Facilitates the exchange of information and cooperation between EU states.

For end users:

  • Data protection: Stronger regulations protect personal data better against unauthorized access.
  • Transparency: Extended reporting obligations ensure clear information on data protection practices.
  • Trust in digital services: More secure online environments strengthen trust in digital services.

NIS2 can effectively contribute to strengthening our digital ecosystem by providing a solid foundation for cybersecurity for all stakeholders – from large corporations to small and medium-sized enterprises, public institutions and end users. These comprehensive measures are crucial to securing the European digital infrastructure in an increasingly networked and digitalized world.

Implementation status in Germany: The path to compliance with the NIS2 Directive

Current status of implementation of the NIS2 Directive in Germany

Germany is actively working on the implementation of the NIS2 Directive, but is facing challenges that are causing delays in the process. It was originally planned that the NIS2 Directive would have to be transposed into national law by October 17, 2024. With the draft bill that has now been presented, it is likely that Germany, unlike other EU member states, will be able to meet this deadline.

Current status: Draft bill of the Federal Ministry of the Interior

The Federal Ministry of the Interior and for Home Affairs submitted a draft bill via the Federal CIO Markus Richter on May 7, 2024, which is intended to transpose the NIS2 Directive into German law.

Next Steps

The next steps in the legislative process include consultation with associations and the federal states, followed by submission of the cabinet draft to the Bundestag and Bundesrat. It is expected that this process will be intensive and time-consuming, as the affected stakeholders are to be fully involved.

The implementation process in Germany is an example of how challenging it can be to transpose extensive and complex EU directives into national law. The goal is clear: to strengthen cyber security at national and European level in order to protect our digital infrastructures and our data more effectively.

And now?

Your click, our common path: How your support shapes our digital future…

Stay tuned: my Rock the Prototype format provides you with free, valuable knowledge on crucial tech topics in software development and their social impact.

Please support me by subscribing to my newsletter, podcast & YouTube channel. Of course, I also appreciate your feedback, comments and likes!

As always, my LinkedIn provides you with relevant knowledge and offers a compact overview.

LinkedIn: https://lnkd.in/exv82i4M – Compact information, easy to understand!

Until then, stay safe, creative and above all curious!

Your Sascha Block

About the author:

Sascha Block

I am Sascha Block – an IT architect in Hamburg and the initiator of Rock the Prototype. I want to make prototyping learnable and tangible. Motivated by the desire to turn ideas into prototypes and to share knowledge about software prototyping, software architecture and programming, I created the Rock the Prototype format and open-source initiative.