Since its adoption, the EU Directive NIS 2 (Network and Information Security Directive 2) has been a central element of the European cyber security strategy. It aims to strengthen the resilience and protection of critical infrastructures (KRITIS) in Europe. As of January 2025, many companies and organizations still need to adapt their IT security standards further. But what is the current status? And what does NIS 2 actually mean for companies?
Reminder: What is NIS 2?
The NIS 2 Directive is the revised version of the original NIS Directive (2016/1148), which was introduced as the first Europe-wide regulation on cybersecurity. The aim at the time was to create uniform security requirements across the EU. With NIS 2, the EU is now going one step further:
- Extended scope of application: NIS 2 covers more sectors than the original NIS. In addition to energy, transport and health, supply chains, digital services and IT service providers are now also affected.
- Higher standards: Organizations must implement stricter technical and organizational measures for cyber security.
- Stricter reporting obligations: Security incidents must be reported more quickly and in greater detail.
- Sanctions: NIS 2 provides for severe fines for violations, similar to the GDPR.
To whom does the NIS 2 Directive apply?
Whether NIS 2 applies to an organization is determined on the basis of several criteria. The directive covers both large and medium-sized companies and organizations in critical sectors such as energy, transport, banking, healthcare, public administration and digital service providers. In addition to the sector, criteria such as company size and systemic relevance also play a role. Detailed information on the companies concerned can be found under this link at openkritis.de.
By when do I have to have implemented NIS 2?
That is difficult to say. The NIS 2 Directive was originally due to be transposed into national law by the EU member states by October 17, 2024. As of today, January 9, 2025, this has not happened in Germany. The NIS 2 Implementation Act (NIS2UmSuCG) was originally scheduled to come into force in March 2025, but this is not realistically expected before summer 2025 due to the upcoming elections and the subsequent formation of a new government.
However, it is important to note: despite the delay, companies are advised to engage with the upcoming requirements now and prepare for them, as the law will affect not only operators of critical systems (KRITIS) but also large parts of the German economy. There is no transitional period for the NIS 2 Directive. As soon as the national implementation act comes into force, the obligations of NIS 2 will apply directly to the companies concerned.
Conclusion
At first glance, the NIS 2 Directive may seem like just another bureaucratic hurdle, but it makes perfect sense. It helps us all to be better prepared for growing threats and to put our IT systems on a stable footing. Of course, implementation does not happen by itself and there is a lot to do – from technical measures to organizational adjustments. But in the end, we all benefit from it.
You can find more information on this topic at this link.
If you have any questions on this topic, please feel free to contact us. You can reach us by phone, by e-mail or via our contact form.