NIS2

Interesting facts about EU-wide cyber security.

NIS-2 - everything you need to know about EU-wide cyber security

If companies and institutions that are relevant to the functioning of economic and social systems fall victim to cybercrime, this can quickly have far-reaching consequences - both at national and international level. The EU-wide NIS 2 Directive aims to ensure a high common level of security of network and information systems in the European Union. NIS 2 came into force in January 2023 and replaces the 2016 NIS Directive, which was established as the first EU-wide cyber security legislation.

What does this mean for companies when NIS-2 is transposed into national law on 17 October 2024 and must be implemented?

There will be many changes for companies. The most important ones include the following:

The scope has been extended: NIS-2 now covers additional sectors and organisations. It defines clearly delimited critical sectors that bear increased responsibility for the security of their networks and information systems, and these sectors must fulfil the new requirements. The draft bill from the Federal Ministry of the Interior suggests that the German legislator will go even further than NIS-2 requires. Some of the regulations are very complex.

The German government plans to issue new thresholds that will apply to both cyber security (NIS-2 and BSIG (BSI Act)) and physical security (EU-RCE). This regulation aims to increase the monetary thresholds for determining company size classes in commercial accounting law. These changes are intended to reduce the bureaucratic burden on companies and cut costs. Raising the thresholds allows many companies to fall into a lower size category and therefore have less stringent obligations. This is an important step towards reducing bureaucracy and supporting small and medium-sized enterprises.

The EU RCE Directive (Regulation on Resilience and Resistance), which deals in particular with the physical security of critical infrastructures, is being implemented in Germany through the so-called KRITIS umbrella law.

NIS-2 stipulates that management bodies (executive board, management, etc.) should be responsible for monitoring the implementation of risk management measures and requires that a breach of this obligation leads to the private liability of the management bodies.

The German government appears to want to implement these requirements particularly strictly. The draft bill stipulates that the management bodies must fulfil their obligations personally. In addition, they are also to be liable to their organisation for fines imposed as a result of their breaches of duty.

This can have fatal consequences, particularly for board members and managing directors of large companies. National penalties, fines and sanctions are to be imposed for violations of the requirements of NIS-2 (Art. 34, 35 and 36):

  • Essential sectors (essential facilities): Penalties up to a maximum of at least EUR 10 million or 2% of global turnover for breaches of Article 21 or 23 (cyber security measures and notifications)
  • Important sectors (important facilities): Fines up to a maximum of at least EUR 7 million or 1.4% of global turnover for breaches of Article 21 or 23

The upper limit for fines is increased from the previous EUR 20 million (Section 14 para. 5 BSIG in conjunction with Section 30 para. 2 sentence 3 OWiG) to up to 2% of the organisation's global annual turnover. As it is envisaged that the organisations may not waive their claims for compensation against the management bodies, the new liability rules for management bodies are potentially life-threatening.

The business areas of companies in the digital world are exposed to an enormous security risk in their networked infrastructures, their dependence on data and software solutions and the constantly new attack vectors. This is particularly true for operators of critical infrastructures. In view of the current geopolitical situation, they are digital targets for potential cyberattacks and are exposed to an increased risk that requires special protection. This is why the mandatory implementation of NIS-2 is important in order to identify relevant companies and oblige them to build up appropriate cyber capacities.

Allocation of sectors in the "KRITIS & NIS 2" comparison

NOTE: According to the draft bill of the Federal Ministry of the Interior for the implementation of the NIS Directive, the regulations in the BSIG on UBI (companies of particular public interest) are to be cancelled. According to the draft, UBIs will be included in the new category of "essential facilities & important facilities".

Affectedness according to company size

In a second step, the size of the company must be taken into account in order to define whether it is an essential or an important organisation. Companies with fewer than 50 employees and an annual turnover of less than 10 million euros are not covered by the NIS 2 Directive.

Special cases

The following companies are affected by NIS-2 regardless of their size (Article 3, paragraph 1, point a / NIS-2):

  • Trust service providers
  • Domain name registries of the top level domain
  • DNS service providers
  • Providers of public electronic communications networks (from medium-sized organisations upwards)
  • Public administration
  • Companies that are considered to be the only provider of a service in an EU Member State that is critical to public life
  • Companies whose disruption has a significant effect on public order, safety or health
  • Companies that are categorised as critical under the EU Resilience Directive
  • Companies that were already classified as critical before 16 January 2023 (Article 3, paragraph 1 / NIS-2)

Providers of public electronic communications networks are an exception - only companies of at least medium size are affected. These are organisations that have between 50 and 250 employees and either an annual turnover of between 10 and 50 million euros or an annual balance sheet of at least 43 million euros.

In practice

A major challenge is that the group of companies affected by NIS-2 has been significantly expanded and includes not only organisations from the so-called critical sectors, but also many medium-sized companies that will be required to take action under the directive, which will be transposed into German law from October 2024.

One of the major obligations for companies under the NIS-2 Directive is risk management. NIS-2 requires that risk management measures are taken to protect critical services. The associated tasks of incorporating regulatory requirements into corporate governance and managing them are new for many of these companies and are therefore extremely challenging.

The acute threat situation and the obligation to implement measures in the context of regulation massively increase the pressure on companies to act. This means major changes, investments and reorganisations, especially for companies that were not previously part of the critical infrastructure.

At its core, the regulatory perspective is always about legal, regulatory or official requirements that are intended to ensure that companies take appropriate measures to guarantee the security and integrity of network and information systems.

This requires comprehensive governance in companies, in which the framework conditions for compliance with regulatory requirements are monitored, measured and documented. Many regulatory requirements relate, among other things, to ensuring and guaranteeing the security, integrity and confidentiality of data that is often stored and processed in IT systems. An IT governance model is a prerequisite for managing these regulatory definitions. It is an essential component for the effective implementation of regulatory definitions in the IT sector and also forms the foundation for strengthening the level of security and cyber resilience in the company organisation.

With an IT governance model, companies define the guidelines, processes and controls required to ensure that IT systems comply with regulatory requirements. For risk assessment, it is important that an IT governance model supports the identification, assessment and management of risks associated with IT systems and processes. This includes the implementation of mechanisms for automated monitoring of systems, the creation of compliance reports and the provision of evidence for supervisory authorities or auditors. This co-operation is important as security breaches can have serious and far-reaching consequences, both legally and financially.

An IT governance model is essentially about

  • Creating guidelines for dealing with company-wide IT infrastructure and processes
  • Monitoring and controlling IT systems and processes
  • Risk management in the IT area
  • Compliance methods, monitoring and reporting
  • Change management and adaptability to changing regulatory conditions

For companies, this means that they need comprehensive IT governance that can also reflect the constantly changing legal and regulatory requirements.

A common and globally recognised reference model is the IT governance framework COBIT (Control Objectives for Information and related Technology), which can serve as a basis for the introduction and optimisation of IT governance. It is published by the IT Governance Institute and the Information Systems Audit and Control Association (ISACA). COBIT is a very comprehensive framework that also contains descriptions of monitoring activities as well as a large number of control objectives and activities for checking compliance.

Materna supports companies in the awareness and categorisation of regulatory definitions in the context of IT governance in companies.

The topics of NIS-2, regulation, governance, risk and compliance are therefore closely linked. In our approach, we consider the interaction of regulatory definitions and the implementation and management of these aspects on the basis of best practices, which therefore have a major influence on risk management and the associated information security. Our experience in this area stems from our many years of involvement in the regulated sector and the security standards that can be achieved as a result. However, these standards are also an ideal blueprint for any corporate IT, as this approach ensures efficiency.

  1. Consultancy, implementation, operation and training
     • Consultancy in the context of regulation with a focus on security and compliance
     • Project-related consulting with analysis and design
     • Operation of highly available and secure infrastructures (measures to maintain information security during operation, including monitoring and success control)
     • Company-wide change communication across all levels
     • Training and workshops, including for sensitising employees
  2. Securing the IT infrastructure
     • Risk analyses and maturity level checks (readiness, awareness)
     • Technical and organisational solutions (Infrastructure as Code, SIEM, SOC)
     • Surveillance solutions and monitoring
     • Company-wide IT service management solution
     • Security and vulnerability management
     • ISMS consulting
     • GDPR/DSGVO-compliant IT infrastructure according to the zero trust principle (analysis, measures, implementation)
     • Cloud security in the context of cloud migrations (analysis, measures and implementation)
     • Complex security architectures (design, implementation & management)

Please feel free to contact us

Robert Stricker
Head of Security Consulting