NIS 2 Directive

What is NIS 2 (Network and Information Security Directive)?

The NIS 2 Directive is an EU directive that aims to ensure a high common level of cybersecurity in the European Union. It replaces the original NIS Directive from 2016 and strengthens the security requirements, addresses the security of supply chains and introduces harmonised penalties. The NIS 2 Directive was adopted by the European Parliament and the Council of the EU at the end of 2022 and has been applicable in the EU since 18.10.2024. Member states must transpose the directive into domestic law.

Who is affected by the NIS 2 Directive?

NIS 2 primarily addresses requirements for companies:

While the NIS 1 Directive mainly applied to critical infrastructures and providers of relevant digital services, the NIS 2 Directive expands the covered sectors to include, among others, the manufacturing sector: engineering, manufacturers of data processing devices, electronic and optical products, electrical equipment, motor vehicles and motor vehicle parts, as well as other vehicle construction. Within these industries, companies with more than 50 employees or an annual turnover or an annual balance sheet total of over 10 million euros are affected.

How do companies achieve NIS 2 compliance?

To achieve NIS 2 compliance, affected organisations must take several measures, including:

  • Risk management: Implementation of processes to identify and assess risks.
  • Security measures: Introduction of technical and organisational measures to reduce risk.
  • Reporting of incidents: Establishment of procedures to report security incidents to the competent authorities.
  • Monitoring and audits: Regular review and assessment of security measures.

How is NIS 2 enforced?

NIS 2 is enforced by national authorities in EU Member States, which are responsible for monitoring and ensuring compliance with the directive. In Germany, the competent authority is the Federal Office for Information Security (BSI).

Enforcement measures:

  1. Reporting obligations: Companies must report security incidents. NIS 2 introduces a three-tier reporting system to improve transparency and responsiveness.
  2. Supervisory measures: The German Federal Office for Information Security (BSI) has extended powers to conduct audits and inspections to verify compliance with security requirements.
  3. Penalties: Failure to comply with the directive may result in penalties, which vary depending on the severity of the infringement.

Support and advice:
The BSI offers affected companies support and advice to facilitate the implementation of NIS 2. Companies should take proactive measures to improve their IT security and prepare for the new requirements. The European Union Agency for Cybersecurity (ENISA) offers a lot of helpful information on cybersecurity.

What is the difference between NIS 2, the Cyber Resilience Act and the Machinery Regulation?

NIS 2, the Cyber Resilience Act and the Machinery Regulation are part of a comprehensive EU regulatory framework to strengthen cybersecurity and resilience. While NIS 2 focuses on the security of networks, information systems and corporate-level requirements, the Cyber Resilience Act aims to improve the cybersecurity of products with digital elements. The Machinery Regulation supplements these measures by specifying security requirements for machinery and industrial products.
