The October 17th 2024 deadline for NIS2 compliance has been and gone. Now, EU member states are working to implement the directive into national law. With the potential to impact over 160,000 companies across the EU and even indirectly extend its reach to UK firms, NIS2 demands a comprehensive overhaul of existing cybersecurity practices.
We spoke with Dr. Frank Schemmel, DataGuard’s Senior Director for Privacy, Compliance & Public Affairs, to get the latest update on NIS2. How is the directive progressing, and what impact will it have? Are organisations ready, or will many scramble at the last minute to comply?
Dr. Schemmel, could you provide a quick overview of the NIS2 Directive and its significance for businesses operating within the European Union?
The Network and Information Security Directive 2, or NIS2, introduces stricter legal requirements for cybersecurity across Europe. Its primary goal is to enhance the cyber resilience of businesses in 18 relevant sectors.
The directive aims to establish a managed security posture, ensure adequate levels of security maturity, address the security of supply chains, and streamline reporting obligations. The overall aim is to achieve deep-rooted cybersecurity resilience throughout Europe.
To put this into perspective, approximately 160,000 organisations will be affected across Europe. The number is even higher when considering the indirect impact on suppliers and other connected businesses, highlighting the directive's broad reach.
Which industries are the most affected by this directive?
With NIS2, cyber security is finally becoming a top priority in organisations. Whether I am the CEO of a critical infrastructure company, a large international corporation, or just the managing director of a medium-sized supplier in the automotive industry, new cyber security requirements apply to me.
The chemical industry, in particular, and therefore the entire manufacturing sector in Germany, must also adapt to higher standards of cyber security, as must the mechanical engineering industry. Both are the backbone of the German economy, and both usually lag behind in terms of cyber resilience.
The same applies to the health industry – every week we hear about cyberattacks that cripple hospitals. During the pandemic, some cynics claimed that data protection kills, but I would say that low cyber resilience does.
The directive's focus on supply chain security means that even companies below certain thresholds—like having fewer than 250 employees—may be affected if they are part of the supply chain for critical sectors. Compliance requirements will cascade down the entire industry value chain, directly and indirectly impacting businesses.
NIS2 is an EU directive, but will it also affect UK businesses?
Despite Brexit, the UK remains closely integrated with the European market. NIS2 will have extraterritorial effects, similar to the GDPR. UK companies in EU supply chains or markets will still need to comply with these regulations, which are often contractually required to meet NIS2 standards.
Failing to comply could result in losing business opportunities, as many contracts will include provisions for damages that can exceed the fines imposed by the directive itself.
What are the main requirements under NIS2 that companies must adhere to?
NIS2 adopts an "all hazards" approach to protect network and information systems and their physical environments from various threats. The requirements include governance policies, risk management, incident management—including prevention, detection, and response to cyber incidents—and business continuity measures such as backups and disaster recovery plans.
A significant enhancement in NIS2 compared to its predecessor is the emphasis on supply chain and procurement security. Companies must ensure that their suppliers meet the required security standards.
Training is also important, particularly for executive management, who must be equipped to assess and respond to cybersecurity risks. Additionally, the directive sets strict reporting obligations, requiring incidents to be reported to national cybersecurity authorities within 24 hours, with a more detailed report required within 72 hours and a final report after one month.
If we take Germany as an example, the government estimates that achieving the necessary security maturity under NIS2 will involve one-off costs of €2.1 billion and annual costs of €2.2 billion for organisations in Germany alone. Extending this to the entire EU, the costs could approach €10 billion annually.
Industry 4.0 is considered one of the most vulnerable to cyberattacks. Has there been progress in its cybersecurity efforts over the past few years?
Yes, I believe there has been some progress, particularly among larger organisations. However, there's still a lot of room for improvement. Many companies have invested heavily in digitisation and connected products, but not enough regarding security and sustainability has been done.
A significant issue is that most Industry 4.0 devices and network standards currently do not have the technical capability to embed robust cybersecurity measures, such as those used in traditional information systems.
As a result, companies often have to develop their cybersecurity management systems and solutions, as what's available on the market may not be sufficient. So, while there has been progress, it's clear that Industry 4.0 still faces considerable challenges in becoming fully cyber-secure.
With the deadline for implementing NIS2 into national law approaching, are countries on track to meet it?
The deadline for transposing NIS2 into national law is October 17, 2024. However, many countries, including Austria and Germany, are expected to miss this deadline. A reliable draft bill in Germany is currently being discussed, and it's projected to become law by early 2025. Once the law takes effect, organisations will have three months to assess whether they fall within the scope of NIS2 and report to the relevant authorities.
Will there be legal consequences for countries that can’t make it in time?
Yes, the EU Commission, which oversees the implementation of EU laws, has the authority to take legal action against member states that do not comply. This could involve suing the countries before the European Court of Justice.
A similar situation occurred with the EU whistleblowing directive, where several countries, including Germany, delayed implementation for over two years. As a result, the EU Commission took legal action, and some countries faced significant daily fines, with Germany paying between €500,000 and €600,000 per day for non-compliance.
However, it’s less likely that such severe penalties will be imposed for NIS2, especially if countries like Germany demonstrate progress by submitting a final draft bill and showing efforts to meet the requirements.
Given that many are drawing parallels between the GDPR and NIS2, do you think there are similarities in their significance and impact on the industry?
Absolutely. NIS2's impact on cybersecurity will be comparable to GDPR's effect on data protection. Just as GDPR has set a global standard for data protection, NIS2 aims to do the same for cybersecurity. However, the real impact will depend significantly on how rigorously the directive is enforced by regulators.
Are organisations ready for NIS2, or will there be a last-minute scramble for compliance?
Some organisations are already taking the necessary steps to improve their cybersecurity measures, but many are not there yet. For example, according to the German government, only 17% of directly affected organisations (DE) have implemented sufficient measures so far. This indicates a significant portion of companies may resort to a last-minute scramble to achieve compliance.
The pressure to meet the requirements will likely increase as the deadline approaches, particularly since NIS2 also covers supply chain security, obligating even those companies that are not directly targeted by the directive.
Beyond the operational impact, NIS2 introduces direct liability for top management if effective measures are not implemented. This is a lesson learned from the GDPR, where failure to comply can result in severe consequences.
In the worst-case scenario, managers of critical organisations could be prohibited from continuing their business activities due to non-compliance, effectively putting the company at risk of closure. Although such extreme enforcement actions may not happen immediately, the possibility underscores the seriousness of adhering to the new regulations.
With cyber threats increasing as they are, is NIS2 a good enough standard to strengthen information security in organisations?
NIS2 is a step in the right direction. The directive sets standards for various sectors, including infrastructure, and requires measures like incident management and supply chain security. However, its effectiveness depends heavily on enforcement.
If regulators do not enforce it properly, larger organisations might comply minimally, thinking they can handle any regulatory challenges with legal defences. Smaller businesses might assume they are under the radar and not a target for enforcement, but cyber attackers often go after the weakest links. This makes supply chain security crucial, as disruptions can impact entire industries if major suppliers are compromised.
What advice would you give to an organisation that has yet to start preparing for NIS2?
If you haven't started, the first step is implementing an Information Security Management System (ISMS) and getting it certified. This provides a framework for managing and reducing risks. Companies should thoroughly audit their supply chains and IT systems to identify vulnerabilities. It's really important to begin this process now, as it can be time-consuming to map out and address all potential risks.
The good news is that if your organisation is already ISO 27001 certified, you have already taken significant steps towards becoming NIS2 compliant. In fact, by building an ISO 27001-compliant ISMS, you complete about 70% of the NIS2 requirements.
How can DataGuard help with NIS2 compliance?
DataGuard can help organisations with NIS2 compliance by starting with a NIS2 readiness assessment. This assessment helps identify what measures companies have already implemented and what gaps exist between their current security measures and what is required under NIS2.
DataGuard also supports the implementation of an Information Security Management System (ISMS) and provides asset and risk management tools. Additionally, we offer training programs, including specialised training for executive management, to ensure they understand and can oversee the necessary security measures.
Frequently Asked Questions
What are the NIS2 requirements?
NIS2 mandates comprehensive cybersecurity practices, including risk assessments, incident management, business continuity plans, and supply chain security. It also emphasises the need for executive management to be actively involved in overseeing cybersecurity efforts.
Is NIS2 in effect?
NIS2 has been adopted by the EU and is being incorporated into national laws by member states. The directive's compliance deadline is October 17, 2024, by which time all affected organisations must adhere to its requirements.
Does NIS2 apply to my company?
NIS2 applies to companies operating in the EU that provide essential and important services in sectors such as energy, transport, health, and digital infrastructure. It also includes companies involved in the supply chains of these critical sectors.
What are the reporting obligations for NIS2?
Under NIS2, companies must report significant cybersecurity incidents to national authorities within 24 hours of detection, followed by a detailed report within 72 hours, and a final report after one month. This process ensures timely response and transparency in handling cyber threats.
What is the difference between NIST and NIS2?
NIST provides voluntary cybersecurity guidelines primarily used in the U.S., focusing on best practices and frameworks. NIS2, however, is a mandatory EU directive that sets legal requirements for cybersecurity across the EU, with specific obligations and reporting requirements that companies must follow.