The NIS-2 Directive: What companies need to know now

social-intranet-page
Benedikt
20
August
2024

The increasing digitization and networking of processes not only brings advantages, but also new risks. To meet these challenges, the European Union has adopted the NIS-2 Directive. It represents a further development of the first NIS Directive (Network and Information Security) and aims to strengthen cybersecurity in Europe. But what exactly does the NIS-2 Directive mean, who does it apply to, and how does it differ from the GDPR? In this article, we give you a thorough overview and explain what steps companies need to take to remain compliant.

 

1. What is the NIS-2 Directive?
The NIS-2 Directive is an EU-wide regulation that aims to improve the security of network and information systems across the Union. It sets out strict requirements for companies and organizations classified as operators of critical infrastructure (e.g. in the energy sector, healthcare or finance). In addition, the NIS-2 Directive extends the scope to additional sectors and companies that were not previously covered by the original NIS Directive.

The main objectives of the NIS-2 Directive include:

  • Improving cyber resilience in the EU.
  • Harmonization of safety requirements in the Member States.
  • Strengthening cooperation between EU countries on cybersecurity.

 

2. Who does the NIS-2 Directive apply to?
The NIS-2 Directive is aimed at a wide range of companies and organizations operating in the following sectors:

More precise recording of sectors

categoryDetails
High criticality sectors (Annex 1)
  • energy
  • transport
  • Banking
  • Financial market infrastructure
  • Healthcare
  • Drinking water supply and distribution
  • Digital infrastructure
Other critical sectors (Annex 2)
  • Groceries
  • Manufacturing of chemicals
  • Processing of wastewater and waste
  • Space travel
  • Public administration
  • Postal and courier services
Large companies
  • Companies with over 250 employees
  • Annual turnover over 50 million euros
  • Total assets over EUR 43 million
Medium-sized companies
  • Companies with 50-250 employees
  • Annual turnover up to 50 million euros
  • Total assets up to EUR 43 million

The NIS-2 Directive divides the companies concerned into two main groups: essential and important entities. It regulates public administrations, certain areas of digital infrastructure and providers of critical services whose disruption could have a significant impact, regardless of the size of the company. This allows the application of graduated security requirements to ensure that both very critical and less critical service providers are monitored accordingly.

Categories:

  • Essential Entities
  • Important Entities

Companies must belong to certain sectors from Annexes 1 and 2 and meet certain size criteria to fall under the NIS-2 Directive.

With our checklist you can quickly check whether your company is affected by the NIS-2 Directive.

 

3. Differences between the NIS-2 Directive and the GDPR
The NIS-2 Directive and the GDPR are two central EU regulations that pursue different but complementary goals. While the GDPR focuses on the protection of personal data and privacy, the NIS-2 Directive aims to strengthen cybersecurity and the resilience of network and information systems. Both directives set strict requirements, but with different focuses and scopes. These differences are crucial for companies that have to comply with both sets of regulations.
 

featureNIS-2 DirectiveGDPR
GoalImproving cybersecurity and resilience of IT systemsProtection of personal data and privacy
scopeCompanies in critical sectors (e.g. energy, transport)All companies that process personal data
AffectedEssential and important facilities, depending on sector and sizeAll natural persons within the EU
Regulatory contentSecurity measures for network and information systemsPrinciples for the processing of personal data
Consequences of violationsFines of up to 2% of annual worldwide turnoverFines of up to 4% of global annual turnover

 

4. What adjustments do I need to make in my company?
In order to meet the requirements of the NIS-2 Directive, companies must take various technical and organizational measures. These adjustments include in particular:

1. Risk management: Implement a comprehensive cybersecurity risk management system that is regularly updated.

2. Security measures: Introduction of measures such as firewalls, encryption, and intrusion detection systems to secure networks and information systems.

3. Incident management: Establish a system for detecting, responding to and reporting security incidents. This includes working closely with the relevant authorities to report incidents within established timelines.

4. Continuous monitoring: Implementation of processes for continuous monitoring of network and information systems in order to detect threats at an early stage.

5. Training and awareness: Regular training for employees to increase security awareness and avoid human errors that could lead to security incidents.

6. Compliance and documentation: Companies must ensure that all measures taken are documented and regularly checked for their effectiveness. This documentation is crucial for providing evidence in the event of audits or inspections by the supervisory authorities.

Companies should take a proactive approach to ensure they meet all requirements of the NIS-2 Directive. Close cooperation with internal and external security experts is essential to implement the necessary adjustments efficiently and effectively.

 

Can you be more specific?
No, the NIS-2 Directive contains general requirements and no specific technical measures. This is because it covers a large number of companies and sectors that have very different infrastructures and risks. Uniform technical solutions would not meet the specific requirements of the various industries. Instead, companies must develop an individual security concept based on their specific threats. This keeps the directive flexible and adaptable, but can also be complex to implement.

 

Am I NIS-2 compatible with Loxonet as a supplier?
With Loxonet as your supplier, you are optimally equipped for the NIS-2 directive. Our solutions cover all relevant requirements so that you can easily comply with the legal requirements. Here are the key reasons:
 

aspectDetails
Risk management
  • Comprehensive risk assessment and mitigation
  • Regular updates and audits
Security measures
  • Advanced IT security solutions
  • Protection against cyber attacks
  • Data backup and encryption
Incident management
  • 24/7 monitoring
  • Rapid response to security incidents
  • Close cooperation with authorities
Compliance documentation
  • Automated reporting
  • Audit-proof archiving
  • Comprehensible documentation
Certificates of our data centers
  • TISAX
  • TDC 1.0
  • SOC1, SOC2
  • BSIC5
  • ISO/IEC 27001, 27017, 27018, 27701
  • ISO9001, 14001
  • ISO/IEC 20000-1, 22301
  • ESARIS

Does this also apply to critical sectors and important facilities?

Yes, this also applies to critical sectors and important facilities. Loxonet meets the requirements for:

  • High criticality sectors (Annex 1 NIS-2)
  • Other critical sectors (Annex 2 NIS-2)
  • Essential Entities
  • Important Entities

Our solutions are designed to meet the strict security requirements of these sectors. Through comprehensive certifications and adapted security measures, we ensure that all regulatory requirements are met.

 

Conclusion
The NIS-2 directive brings with it a wave of bureaucracy and uncertainty, as it contains strict requirements without concrete technical instructions. This can deter many companies rather than motivate them to face the challenges of digitalization. At Loxonet, however, we have the expertise and solutions to fully meet the requirements of the directive. This means that you are on the safe side despite the complex bureaucracy and can concentrate on your core business while we ensure compliance.

app-store
The social intranet is also available as an app .
Your social intranet – anytime, on any device!
Please accept all cookies to write us in the support chat.