
NIS 2: What’s important for companies in 2024

Is your company affected by NIS 2?

Overview: NIS 2

In this article, we clarify the most significant points for companies in 2024 on the subject of NIS 2.

Weaknesses of NIS 1

The digitalization and networking of society have expanded the threat landscape. At the same time, many companies in the EU lack a sufficient level of IT security. Under NIS 1, resilience across member states and sectors remained too inconsistent, and there was no common understanding of the main threats and challenges. As a result, the directive was revised: a political agreement was reached on May 13, 2022, and the new NIS 2 Directive was officially adopted in November 2022.

Building on the pillars of the previous NIS Directive

The NIS 2 Directive builds on the three main pillars of the previous NIS 1 Directive:

  1. National cybersecurity strategy: Member States must establish a national cybersecurity strategy and designate national Computer Security Incident Response Teams (CSIRTs) and a competent national cybersecurity authority.
  2. NIS Cooperation Group: to support and promote strategic cooperation and information sharing between Member States and CSIRTs.
  3. Sectors of critical importance: The NIS 1 Directive ensures cybersecurity measures in seven key sectors, such as energy, transportation, healthcare and digital infrastructure.

The NIS 2 Directive aims to rectify the shortcomings of NIS 1, adapt it to current needs, and make it fit for the future. It does this by extending the scope of application to new sectors, introducing clear size criteria, and eliminating the distinction between operators of essential services and digital service providers. The directive aims to strengthen security and reporting obligations, address cyber risks in supply chains and supplier relationships, and improve cooperation and information sharing between member states.

Coverage of the NIS 2

The NIS 2 Directive covers sectors of high criticality as well as other critical sectors. Companies are classified according to their importance, and clear size criteria have been introduced.

Critical sectors (essential entities) are, for example:

  • Energy
  • Transport and traffic
  • Banking
  • Health
  • Drinking water
  • Digital infrastructure
  • Public administration

Important sectors (important entities) are, for example:

  • Post and courier
  • Waste
  • Food
  • Manufacturing industry
  • Research
  • Digital services

With our free NIS 2 test you can find out within a few minutes whether your company is affected.

Stricter security requirements and reporting obligations

The NIS 2 Directive aims to standardize security requirements and reporting obligations so that companies operating in different member states are not overburdened. It sets out ten key elements that companies must address in their cybersecurity policies, including:

  • Incident handling
  • Supply chain security
  • Vulnerability handling
  • Disclosure
  • Use of cryptography

Incident reporting is phased: companies have 24 hours to submit an early warning, followed by a full incident notification within 72 hours and a final report within one month. Reports must be made to the relevant supervisory authorities. A list of the relevant authorities can be found on the ENISA page.

The directive sets out a clear framework for the monitoring and enforcement of the rules by the competent authorities. This includes regular audits, on-site and remote inspections, requests for information, and access to documents or evidence. The directive differentiates between essential and important companies and introduces uniform sanctions, including administrative penalties for breaches of the cybersecurity guidelines.

High penalties possible

The relevance for each company is reflected in the potential penalty. For critical sectors (essential entities), penalties of up to €10 million or 2% of global turnover are provided for. For important entities, penalties of up to €7 million or 1.4% of global turnover are provided for.

Implementation by October 2024

Member states must transpose the directive by October 17, 2024. The Commission will regularly review the functioning of the directive and report to the Parliament and the Council for the first time by October 17, 2027.

Test: Is your company affected by NIS 2?

Screenshot: the free NIS 2 test from Riscreen

Significantly more companies are impacted by NIS 2 than by NIS 1, but many companies are still exempt. It is therefore essential to know whether NIS 2 is relevant for your company at all.
We have developed a test for this based on the current directive. It takes about 2 minutes. You can access the NIS 2 test here free of charge.

Interview Series: KRITIS and NIS 2 Talk (in German)

For affected companies, NIS 2 has a significant impact on IT requirements. That’s why two experts discuss the topic together in this video series:

  • Christian Müller is technical managing director of Trufflepig IT-Forensics GmbH, an IT security company for IT prevention, incident response, and forensics.
  • Henrik von Kunhardt advises organizations of various sizes worldwide on compliance, data protection, and money laundering prevention with his company Riscreen GmbH.

1. What does KRITIS mean?

In this part, the experts talk about the meaning of KRITIS and its background.

Video: What does KRITIS mean? | KRITIS and NIS 2 Talk

2. What do NIS 2 and RCE mean?

In this part, the experts discuss the meaning of NIS 2 and RCE and how they are related.

Video: What do NIS 2 and RCE mean? | KRITIS and NIS 2 Talk

3. To which companies does KRITIS apply?

In this section, the experts talk about which companies are affected by KRITIS and NIS 2 in the first place.

Video: Which companies are covered by KRITIS? | KRITIS and NIS 2 Talk

4. Why are KRITIS or NIS 2 necessary?

In this section, the experts talk about why it makes sense for companies to implement the KRITIS and NIS 2 requirements, and not just from a legal perspective.

Video: Why are KRITIS or NIS 2 necessary? | KRITIS and NIS 2 Talk

5. Better IT security thanks to NIS 2?

In this section, the experts talk about why it makes sense for many companies to implement the KRITIS and NIS 2 requirements, and not just from a legal perspective.

Video: Better IT security thanks to NIS 2? | KRITIS and NIS 2 Talk

6. Does ISO 27001 help with KRITIS?

Does ISO 27001 bring massive benefits in terms of IT security? What does it look like in practice? To what extent does ISO 27001 certification have a positive impact on KRITIS compliance?

Video: Does ISO 27001 help with KRITIS? | KRITIS and NIS 2 Talk

7. How high are possible penalties?

How high are the penalties that can be expected for KRITIS or NIS 2 compared to the GDPR or the Money Laundering Act?

Video: How high are possible penalties? | KRITIS and NIS 2 Talk

8. How should companies implement NIS 2?

Which points are relevant for IT security? Where are particularly serious weaknesses that could lead to insolvency?

Video: How should companies implement NIS 2? | KRITIS and NIS 2 Talk

9. TOMs for IT security

What typical mistakes in technical and organizational measures (TOMs) happen again and again, and how do they affect the core security of a company’s IT?

Video: TOMs for IT security | KRITIS and NIS 2 Talk
