The first NIS Directive came into force in 2016. The NIS 2 Directive is a significant enhancement of the original Directive. The new EU Directive aims to further strengthen cybersecurity within EU member states. It also serves to ensure the protection of critical infrastructure and essential and important facilities.
NIS 2.0 expands and tightens cybersecurity requirements. This is in response to the growing threat of cyber-attacks.

„It is encouraging to see EU countries and lawmakers acknowledging the catastrophic impact of successful cyber-attacks across industries, by agreeing to tougher cybersecurity rules for businesses.“
Trevor Dearing, EMEA Director of Critical Infrastructure at Illumio in Portswigger

man puts a stamp on a document

What are Essential and Critical Facilities?

With the introduction of the NIS2 Directive, the number of companies affected has increased significantly.
The original NIS Directive (NIS1) affected approximately 30,000 companies across the EU. With NIS2, there will be more than 100,000 companies.
Companies with 50 or more employees, a turnover of €10 million or more and that belong to certain sectors are classified as essential and important. These include sectors such as

  • health care
  • Transportation
  • finance
  • water supply
  • digital infrastructure
  • Chemical industry and
  • public administration.

As some entities are regulated regardless of their size (e.g. research institutions and public administrations), medium-sized companies may also be affected.
 

Key changes from the first NIS Directive

The original NIS Directive focused on “critical facilities” and “critical infrastructure” operators, similar to the German KRITIS companies. NIS2 now covers a much wider range of sectors.
NIS2 sets out more detailed and stringent security requirements. These include regular risk assessments and the implementation of measures to prevent and respond to cyber attacks.
Companies must report cyber incidents that have a significant impact on the provision of their services more quickly and in more detail. An early warning must be issued within 24 hours and the incident must be reported within 72 hours.

NIS2 extends the powers of national authorities to enforce the directive and to impose penalties for non-compliance. Penalties can amount to millions of euros.
 

Deadlines and responsibilities

EU member states must implement the NIS2 Directive into national law by October 2024 at the latest.
In Germany, this is accomplished by the NIS2 Implementation Act.
It integrates the requirements of the EU Directive into the national IT Security Act.
The Bundesamt für Sicherheit in der Informationstechnik (Federal Office for Information Security, BSI) is responsible for monitoring. The BSI plays a central role in supporting and monitoring the NIS2 implementation laws.
 

Stricter regulations

The directive requires all organizations to protect their networks, information systems and physical system environments. It also supports the implementation of a Zero Trust model to improve overall resilience to cyber-attacks.
The NIS2 directive requires organizations to ensure that cryptography and network security are state of the art. Affected organizations should therefore take a number of technical and organizational measures to ensure this.
These include the regular review and renewal of digital certificates and the implementation of a robust Public Key Infrastructure (PKI) system.
 

Cryptography

Cryptography is a central element of the NIS2 policy. It uses mathematical algorithms to encrypt sensitive data. This means that only authorized users can access it. Combined with digital certificates, cryptography enables secure communication across networks.

Network Security

Network security includes firewalls, intrusion detection systems, and regular security updates. It protects the integrity, confidentiality, and availability of data.

Digital Certificates and Certificate Management

Digital certificates serve as electronic IDs that confirm the identity of a user, device, or organization. They are issued by Certificate Authorities (CAs) that act as trust anchors.
They contain critical information such as the certificate owner’s public key and the issuer’s identity.

Digital certificate management is critical to maintaining the security and integrity of IT systems. Digital certificates have a limited life. They must be continuously monitored and managed to prevent them from expiring or being compromised.

Certificate management tools such as essendi xc provide automated and centralized management. This allows companies to keep track of all issued and used certificates. This closes security gaps and reduces administrative effort.

PKI

The Public Key Infrastructure (PKI) plays a key role in network security. It provides the framework for managing digital certificates. PKI helps organizations create and manage trusted digital identities. This is essential to protect against identity theft.

 

Multi-Factor Authentication (MFA)

Multi-factor authentication (MFA) is one of the most important cybersecurity measures. It provides an additional layer of security. It requires the user to authenticate using multiple factors. It is usually a combination of

secuirty shield with stars which should demonstrate a password 4 stars which should demonstrate a security token a digital fingerprint
Something the user knows (password) something they have (security token) or something they are (biometrics).

Only then does the user gain access to IT systems.
Together, certificates, MFA and PKI form a strong shield against cyber-attacks.
 

 

Quick Summary

The NIS2 Directive represents a significant tightening of cyber security requirements for companies in the European Union. With the extension to new sectors, the protection of critical infrastructure will become even more comprehensive. In particular, operators of critical infrastructure and essential and important facilities are affected. They must take extensive measures to comply with the new requirements.
Organizations can protect their systems and ensure their operations through proactive security strategies and regular reviews.
Key actions include

  • a focus on digital certificate management and
  • the integration of multi-factor authentication.

Failure to comply with NIS 2.0 can result in millions of dollars in fines. Therefore, it is imperative to ensure timely implementation.