Are you ready for the NIS2 Directive?

NIS-2-directive | TÜV Rheinland

Get ready in time, ensure NIS2 compliance and strengthen your cyber resilience.

The NIS2 Directive is the European Union's response to the growing number of cyber threats: The new “Network and Information Security Directive” introduces stricter cybersecurity regulations for more sectors and companies. The objective remains the same: to protect (critical) infrastructures and increase resilience to cyberattacks.

If you are affected, you should act quickly: By March 2025, EU member states must adopt the Directive into national law, which requires companies to implement the provisions therein. Failure to comply with the minimum requirements could result in fines of up to 10 million euros or 2% of the global annual revenue.

Take advantage of our expertise to prepare ahead and implement the NIS2 requirements: We will review your status quo, create a roadmap, and guide you on your path to an organization that is compliant with information security and cybersecurity requirements.

Am I affected by the NIS2 Directive?

The NIS2 Directive makes cybersecurity relevant for many more companies: Experts estimate that approximately 150,000 companies across the EU are affected. This is because NIS2 also applies to smaller companies with 50 or more employees, or with an annual revenue and balance sheet total of 10 million euros. In addition, the number of sectors affected has been increased from 11 to 18. Eleven sectors are considered highly critical (essential entities) and seven more are otherwise critical (important entities).

What is the difference between essential and important entities?

The classification is based on the size of the company and on the sector: Essential entities are organizations that operate in a critical sector and have more than 250 employees or an annual revenue of more than 50 million euros and a balance sheet total of 43 million euros.

Essential critical sectors:

  • Energy: Electricity, oil, natural gas, hydrogen, district heating and district cooling
  • Transport: Aviation, rail transport, shipping, road transport
  • Banking
  • Financial market infrastructure
  • Healthcare: Hospitals, research, pharmaceuticals, medical devices
  • Drinking water supply
  • Waste water treatment
  • Digital infrastructure: Data centers, DNS services, cloud computing
  • ICT service providers: Managed service and managed security service providers
  • Public administration: Public authorities and offices at the national and regional level
  • Outer space: Operators of ground infrastructure

All other organizations with more than 50 employees or an annual revenue of more than 10 million euros are considered important entities.

Important critical sectors:

  • Postal and courier services: Letter and parcel delivery
  • Waste management: Waste collection and recycling
  • Chemicals: Production and trade of chemical substances
  • Food: Production, processing, and distribution of food
  • Production: Manufacturers of medical devices, machinery, vehicles, and electrical appliances
  • Digital services: Search engines, marketplaces, social networks
  • Research: Research institutions

Important: EU member states can expand the requirements if a company meets certain criteria that indicate it plays a key role for society, the economy or for certain sectors or types of services.

What will be changing under NIS2?

The biggest change is the expanded scope of companies. Furthermore, the cybersecurity requirements are now more stringent: Affected companies must take appropriate “state of the art” measures in areas such as risk management, business continuity management (BCM), supply chain security and incident response.

In addition, national regulatory authorities have stronger enforcement powers, and there will be greater penalties for violations as well as stricter reporting obligations. The latter require companies to report security incidents immediately: an initial early warning report must be submitted within 24 hours of becoming aware of the incident at the latest, followed by an updated, detailed report within 72 hours.

What are the penalties and liability risks?

Not only are the requirements becoming more stringent, but the pressure to enforce them is also increasing – such as through tighter sanctions and personal liability at the management level. Non-compliance with the NIS2 Directive could result in:

  • Fines of up to 10 million euros or 2% of the total global annual revenue for essential entities
  • Fines of up to 7 million euros or 1.4% of the total global annual revenue for important entities
  • Management liability for violations of the Directive
  • Ban/discharge from managerial functions
  • Temporary suspension of services

What NIS2 requirements do I have to meet?

In order to be NIS2 compliant, a security program must cover the following requirements at a minimum:

Risk management

Identification, assessment and management of network and information system risks.

Security measures

Implementation of appropriate technical and organizational protective measures.

Incident reporting

Establishment of mechanisms for detecting and reporting security incidents.

Business continuity management

Continuation and rapid restoration of business operations following incidents.

Supply chain management

Risk assessment and risk management for third-party providers and supply chains.

Employee training

Regular cybersecurity training and awareness-raising activities.

Documentation/reporting

Maintenance of security records, and regular reporting to regulatory authorities.

Review/testing

Regular monitoring and testing of security measures to verify and improve their effectiveness.

Implement an ISMS now and meet the NIS2 requirements.

With a certified information security management system (ISMS) that complies with ISO/IEC 27001, you establish a solid foundation for meeting the specific requirements of the NIS2 Directive.

The ISMS helps you to identify and assess risks, take appropriate security precautions, and monitor their effectiveness. It also promotes a proactive approach to information security through regular reviews, audits, and continuous improvement.

How TÜV Rheinland supports you with NIS2:

NIS2 Quick Check

Find out whether and to what extent the NIS2 Directive affects your company. We also identify and prioritize company-specific risks and areas for action. The resulting recommendations will enable your company to take the appropriate next steps.

Comprehensive consulting services

Take advantage of our consulting services to comply with the NIS2 guidelines. They range from detailed gap analyses regarding NIS2, BCM, ISMS, data protection and compliance to maturity assessments or the conceptual design of security solutions. We also test and assess your security technologies for protecting against, detecting, and responding to attacks.

Implementation and operation

Together we will create your customized NIS2 package of measures: You can either acquire your own custom solution or obtain it as a Managed Service with variable modules – from implementation and basic support to complete operation including SOC services.

Your benefits at a glance:

  • Comply with legal requirements
  • Protect critical business processes
  • Stay on top of IT risks
  • Introduce targeted security measures
  • Invest in the right measures
  • Minimize personal liability risks
  • Maximize information security

Let us support you towards NIS2 compliance.

If you are affected by NIS2, act now and start implementing the required measures. We support you with comprehensive consulting, customized service modules and reliable implementation to get you to your goal.

Contact

Contact us to request a non-binding offer

Get in contact with us!
