Corporate IT Security Requirements - The NIS 2 Directive is Coming

Operators of critical infrastructure, among others, are now victims of hacker attacks and cyberattacks on a daily basis. German lawmakers already reacted last year by tightening the legal requirements for IT security to be implemented by operators through the IT Security Act 2.0. European lawmakers are now following suit and taking the next steps in their cybersecurity strategy with the Cyber Resilience Act for products with digital elements (CRA, we reported) recently proposed by the EU Commission and the NIS 2 Directive.

The update to the Network and Information Systems Security Directive (NIS 2 Directive for short), adopted on Nov. 28, 2022, among other things expands the scope of the NIS Directive, which dates back to 2016. According to this, more institutions and sectors are to be obliged to take substantial (re)measures in the area of cybersecurity.

More companies + more obligations = more IT security?

In addition to the critical sectors covered by the NIS Directive to date (energy, transport, water, health, digital infrastructure and finance), providers of public electronic communications services and digital services, social media operators, manufacturers of critical products (e.g., medical devices) and postal and courier services, among others, will also have to review and, if necessary, adapt their IT security measures once the Directive has been implemented accordingly.

For example, affected companies and operators will face the following risk management measures, among others:

• Participation of management bodies in cybersecurity training and implementation of such for employees;
• Implementation of appropriate and proportionate technical, operational and organizational measures to be based on a cross-hazard approach with necessary attention to, among other things, supply chain security, the potential use of cryptography, and security measures in the acquisition, development and maintenance of technology systems;
• Compliance with more streamlined reporting requirementsfor significant security incidents: initial report to national competent authority within 24 hours, detailed report within 72 hours, final report after one month;
• Registration/information obligations to national authorities to collect and maintain overviews of critical infrastructure operators.

Fines for companies, consequences for managers

To ensure that the comprehensive security requirements are implemented, European lawmakers are expanding the possible supervisory measures of national authorities (e.g., on-site inspections, regular security audits including ad hoc audits) and setting stricter enforcement requirements.

In the event of violations, operators face fines of up to EUR ten million instead of the previous maximum of EUR two million in Germany, or of at least 2% of total global sales. In addition, authorizations granted in individual cases for services or activities provided by critical infrastructure operators can be temporarily suspended and managers can be directly prohibited from performing management duties.

Why not only critical infrastructure operators are affected

Complementing the expansion of the sectors to include domain registrars comes the obligation that in the future they must store the personal information of all domain holders, such as name, address and telephone number. They will have to respond to requests from law enforcement agencies within 72 hours. Anonymous services are therefore likely to have a harder time in the future.

And even companies that do not initially qualify as critical infrastructure should keep an eye on the implementation of the directive. Because not only can member states oblige operators of critical infrastructure to use certain IT products and services. For such, they can also stipulate a certification requirement. The requirements that the manufacturers of these products and services must fulfill for successful certification depend on (possibly new) so-called schemes for cybersecurity certification, which the European Union Agency for Cyber Security ("ENISA") develops on behalf of the EU Commission and which the latter may declare mandatory under certain circumstances.

And now?

Following the Council's final approval of the draft, the directive will be published in the Official Journal of the European Union in the coming days and will enter into force on the twentieth day after its publication. Member states will then have 21 months to transpose the directive into national law. 

However, companies are already well advised to critically review their IT security and implement further protective measures if necessary. Attackers are not waiting for regulatory intervention by the state anyway. An early review and adaptation of the company's own security also facilitates conformity with the expected national regulations.

However, the end of the line has probably not yet been reached in this respect anyway. In view of the increase in threats and their impact on the economy and social life, it is to be expected that further requirements will be placed on IT security and existing requirements will be further tightened. In any case, the member states have the option of going beyond the requirements of the NIS 2 Directive and imposing stricter rules when implementing it, if this has not already been done (in part). It is good that German lawmakers are already providing parallel financial support for affected companies.