What is NIS2?
NIS2 stands for Network and Information Security Directive 2 (Directive (EU) 2022/2555) and is an EU directive to strengthen cybersecurity in Europe. In particular, it aims to raise the security level of critical infrastructure by defining minimum cybersecurity requirements for the organizations that operate it. The directive is the successor to the original NIS directive and aims to better protect organizations and critical infrastructure from cyber threats and to establish a uniformly high level of security across the EU.
The NIS2 Directive was proposed by the European Commission in December 2020 and entered into force at EU level on January 16, 2023. Member States had until October 17, 2024 to transpose its obligations into national law.
What are critical infrastructures?
Critical infrastructures (CRITIS) are organizations and facilities of major importance to the functioning of society and the state, the failure or impairment of which would result in lasting supply shortages, significant disruptions to public safety or other dramatic consequences.
What are the objectives of NIS2?
NIS2, just like NIS, defines a set of measures to ensure a high common level of security of network and information systems in the European Union. The directive creates a uniform legal framework for the EU-wide development of national cybersecurity capacities, closer cooperation between the Member States of the European Union, and minimum security requirements for and reporting obligations on operators of critical infrastructure.
What is new in NIS2?
NIS1 required operators of critical infrastructure to implement various measures to ensure cybersecurity. However, NIS1 was quite abstract and was not implemented uniformly across the Member States. It also lacked specific requirements for reporting cyber risks and incidents.
Because of the increased threat level and the growing dependence on digital services during the COVID-19 pandemic, NIS2 was eventually developed.
NIS2 describes which companies or organizations are classified as providing critical services and which sector they fall into. It covers more companies, mandates improved risk management, and imposes more obligations and stricter penalties. In addition, NIS2 clearly defines the procedure, content and deadlines for reporting security incidents, which the Member States have to implement in national law.
To whom does NIS2 apply?
The following sectors are defined as highly critical or critical according to NIS2:
Sectors with high criticality
- Energy
- Transportation
- Banking
- Financial market infrastructures
- Healthcare
- Drinking water
- Wastewater
- Digital infrastructure
- ICT services management (B2B)
- Public administration
- Space
Other critical sectors
- Postal and courier services
- Waste management
- Production, manufacture and trade of chemical substances
- Production, processing and distribution of food
- Manufacturing/production of goods
- Digital service providers
- Research
An attack on the energy infrastructure, for example, could lead to power outages and significant disruptions. The AS4 protocol (a profile of the OASIS ebMS 3.0 web services messaging standard), which will soon be mandatory for message exchange between market participants in the energy sector, is intended to ensure that messages can be exchanged securely between trading partners.
Requirements and deadlines for reporting security incidents
- Early warning within 24 hours of becoming aware of the incident: indication of whether the incident is suspected of being caused by unlawful or malicious action and whether it could have a cross-border impact.
- Incident notification within 72 hours of becoming aware of the incident: update of the early warning and an initial assessment of the security incident, including its severity and impact and, where available, indicators of compromise.
- Final report one month after the incident notification: detailed description of the incident including its severity and impact, the type of threat or root cause that likely triggered it, the mitigation measures applied and still ongoing, and cross-border impact, if applicable. If the incident is still ongoing at that time, a progress report is submitted instead and the final report follows one month after the incident has been handled.
What does NIS2 mean for companies?
For affected companies, NIS2 imposes a number of obligations, including registration with the competent authority in their own Member State, disclosure of contact details, and reporting of significant security incidents, i.e., incidents that cause or are capable of causing serious operational disruption or financial loss, or that affect other persons or organizations. The biggest change for companies, however, will be the additional security requirements imposed by NIS2.
NIS2 expands the original scope of NIS1 to new essential and important entities and now also includes public administration. Companies will have to report significant incidents within their IT infrastructures without undue delay and submit to supervision and enforcement measures by the national supervisory authorities.
This should make it easier to anticipate potential security risks and initiate more targeted countermeasures. Failure to comply consistently with the regulations can result in fines and penalties, which have become even stricter with NIS2.
State of the art is mandatory
The NIS2 directive obliges companies and institutions to implement appropriate and proportionate technical, operational and organizational security measures that address the respective risks, taking the state of the art into account. Indispensable for this is knowledge of the typical dangers of new technologies and of current attack methods, especially those used by cybercriminals: NIS2, for example, requires companies to conduct regular cybersecurity risk assessments. In addition, companies and institutions must implement preventive measures to protect against security incidents.
What measures does NIS2 require?
Some of the most important requirements that NIS2 brings with it (Article 21(2) of the directive) are:
- Policies on risk analysis and information system security
- Incident handling
- Business continuity, such as backup management and disaster recovery, and crisis management
- Supply chain security, including the security of relationships with direct suppliers and service providers
- Security in the acquisition, development and maintenance of network and information systems, including vulnerability handling and disclosure
- Policies and procedures to assess the effectiveness of the cybersecurity risk management measures
- Basic cyber hygiene practices and cybersecurity training
- Policies and procedures on the use of cryptography and, where appropriate, encryption
- Human resources security, access control policies and asset management
- The use of multi-factor or continuous authentication, secured voice, video and text communications, and secured emergency communication systems where appropriate
For the area of email security, this means the use of cryptography and encryption in email communication to protect critical data. The national law transposing NIS2 is not yet much more concrete (in Germany, it has been available only as a draft since spring 2023), so more specifics are still to come. Nevertheless, the list above shows that effective email encryption is a fundamental part of complying with the NIS2 directive.
What does NIS2 mean for email security?
In the context of NIS2, email service providers are required to take appropriate security measures to protect their services from cyberattacks and to ensure the confidentiality, integrity and availability of email communication. Protection against malware, phishing and spam is the goal here.
This may include implementing security standards, monitoring for security incidents, and cooperating with the relevant authorities when reporting security incidents.
What happens if NIS2 is not complied with?
Here, NIS2 again distinguishes between entities in sectors of high criticality (essential entities) and entities in other critical sectors (important entities). Which category a company falls into depends on its sector and, in general, on its size.
Sectors with high criticality
Here, NIS2 means large companies with at least 250 employees, or with more than 50 million euros in annual turnover and more than 43 million euros in annual balance sheet total. In addition, there are some special cases that are classified as essential independent of size.
In the event of non-compliance, these companies face administrative fines with a maximum of at least 10 million euros or 2% of total worldwide annual turnover in the preceding financial year, whichever is higher.
Other critical sectors
Here, NIS2 means large companies with at least 250 employees, or with more than 50 million euros in annual turnover and more than 43 million euros in annual balance sheet total. In addition, there are medium-sized companies from both groups of sectors mentioned above with at least 50 employees, or with more than 10 million euros in annual turnover and more than 10 million euros in annual balance sheet total, as well as special cases that are classified as important independent of size, such as entities designated as such by the Member State (for example, the sole provider of a service that is essential for society).
In the event of non-compliance, these companies face administrative fines with a maximum of at least 7 million euros or 1.4% of total worldwide annual turnover in the preceding financial year, whichever is higher.
Enhance cybersecurity – with NoSpamProxy.
Take important steps towards NIS2 compliance by securing your IT infrastructure and protecting your email communication. Try NoSpamProxy now for free!