The Directive “concerning measures to ensure a high common level of security of network and information systems across the Union” (NIS, EU 2016/1148) was introduced in 2016 to improve cybersecurity in all EU Member States. Since then, it has acted as a catalyst for a regulatory and institutional approach to cybersecurity in the EU and has led to a significant shift in thinking. National frameworks for the security of network and information systems have been completed through the definition of national strategies and capabilities and the implementation of regulatory measures for key infrastructure and facilities in each Member State. The energy sector, including electricity, oil and gas, has also been covered by the Directive.
Despite the improved cyber resilience across the EU, the legal frameworks for cybersecurity in the Member States still differ. The European Union has therefore announced a new EU cybersecurity strategy and new rules to make physical and digital critical infrastructures more resilient (NIS2).
It is also worth noting that the overall attack surface has changed dramatically since 2016, including but not limited to the effects of COVID-19 and the changing behaviour and tactics of cyber adversaries. The Commission conducted an extensive stakeholder consultation to identify the impact and shortcomings of the NIS Directive.
The Commission has identified the following main problems:
NIS2
On 16 January 2023, the NIS2 Directive (EU 2022/2555) entered into force. It aims to improve cybersecurity across the Union by establishing a common framework of cybersecurity requirements for companies and Member States. Member States must transpose the Directive into national law by 17 October 2024. Compared to the original NIS Directive, NIS2 introduces additional cybersecurity measures and requirements:
NIS2 also extends the scope to a larger number of sectors and lowers the threshold for affected organisations:
New sectors
NIS2 introduces numerous new sectors and sub-sectors. The “Transport” sector has hardly changed, apart from the addition of public passenger transport, which is, however, subject to many additional restrictions. The situation is different with the “Manufacturing/production of goods” sector. This entirely new sector contains sub-sectors such as “Manufacture of computer, electronic and optical products”, “Manufacture of electrical equipment”, “Manufacture of machinery and equipment”, “Manufacture of motor vehicles, trailers and semi-trailers” and “Other transport equipment”. All of these sub-sectors are specified in more detail by reference to NACE Rev. 2, in this case section C, divisions 26-30. Looking at the economic activities listed there, two things stand out: firstly, a large number of economic activities are included, and secondly, many of them are not “critical” even on closer inspection. This shows that NIS2 should not be misread as a directive that only concerns “critical” sectors and therefore neglected. As company management, you are well advised to check explicitly whether you are affected by NIS2, regardless of what your gut feeling tells you. It is also a good idea to document the result of that check, even when it is negative.
Standardised criteria
In contrast to the original NIS Directive, NIS2 introduces clear, EU-wide criteria that determine whether an organisation is regulated or not. On the one hand, NIS2 significantly expands the regulated sectors, including areas that would not immediately be considered “critical”. On the other hand, NIS2 replaces the NIS terms “operators of essential services” and “digital service providers” with “essential entities” and “important entities”, which emphasises the broader focus of NIS2 beyond the original “critical infrastructure”.
Another aspect concerns the size of the organisation. NIS2 is based on the “definition of micro, small and medium-sized enterprises” (EU 32003H0361) and sets a so-called “size cap” threshold. Companies with more than 50 employees in a sector fall under NIS2. However, in some sectors or exceptions, smaller companies may also be affected by NIS2.
One aspect that is often overlooked is self-registration. Under NIS (or the corresponding national implementations), companies were notified by the state that they had to fulfil the respective regulatory requirements. Under NIS2, there is an obligation to self-register: Member States must provide an (online) platform on which companies can register, but it is up to the companies themselves to check whether they fall under NIS2 or not.
Supply chain
Another important aspect of the NIS2 Directive concerns securing the supply chain. Companies affected by NIS2 must assess the risks along their supply chain and, if necessary, minimise them by taking measures, but also by diversifying or changing suppliers. It can therefore be assumed that the requirements of NIS2 will also be passed on contractually in the supply chain in future. Even companies that are not directly affected by NIS2 could be obliged to comply - not due to legal requirements, but due to contractual requirements in order not to jeopardise their supply relationships.
“Am I already KRITIS or what?”
There are those who complain that NIS2 also regulates areas that are not critical. In fact, it is a fallacy to believe that NIS2 focuses on critical areas. NIS2 deals with resilience in the EU, and far more comprehensively than NIS did. NIS2 has adopted the focus of NIS, but its understanding of resilience is much broader (especially economically) and also includes downstream companies in the second, third, fourth and further tiers of the supply chain.
From an economic perspective, one could say that practically every company today has a value-added relationship with the “manufacturing/production of goods” sector. Economically, that is very favourable for companies in this sector. However, it is precisely this interdependence that makes it necessary to focus on this sector and to cover it under NIS2 from a regulatory perspective.
New companies affected
In contrast to other sectors, where only the sub-sectors have been expanded, the “manufacturing/production of goods” sector is a novelty in the NIS2. As a result, there has so far been little regulatory pressure to deal with the requirements. This changes abruptly with NIS2! And regardless of the sector, it should not be underestimated that companies with 50 employees or more may be affected by the requirements! NIS2 is therefore by no means just an issue for the “big players”.
If these companies do not currently operate an information security management system (ISMS), they may have to rethink their entire IT operations before the national regulations take effect. Reactive responses to requirements, incidents and attacks would have to give way to structured, risk-based and documented IT operations. This is a challenge, especially for those starting from scratch. NIS2 treats cybersecurity in the same way as other business areas: while it is common in finance, for example, to have real-time business metrics available, NIS2 extends this approach to cybersecurity. Status, risks and operational metrics need to be available at all times, not just in the event of an incident. With an unstructured approach, a belief in quick fixes and postponed documentation, it is impossible to obtain such metrics in a timely manner. This means that smaller companies in particular face significant changes in processes, organisation, IT operations and the perception of IT.
Competition in the internal market
As part of minimum harmonisation, NIS2 defines cybersecurity requirements and obligations much more comprehensively than the original NIS Directive. One explicit aim of this new regulation is to reduce distortions of competition in the internal market that have arisen due to different implementations of the NIS Directive. The original German implementation was already very comprehensive, which in some cases led to higher costs for German companies and corresponding disadvantages in European competition. NIS2 therefore levels the playing field and creates standardised requirements for all. Whether this is only a minor change for German companies or a massive change for companies in other countries is initially irrelevant. The decisive factor is rather that the same rules apply to everyone, which is ultimately a manifestation of the EU's economic single market concept.
Standards and implementation
In view of the original NIS Directive's focus on critical infrastructures, it may be surprising that (cyber) risk management in NIS2 appears to be more IT-centred. While ENISA has created mappings for NIS not only to IT standards such as the ISO/IEC 27001 series and the NIST CSF, but also to OT standards such as ISO/IEC 62443, the NIS2 Directive so far only mentions the ISO/IEC 27000 series:
[...] measures to protect these systems [...] in accordance with European and international standards such as those of the ISO/IEC 27000 series [...].
This is all the more regrettable because other standards, such as ISO/IEC 62443, provide much more specific implementation guidance for the OT area. Unfortunately, there is still no industry-specific security standard (B3S) from the BSI for the “manufacturing industry/production of goods” sector. It is to be expected, however, that the BSI will at least issue recommendations for action by the time the German NIS2 implementation comes into force. It is not advisable to wait until they are published before starting implementation, all the more so as 80% of the necessary measures have been “standard” and documented accordingly for years. In other words, it is always advisable to address the basic requirements early so that the remaining 20% can be implemented on this basis once industry-specific requirements are in place.
Summary
In general, it must be recognised that the European Commission has created a sensible regulation with the NIS2 Directive, which addresses many of the weaknesses of the original NIS Directive. On the one hand, it expands the scope of risk management and specifies requirements, reporting obligations and potential sanctions much more comprehensively, both for affected companies and indirectly for their supply chains. On the other hand, these requirements balance out the distorted competition in the European Union, which is ultimately one of the main reasons for the European Single Market and therefore also the basic idea behind the European Union.
Companies that are newly affected by NIS2, whether through expanded sectors or due to their size, may face considerable challenges. If they have not yet structured their IT operations (e.g. without an ISMS), they are faced with the task of not only structuring their IT operations, but also implementing risk management and technical measures as well as introducing procedural and organisational changes until the German regulation is implemented in just under a year.
In both cases, the number of directly affected companies and of indirectly affected companies (via the supply chain) will increase significantly due to the extended scope of NIS2. For a company directly affected by NIS2, it will therefore become easier, now and in future, to procure the relevant goods and services in a “NIS2-compliant” manner. Even if a supplier is not itself affected by NIS2, it is often in its own commercial interest to ensure compliance.