The European Union is strengthening the cyber security of its member states. The NIS-2 Directive - NIS stands for Network and Information Security - was published by the EU on 27 December 2022 and came into force on 16 January 2023. It replaces the previous NIS Directive of 2016.
NIS-2 changes the information security requirements for companies and critical infrastructure facilities. Significantly more companies are now affected by the directive, and the framework for fines has been raised to the level of the European data protection regulation EU-DSGVO. Fines amount to up to 10 million euros or 2 percent of global annual turnover.
NIS-2: List of particularly critical sectors published
With NIS-2, the EU is making another attempt to bring cyber security in the EU to a higher level. While Germany already formulated national requirements for critical infrastructures in 2015 - and thus before the first NIS directive - with the IT Security Act, implementation in other member states has been slower. The EU wants to avoid these divergences in the further implementation. In particular, the scope of application will be defined much more concretely.
For the first time, a distinction is made between entities of the categories "essential" and "important", which are subsequently subject to different requirements. The distinction is primarily based on newly defined threshold values - details are regulated in Art. 3 of the Directive.
Annex 1 lists the sectors concerned. The sectors with high criticality include energy, transport, banks, financial market infrastructures and digital infrastructures. Public administration is also explicitly mentioned here. The category of other critical sectors includes, for example, postal and courier services, providers of digital services, but also manufacturers of medical devices, mechanical engineering and vehicle construction. The scope of application of NIS-2 will consequently bring changes compared to the KRITIS sectors known in Germany and the IT Security Act.
From autumn 2024, NIS-2 will apply in Germany
NIS-2 must now be transposed into national law by national legislators by 17 October 2024 and will apply from 18 October 2024. In Germany, it is expected that the IT Security Act 2.0 and the KRITIS ordinances will be revised. A first draft bill for a KRITIS umbrella law and the IT Security Act is expected before the parliamentary summer break in 2023.
Companies should act now and assess, on the basis of the directive as published, whether they are affected and where implementation gaps exist. KPMG provides support for the impact analysis as well as the planning and implementation of the NIS-2 requirements.
Dr. Michael Falk
Partner, Consulting, Cyber Security
KPMG AG Wirtschaftsprüfungsgesellschaft
Wilhelm Dolle
Partner, Consulting, Head of Cyber Security
KPMG AG Wirtschaftsprüfungsgesellschaft