NIS 2: The new EU rules on cyber security explained

Jan Tissler

The European Union is implementing stricter rules on cyber security. Hundreds of thousands of companies are affected. And not just them: Partner companies and supply chains are also to become more secure. We present the new "NIS 2" directive.

The EU has launched a directive "for a high common level of cybersecurity". Officially, it is known as "Directive (EU) 2022/2555" or "NIS 2" for short, as it is the second attempt to increase network and information security. The EU member states now have until fall 2024 to transpose it into national law. It is relevant for Switzerland because the directive explicitly includes supply chains and partner companies.

Which companies are affected?

The new directive affects around ten times more businesses than its predecessor from 2016. According to estimates, there are around 160,000 companies across Europe. In Germany alone, there will be around 20,000.

For example, NIS 2 has increased the list of sectors from eight to 18. They are categorized as "essential" and "important". A detailed overview can be found in Annexes I and II of the directive linked above.

The energy, transport, banking, financial market infrastructure, healthcare, drinking water, wastewater, digital infrastructure, management of ICT services (B2B), public administration and space sectors are therefore particularly important.

The list of "other" critical sectors includes postal and courier services, waste management, production, manufacture and trade in chemicals, production, processing and distribution of foodstuffs, manufacturing/production of goods and providers of digital services.

In any case, companies in these sectors with more than 50 employees and an annual turnover or annual balance sheet of more than 10 million euros are affected. However, smaller companies may also be affected if they are the only provider of an essential service in a member state.

What do these companies need to do?

The obligations can be found in Chapter IV of the Directive. According to Article 21, affected companies should "take appropriate and proportionate technical, operational and organizational measures to manage the risks to the security of network and information systems (...) and to prevent or minimize the impact of security incidents on the recipients of their services and on other services." What is considered "proportionate" should be based, among other things, on the assessed risk, the possible consequences and the size of the operation.

Article 21 also lists a minimum standard for security measures. These include a concept for risk analysis, plans for dealing with security incidents, crisis and backup management, concepts for evaluating the effectiveness of measures, encryption, access control and multi-factor authentication.

Swiss companies that follow the ICT minimum standard are already well positioned here.

Article 21, paragraph 2, also explicitly mentions: "security of the supply chain, including security-related aspects of the relationships between individual entities and their direct suppliers or service providers". Paragraph 3 states that entities must consider "the overall quality of the products and cybersecurity practices of their vendors and service providers, including the security of their development processes".

If a security incident occurs, the company must report it within 24 hours and provide a detailed assessment to the competent authority within 72 hours. Failure to do so could result in penalties of up to 10 million euros and 2 percent of annual turnover. CEOs and board members will also be held accountable if an organization fails to implement the aforementioned measures.

Why these new rules?

It is not only since yesterday that EU policy has recognized that increasing digitalization and networking also represent a potential threat. However, previous attempts to comprehensively raise security standards have not been particularly successful.

The direct predecessor of the new regulations is Directive (EU) 2016/1148, which already had the same thrust, but its implementation in the member states was hardly monitored and in many places it was less specific than the new version.

In the meantime, even more processes have been digitized, automated and networked. At the same time, the number of attempted and successful attacks on networks of industrial plants and public institutions has increased.

Closing words

The new EU directive largely follows what is already recommended and practiced internationally. As mentioned, Switzerland has similar recommendations for "minimum standards" in corporate cybersecurity, although these are not binding.

However, it is a good idea for businesses of all kinds to be aware of potential threats and their consequences, even if they are not considered part of the "critical infrastructure". Cyberattacks such as ransomware attacks can cause considerable monetary damage and ruin a company's reputation.