NIS 2: The new EU cybersecurity rules explained
16-05-2023 Author: Jan Tissler
Hundreds of thousands of businesses, partner companies and supply chains are affected by NIS 2. We explain the new EU cybersecurity rules.
The EU has launched a directive “for a high common level of cybersecurity”. Officially known as “Directive (EU) 2022/2555” or “NIS 2” for short, it is the second attempt to increase network and information security. EU member states now have until autumn 2024 to transpose it into national law. The directive also affects Switzerland because it explicitly includes supply chains and partner companies.
Which companies are affected?
The new directive affects about ten times more companies than its predecessor from 2016. According to estimates, about 160,000 companies across Europe will be affected, and around 20,000 in Germany alone.
Among other changes, NIS 2 has expanded the list of sectors from 8 to 18, categorising each as either “essential” or “important”. A detailed overview can be found in Annexes I and II of the directive.
Industries such as energy, transport, banking, financial market infrastructures, healthcare, drinking water, wastewater, digital infrastructure, ICT services management (B2B), public administration and space are all considered particularly important.
The list of "other" critical sectors includes postal and courier services, waste management, production, manufacture and trade of chemical substances, food production, processing and distribution, goods manufacturing/production, and digital service providers.
Regardless, companies in these sectors with more than 50 employees and an annual turnover or balance sheet of more than 10 million euros will be affected. However, the directive may also impact smaller businesses if they are the sole provider of an essential service in a Member State.
What do these companies need to do?
The obligations can be found in Chapter IV of the Directive. According to Article 21, affected companies should "take appropriate and proportionate technical, operational and organisational measures to manage the risks to the security of network and information systems (...) and to prevent or minimise the impact of security incidents on the recipients of their services and on other services". What is regarded as "proportionate" will be determined, among other things, by factors such as the assessed risk, the possible consequences and the size of the operation.
Article 21 also lists minimum standards for security measures. These include, for example, a risk analysis concept, plans for dealing with security incidents, crisis and backup management, concepts for evaluating the effectiveness of the measures, encryption, access control and multi-factor authentication.
Swiss enterprises that adhere to the ICT minimum standard are already well positioned in this regard.
Article 21, paragraph 2, also explicitly mentions: "supply chain security, including security-related aspects of the relationships between individual entities and their direct vendors or service providers". Paragraph 3 states that entities must take into account "the overall quality of the products and cybersecurity practices of their vendors and service providers, including the security of their development processes".
If a security incident occurs, the company must report it within 24 hours and provide a detailed assessment to the competent authority within 72 hours. Failure to do so will result in fines of up to 10 million euros and 2 per cent of annual turnover. CEOs and boards of directors will also be held accountable if an institution fails to implement the above measures.
Why these new rules?
EU policy has long recognised that increasing digitalisation and networking also represents a potential danger. However, previous attempts to comprehensively raise security standards have not been particularly successful.
The direct predecessor of the new regulations is Directive (EU) 2016/1148, which had a similar thrust, but whose implementation in member states was hardly monitored, and which in many respects was much less specific than the new version.
In the meantime, even more processes have been digitalised, automated and networked. At the same time, the number of attempted and successful attacks on the networks of industrial plants and public institutions has increased.
Closing words
The new EU directive largely follows what is already recommended and practised on a global scale. As mentioned, comparable recommendations for "minimum standards" in cybersecurity also exist for Swiss companies, although these are not binding.
Regardless, all kinds of businesses should be addressing potential threats and their consequences, even if they are not considered part of the "critical infrastructure". Cyber attacks such as ransomware attacks can cause significant financial damage, not to mention ruin the company's reputation.