The EU’s new NIS2 Directive has come into force. It tightens the requirements for cyber and information security, and requires a holistic, risk-based approach for companies. Many more companies will now be considered to constitute critical infrastructure due to their role as subcontractors.
The steady stream of cyber attacks underlines why the EU has updated its NIS Directive on cyber and information security.
“The original NIS Directive was vaguely formulated, which is why there are major differences in the way it was implemented in the individual Member States. The new NIS2, which came into force in Denmark in January, lays down much stricter requirements and represents a desire to standardise cyber and information security across EU member states,” says Andreas Norstedt, Security Advisor at DBI – the Danish Institute of Fire and Security Technology.
Both NIS and NIS2 target sectors that operate critical infrastructure, but NIS2 extends the obligations to more sectors and to the subcontractors that supply the companies concerned.
“This means, for example, that a company that produces cables for the energy sector must also comply with NIS2,” explains Andreas Norstedt.
The directive applies to entities in the covered sectors that are at least medium-sized under the EU's SME definition, broadly meaning 50 or more employees, or an annual turnover or annual balance sheet total above 10 million euros. It also requires that the companies' management bodies approve the cyber security measures and oversee their implementation, so that the measures are subject to internal control.
“Many of them will have to get a move on, as the measures must be implemented by October 2024, according to Danish legislation. Most Danish companies have good control over IT security, but one new feature is that NIS2 requires a risk-based approach to cyber and information security. This means that a risk assessment must also be conducted, a contingency plan must be drawn up and the physical environment must be under control. A holistic approach means that an energy company must have a plan to continue to deliver power, whether it’s a cyber attack or a flood in the server room that’s compromising cyber and information security,” explains Andreas Norstedt.
In 2025, the relevant supervisory authorities will start monitoring the companies covered by NIS2 to ensure that they are complying with the requirements.
“The supervisory authorities will have far-reaching powers – including access to data, documents and information on areas such as risk assessments and implementation of measures. If it becomes clear that a company is not complying with NIS2, it can result in a large fine. The EU has matched the levels of fines with those for GDPR violations, which can amount to fines of up to 10 million euros or 2% of a company’s global turnover,” says Andreas Norstedt.
The EU’s NIS2 Directive lays down minimum requirements for:
Sectors covered by NIS2 according to the Directive: