EU NIS 2 — What is changing and why should all industries take action now?

The European Union's NIS 2 Directive (Network and Information Systems) has been in force since January 16. It responds to the rise in cyber attacks in times of geopolitical crisis, which particularly threaten socially relevant institutions and organizations. The new directive requires stronger technical and organizational information security from the expanded list of 18 industries classified as “critical infrastructure”, including health, energy, information technology & telecommunications, finance & insurance, and transportation and traffic. Companies with just 50 employees or an annual turnover of 10 million euros now have to fulfil certain cyber security obligations, as do providers of digital services and parts of public administration, which are regulated regardless of their size.
Measures to be implemented include the development of an ISMS, for example in accordance with ISO 27001 or basic IT protection, as well as specific technical measures. The specific technical requirements include stringent multi-factor authentication and technical-organizational access controls such as SSO. At the same time, the competencies of the European cybersecurity authority ENISA, which serves as the central reporting and registration authority for all companies subject to the regulation, will be strengthened.
Expanding the list of industries regarded as critical infrastructure is one thing: at first it appears to affect only the sectors mentioned, and companies outside them may see no urgent need for action. However, Article 21 of the new regulation contains a provision that also applies to industries outside the extended areas. In addition to the required internal cybersecurity measures, NIS 2 also demands security in the critical infrastructure supply chain. In effect, this means that all IT service providers, hardware providers and system houses responsible for central processes fall under the NIS 2 guidelines if they want to remain operational. As a result, the new NIS 2 guidelines have significantly more impact on market participants outside the regulated sector than initially expected, at least as soon as they have customers in the extended KRITIS (critical infrastructure) area.
The increased requirements must be transposed into national law by October 2024 at the latest. Implementing the necessary measures reliably with adequate solutions takes time, especially when demand for cybersecurity solutions and service providers suddenly surges.
Regardless of whether you are part of the expanded critical infrastructure or a service provider to it, a certain amount of lead time is needed to test sufficiently, close potential gaps and be in the best position when the rules come into force, because the fines and liability for violations should not be underestimated. The framework of fines is linked to turnover to the same extent as under the GDPR. Beyond the risk of a successful cyber attack, which even a small security gap can lead to, such gaps will in future be punished dearly even without a successful attack.
As a cloud IAM provider with integrated multi-factor authentication and experts in the area of cybersecurity, we are happy to support you in implementing the required security measures and to ensure together that you can look forward to the entry into force in October 2024 without worries. Whether required or not, at Bare.ID we already operate in accordance with the highest security and compliance standards in order to meet the needs of even heavily regulated industries.
