Cybersecurity Obligations for Businesses: The NIS 2 Directive

Cybersecurity Obligations for Businesses: What the NIS 2 Directive Requires

The threat landscape in cyberspace is continuously intensifying. Ransomware attacks, supply chain attacks, and state-sponsored cyber operations affect businesses of all sizes. The European legislator has created a comprehensive regulatory framework with the NIS 2 Directive (EU) 2022/2555, which significantly tightens cybersecurity requirements for businesses. The national implementation through the NIS-2-Umsetzungs- und Cybersicherheitsstärkungsgesetz (NIS2UmsuCG) affects considerably more businesses than the predecessor regulation and introduces severe penalties for non-compliance.

Who Is Affected by the NIS 2 Directive?

Essential and Important Entities

The NIS 2 Directive distinguishes between essential entities and important entities. This categorisation determines the extent of supervision and the level of potential fines.

Essential entities include, among others:

• Energy (electricity, gas, oil, district heating, hydrogen)
• Transport (air, rail, water, road)
• Banking and financial market infrastructures
• Healthcare
• Drinking water and wastewater
• Digital infrastructure (DNS, TLD, cloud, data centres)
• Public administration
• Space

Important entities include, among others:

• Postal and courier services
• Waste management
• Chemicals and food
• Manufacturing (medical devices, machinery, vehicles, electronics)
• Digital services (online marketplaces, search engines, social networks)
• Research

Thresholds

Whether an entity is affected depends on company size and sector:

• Medium-sized enterprises: From 50 employees or from 10 million euros in annual turnover and balance sheet total
• Large enterprises: From 250 employees or from 50 million euros in annual turnover

Certain entities are affected regardless of size, such as DNS service providers, TLD registries, qualified trust services, and operators of critical infrastructure.

Risk Management Obligations

Minimum Cybersecurity Requirements

Affected businesses must implement appropriate and proportionate technical, operational, and organisational measures to manage the risks to the security of their network and information systems. The measures must cover at least the following areas:

• Risk analysis and security policies for information systems
• Incident handling (Incident Response)
• Business continuity management including backup management and recovery
• Supply chain security and security aspects in supplier relationships
• Security in the acquisition, development, and maintenance of IT systems, including vulnerability management
• Policies and procedures for assessing the effectiveness of security measures
• Cyber hygiene and training in cybersecurity
• Cryptography and encryption
• Human resources security, access control, and asset management
• Multi-factor authentication and secured communications

Documentation Obligations

All measures and their implementation must be comprehensively documented. This includes:

• Risk analyses and their regular updates
• Security policies and concepts
• Incident response plans
• Training records
• Results of audits and penetration tests
• Supplier assessments regarding cybersecurity

Reporting Obligations for Security Incidents

The NIS 2 Directive introduces a graduated reporting system for significant security incidents:

Three-Stage Reporting Procedure

1. Early warning within 24 hours: Upon becoming aware of a significant security incident, an initial notification must be submitted to the BSI (Bundesamt für Sicherheit in der Informationstechnik). This must indicate whether the incident is presumably attributable to unlawful or malicious acts and whether cross-border impacts are possible.

2. Incident notification within 72 hours: An updated notification with an initial assessment of the incident, including severity, impact, and -- where available -- indicators of compromise.

3. Final report within one month: A detailed report describing the incident, the nature of the threat, countermeasures taken, and cross-border impacts.

What Constitutes a Significant Security Incident?

A security incident is deemed significant if it:

• has caused or may cause severe operational disruption or financial losses
• has affected or may affect other natural or legal persons by causing considerable material or immaterial damage

Supply Chain Security

A particular focus of the NIS 2 Directive lies on supply chain security. Businesses must:

• Consider the specific vulnerabilities of their direct suppliers and service providers
• Assess the overall quality of products and cybersecurity practices of their suppliers
• Establish contractual arrangements regarding security requirements with suppliers
• Conduct regular reviews of supply chain security

This has significant implications for contract design: Existing supplier contracts must be supplemented with cybersecurity clauses.

Managing Director Liability

Personal Responsibility of Management

The NIS 2 Directive establishes personal liability of management for compliance with cybersecurity obligations. Management bodies must:

• Approve and oversee the implementation of risk management measures
• Participate in cybersecurity training
• Offer all employees regular training

In the event of culpable breach of these duties, managing directors and board members are personally liable to the company. A waiver by the company of claims for damages or a settlement is not possible under the German implementation draft.

The BSI as Supervisory Authority

The Bundesamt für Sicherheit in der Informationstechnik (BSI) becomes the central supervisory authority. Its powers include:

• Audits and inspections (for essential entities also proactively)
• Orders to remedy deficiencies
• Requiring evidence of the implementation of security measures
• Warnings to the public about affected entities
• For essential entities: Appointment of a monitoring officer
• Temporary prohibition of management functions in the event of repeated violations

Fines and Sanctions

The fine framework is modelled on the GDPR:

• Essential entities: Up to 10 million euros or 2% of global annual turnover
• Important entities: Up to 7 million euros or 1.4% of global annual turnover

Overlaps with the GDPR

NIS 2 and the GDPR pursue different protective objectives but overlap considerably in practice:

• Technical and organisational measures under Art. 32 GDPR partially coincide with NIS 2 requirements
• Reporting obligations for data breaches (72 hours under the GDPR) complement the NIS 2 reporting obligations
• An integrated compliance management approach is recommended to avoid duplicate structures

Important: Compliance with NIS 2 requirements does not replace GDPR compliance, and vice versa. Both regulatory frameworks coexist.

Practical Implementation Roadmap

Phase 1: Impact Assessment (immediately)

• Determine whether your business is to be classified as an essential or important entity
• Identify all relevant network and information systems
• Determine the responsible persons at management level

Phase 2: Gap Analysis (1--3 months)

• Assess the current state of your cybersecurity measures
• Compare with the NIS 2 minimum requirements
• Identify areas requiring action and prioritise measures

Phase 3: Implementation (3--12 months)

• Establish an information security management system (ISMS)
• Implement incident response processes and reporting structures
• Train management and employees
• Review and supplement supplier contracts
• Document all measures comprehensively

Phase 4: Continuous Improvement (ongoing)

• Regular audits and penetration tests
• Updates to risk analyses
• Adaptation to new threat landscapes and regulatory developments

Conclusion

The NIS 2 Directive marks a paradigm shift in cybersecurity regulation. The significantly expanded scope, personal managing director liability, and severe fines make early and structured implementation indispensable. Businesses that already have a functioning ISMS have an advantage -- but even they must adapt their processes to the specific NIS 2 requirements.

compleneo provides comprehensive advice on implementing the NIS 2 requirements -- from the impact assessment through the implementation of technical and organisational measures to contract design with suppliers. Together with our interdisciplinary team spanning data protection, IT law, and compliance, we ensure that your business meets the new requirements.