In the summer of 2022, the Council and the European Parliament reached agreement on a new EU cybersecurity regulation: the so-called NIS 2 Directive (Directive on measures for a high common level of cybersecurity across the Union). Final adoption is due in December 2022. What does this mean for affected companies and what can they expect? CIS expert and Head of Audit Services Robert Jamnik has the answers:
At the end of 2018, the Austrian Network and Information Security Act (NISG), based on the EU's first NIS Directive, transposed the directive into national law. Its aim was to regulate the cyber security of critical infrastructures, such as the energy, healthcare and drinking water supply sectors.
The agreement on a second, updated directive was reached in May 2022. It pursues the goal of a harmonised European cybersecurity regime and aims to raise resilience across the entire infrastructure. The directive is expected to be adopted in December 2022, after which member states have 21 months to transpose it. It can therefore be assumed that it will be transposed into Austrian law by autumn 2024. The additional effort this will mean for affected companies is already foreseeable today, so preparation should not wait for the national law.
Who is affected?
The scope of application will be extended from the current eight sectors to 16 in future. New additions under the NIS 2 Directive include postal and courier services, waste management, the chemicals sector and ICT service management (B2B). With a few exceptions, all companies in these sectors with at least 50 employees or an annual turnover of more than 10 million euros (i.e. medium-sized enterprises and larger under the EU SME definition) are covered; some entities, such as certain digital infrastructure providers, are covered regardless of size. According to estimates, this affects around 3,000 companies in Austria and as many as 100,000 organisations across the EU.
In addition, a distinction will be made in future between essential entities and important entities. The security and reporting requirements are essentially the same for both categories, but they differ in supervision: essential entities are subject to proactive, ongoing supervision by the authority, whereas important entities are supervised only after the fact, when there are indications of non-compliance.
What is in store for the affected companies?
We have summarised the most important changes for you here:
- Duty to report security incidents
with a significant impact on the operation of the service, a significant financial or material impact on the entity itself or on third parties is being tightened. In future, not only actual incidents must be reported, but also significant cyber threats that could potentially result in such an incident.
- Reporting chain up to ENISA (European Union Agency for Cybersecurity) and the establishment of a European vulnerability database at ENISA.
Incident reports go to the national CSIRT or competent authority, which in turn pass aggregated information to ENISA. ENISA will also operate a vulnerability database to which essential and important entities as well as manufacturers and suppliers of network and information systems can disclose vulnerabilities in their products via coordinated vulnerability disclosure.
- Expanded powers of the authority
to check and verify compliance with the requirements, including on-site inspections, security audits and risk-based security scans. Here, too, there is a difference between the two categories: essential entities are checked proactively, while for important entities the authority acts only where there are indications or evidence that requirements are not being met (for example, a finding or penalty issued by a data protection authority may trigger a subsequent risk-based security scan).
- Management bodies are held more accountable
and must therefore approve the cybersecurity risk management measures and oversee their implementation. They can be held personally liable for breaches and must complete regular mandatory training in cybersecurity and risk management so that they acquire sufficient knowledge to recognise and assess risks and the measures taken against them. Over the years this should raise the overall level of quality, as expertise at the top of the organisation increases.
- At the same time, essential and important entities must pay much more attention to the supply chain,
by identifying the specific vulnerabilities of each supplier and each product when selecting products and service providers. This makes the overall quality of products and the cyber security practices of suppliers more important. In this context, certifications and other evidence are becoming increasingly relevant, as they allow a supplier to demonstrate its cybersecurity practices transparently and clearly. Buyers of products and services will in future also assess the supplier's secure development process.
Do you have any questions?
Contact us: our experts come from the field and are happy to share their knowledge and insights.