01.09.2023

NIS 2: What does your company need to implement, and when?

*Update July 2024: 17 October 2024 is the deadline for transposing the EU NIS 2 Directive into national law in the form of the NIS 2 Act. The planned entry-into-force date for the requirements defined in the NIS 2 Act is 1 June 2025. When the NIS 2 Act actually comes into force depends on the outcome of the parliamentary legislative process.

With the new cybersecurity directive known as "NIS 2", mandatory security measures and incident reporting obligations will apply to many companies in certain sectors from October 2024*.

  • Which companies are affected?
  • Does this include your company?
  • What are the consequences if you do not comply with the regulation?

We have summarised all this and much more for you in this article.


What is NIS 2?

NIS stands for "network and information security"; NIS 2 is the second, revised version of the EU directive on the security of network and information systems. The NIS Directive of 2016 currently applies and was transposed in Austria by the NIS Act (NISG). That act already lays down cybersecurity requirements for sectors that are important to society.

The Directive of the European Parliament and of the Council on measures for a high common level of cybersecurity across the Union (NIS 2 Directive, Directive (EU) 2022/2555) is the successor to the Directive on measures for a high common level of security of network and information systems across the Union (NIS Directive, Directive (EU) 2016/1148) and will replace it definitively with effect from 18 October 2024.


What should be considered?

Cybersecurity risk management measures must be implemented and reporting obligations must be observed. The management bodies (the managing director in the case of a GmbH, the management board in the case of a stock corporation) must approve the measures, oversee their implementation and are liable in the event of violations.

In contrast to the existing regime, under which the authority designated the affected companies as operators of essential services by official decision, under NIS 2 the companies themselves are responsible for checking whether they fall within the scope of the NIS 2 Directive (self-identification).


When do the new regulations apply?

The new regulations will apply from 18 October 2024 at the latest.

The NIS 2 Directive entered into force on 16 January 2023 and will replace the Network and Information System Security Directive (NIS Directive). Member States must transpose it into national law by 17 October 2024; the old NIS Directive is repealed with effect from 18 October 2024.


Which companies are affected?

Medium-sized and large companies in the sectors of high criticality and in the other critical sectors are affected. Company size is determined according to the EU SME definition (Commission Recommendation 2003/361/EC):

Size class         | Employees | Annual turnover        | Annual balance sheet total
Small enterprise   | < 50      | and ≤ EUR 10 million   | or ≤ EUR 10 million
Medium enterprise  | < 250     | and ≤ EUR 50 million   | or ≤ EUR 43 million

Anything above the medium-enterprise thresholds counts as a large enterprise. The employee threshold applies together with at least one of the two financial thresholds.

Essential entities

Sectors of high criticality (Annex I of the NIS 2 Directive)

Energy, transport, banking, financial market infrastructure, health, drinking water, waste water, digital infrastructure, ICT service management (business-to-business), public administration, space

Important entities

Other critical sectors (Annex II of the NIS 2 Directive)

Postal and courier services, waste management, manufacture, production and distribution of chemicals, production, processing and distribution of food, manufacturing, digital providers, research (optional)

As a rule, large companies in the sectors of high criticality are classified as essential entities; medium-sized companies in those sectors and companies in the other critical sectors are classified as important entities. The classification determines the level of supervision and the maximum fines.

Exceptions

Small and micro enterprises under the EU SME definition, i.e. companies with fewer than 50 employees and either an annual turnover or an annual balance sheet total of no more than EUR 10 million, are generally not covered by NIS 2.

However, there are a few exceptions that fall within the scope regardless of their size:

  • Trust service providers
  • Providers of public electronic communications networks or providers of publicly available electronic communications services
  • Top-level domain (TLD) name registries and DNS service providers, excluding operators of root name servers
  • Companies that are the sole provider of a service in a Member State that is essential for the maintenance of critical societal or economic activities


What are the minimum measures required in terms of risk management?

  • Policies on risk analysis and information system security
  • Incident handling
  • Business continuity (e.g. backup management and disaster recovery) and crisis management
  • Supply chain security, including the security of relationships with direct suppliers and service providers
  • Security in the acquisition, development and maintenance of network and information systems, including vulnerability handling and disclosure
  • Policies and procedures for assessing the effectiveness of the risk management measures
  • Basic cyber hygiene practices and cybersecurity training
  • Policies and procedures on the use of cryptography and, where appropriate, encryption
  • Human resources security, access control policies and asset management
  • Use of multi-factor authentication or continuous authentication solutions, secured voice, video and text communications and secured emergency communication systems, where appropriate


What reporting obligations need to be observed?

In the event of a significant cybersecurity incident, the authority (the national CSIRT or the competent authority) must receive an early warning within 24 hours of the company becoming aware of the incident, an incident notification with an initial assessment of its severity and impact within 72 hours, and a final report no later than one month after the incident notification. The authority may also request intermediate status reports in the meantime.

Are there any consequences for your company if you do not comply with the regulations?

Non-compliance may result in fines of up to EUR 10 million or 2% of the total worldwide annual turnover of the undertaking for essential entities, and up to EUR 7 million or 1.4% of the total worldwide annual turnover for important entities, whichever amount is higher in each case.

Management bodies (managing directors and the management board) can be held personally liable for violations if they fail to approve and oversee the risk management measures or if the required risk assessments are neglected or ignored.

How do you best organise the implementation?

  1. Clarify who is affected
  2. Planning resources: Plan budget and personnel resources for implementation
  3. Clarify responsibility: Designate a person in the company who is operationally (primarily) responsible for implementing the regulations. Find competent external partners in good time to support you with implementation. The management bodies must approve the measures, monitor their implementation and are personally liable for violations.
  4. Risk analysis and gaps in relation to NIS 2
  5. Determine measures
  6. Implement measures
  7. Ensure business continuity
  8. Continuous review

We can help you with specific topics. Feel free to contact us with your questions: