NIS 2 – What Does It Mean for Companies? Are they prepared?

Cyber attacks remain a serious threat. To increase resilience against such attacks, the EU's NIS2 Directive came into force in January.

Feb 14, 2023 12:00:00 PM - 3 min.
Sonja Spaccarotella

Zurich, January 2023 – Cyberattacks continue to pose a serious threat. In order to build resilience against such attacks, particularly in systemically important organisations and facilities and against the backdrop of current geopolitical developments, the European Union’s NIS2 Directive entered into force in mid-January 2023. Nevis, the Swiss company specialising in customer identity and access management solutions, explains what this means for companies and offers an assessment of the situation.

In 2016, the EU approved a directive concerning measures for a high common level of security of network and information systems (NIS). In so doing, it established a standardised legal framework for the first time in order to strengthen co-operation between EU member states in the area of cybersecurity. NIS has now been replaced by NIS2. The takeaway for companies is that member countries now have a period of 21 months from its entry into force on 16 January 2023 during which they must transpose NIS2 into national legislation. The new directive sees the EU take another step towards improving the management of cyber risks. The objective in this case is to further strengthen the protection of network and information systems against cyberattacks and to introduce minimum requirements that will harmonise directives across the 27 member states of the EU. In this context, the fines that can be imposed on operators of critical infrastructure that fail to meet the requirements will be increased. The relevant national authorities are also required to monitor compliance more strictly. 

New sectors and new obligations

The introduction of NIS2 also increases the number of sectors covered compared with NIS. As a result, there are now seven essential sectors and eleven important entities; at present these only partially correspond to Germany’s ‘KRITIS’ (critical infrastructure) sectors and the UBI category (companies in the special public interest), so amendments to German legislation can be anticipated. Essential sectors include companies from the areas of energy, transport, banking, financial markets, healthcare, drinking water, wastewater and digital infrastructure, public administration and space travel. Important entities include providers in the areas of postal and courier services, waste management, chemicals, nutrition, industry, digital services and research.

The operators of entities that provide critical services in the sectors mentioned must meet stricter cybersecurity requirements. To protect IT systems and networks, they must now implement a range of measures, including incident management systems, secure authentication processes such as multi-factor authentication and single sign-on, and emergency communication systems. They must also respond to security incidents promptly and send an initial notification to the responsible authorities within 24 hours. In addition to the above, companies must also consider the draconian fines that can be imposed for infringements of the obligations and requirements set out in the directive. In the case of essential sectors, the maximum amount is at least ten million euros or, in the case of a legal person, two per cent of the total worldwide annual turnover of the preceding financial year. For important entities, the maximum penalty is at least seven million euros or 1.4 per cent of total annual turnover.

Companies are poorly prepared

The NIS2 Directive will force many companies to scrutinise their current routines for detecting and defending against cyberattacks and get ready for the new requirements. Although there is still time before these become mandatory in European member states, security managers would be well advised to take appropriate precautions now. After all, cybercriminals are already very well equipped.

In light of this, the security situation in many companies is extremely alarming, as the Nevis Security Barometer shows. To research this issue, the customer identity and access management (CIAM) specialist joined forces last summer with the opinion research companies Civey and mo’web research to conduct a survey of 500 German IT decision-makers and 1,000 German consumers. Just as it did in 2021, this survey revealed that the IT security of company data could be improved in many cases and that large numbers of IT decision-makers are not up to speed with the latest know-how. The most frequently cited security measures are prescribed minimum password lengths (65 per cent) and a requirement to change passwords on a regular basis (41 per cent). Just 34 per cent currently use two-factor authentication via SMS, while a mere 21 per cent use the more secure biometric two-factor authentication. The fact that some ten per cent of the IT managers surveyed said that they do not take any measures to improve IT security shows just how serious the situation is. What’s more, almost half (47 per cent) of these specialists are unfamiliar with cybersecurity standards such as FIDO, OAuth or WebAuthn, which offer reliable guidelines for data protection.

Modern solutions help security teams

Another factor to consider is that many security teams are currently preoccupied with maintaining their existing technologies in order to optimise threat detection. This leaves them with little time to consider measures to automate their responses to attacks. To rectify this while at the same time preparing themselves for NIS2 and the ongoing critical threat environment, companies should deploy modern solutions to minimise security risks. Attack detection systems and CIAM platforms, backed by multi-factor authentication and single sign-on, will help them meet the requirements of NIS2. What’s more, this is a cost-efficient way for companies to free up their security teams to focus their capacities on responding proactively to cyber threats.

###

About Nevis

Nevis develops security solutions for the digital world of tomorrow. Its portfolio encompasses passwordless logins, which are intuitive to use and offer optimal protection for user data. Nevis is the market leader for Identity and Access Management in Switzerland and secures over 80 percent of all online banking transactions. Public authorities, leading service providers, and industrial enterprises worldwide rely on Nevis solutions. The authentication specialist has locations in Switzerland, Germany, the UK and Hungary.

Press Contact

LEWIS Communications GmbH
Mareike Funke, nevis-security@teamlewis.com