NIS2: The EU Cybersecurity Directive bringing your company into regulatory focus

Europe’s cybersecurity landscape is undergoing a tectonic shift. With the NIS2 directive, the EU is introducing the most comprehensive cybersecurity regime in its history – placing thousands of companies under regulatory supervision for the first time. The clock is ticking: as of October 2024, affected organizations must meet strict requirements.


The regulatory tsunami is rolling in

The NIS2 Directive (Network and Information Security 2) significantly expands the scope of the original NIS directive. The number of regulated companies in the EU has increased to over 160,000 – including many mid-sized companies across nearly all critical sectors.

Does it affect your company? The likelihood is high! NIS2 covers organizations across 18 sectors, including:

  • Energy and utilities
  • Transportation and logistics
  • Banking and financial market infrastructures
  • Healthcare
  • Drinking water supply
  • Digital infrastructure and services
  • Public administration
  • Space
  • Waste management
  • Chemical industry
  • Food production
  • And many more


The 6 revolutionary requirements of NIS2

The NIS2 directive brings fundamental changes:

  1. Management accountability: Company leadership is personally responsible for cybersecurity measures and can be held liable for violations.
  2. Risk-based approach: Companies must implement systematic risk management and take appropriate protective measures.
  3. Strict reporting obligations: Early warnings within 24 hours and detailed incident reports within 72 hours are mandatory.
  4. Supply chain security: Security of the entire supply chain must be ensured and monitored.
  5. Encryption and cryptography: Adequate encryption measures become a mandatory component of the security architecture.
  6. Harmonized enforcement: EU-wide sanctions of up to €10 million or 2% of global annual turnover can be imposed for violations.


Economic consequences of delayed implementation

The consequences of inadequate NIS2 preparation are far-reaching:

  • Massive financial penalties with potentially existential impact
  • Personal liability for executives and board members
  • Reputational damage from public exposure of violations
  • Increased vulnerability to successful cyberattacks
  • Competitive disadvantages compared to compliant companies

Worrying reality: According to current information, many EU member states have not yet fully transposed the NIS2 directive into national law, even though the deadline expires on October 17, 2024. The EU Commission has initiated infringement proceedings against 23 member states.


Implementation status across Europe

Implementation varies widely between EU countries:

  • Already implemented: Belgium, Italy, Croatia, Lithuania, and recently Greece, Latvia, Romania, Slovakia, and Hungary
  • Expected in 2025:
    • Finland, Poland, Slovenia, and Cyprus (Q1/Q2 2025)
    • Denmark, Estonia, Netherlands, Austria, Sweden, and Czech Republic (Summer/Fall 2025)
  • Delayed beyond 2025: Bulgaria, France, Ireland, Luxembourg, Malta, Portugal, and Spain


Practical steps to achieve NIS2 compliance

Despite delays in national implementation, companies should act now:

  1. Check applicability: Determine whether your company falls under the scope and which departments are affected
  2. Conduct a risk analysis: Perform a comprehensive cybersecurity risk assessment to identify vulnerabilities
  3. Develop a cybersecurity strategy: Create a comprehensive action plan based on risk assessment and NIS2 requirements
  4. Implement security measures: Apply technical and organizational measures according to identified risks
  5. Establish an incident response plan: Set up processes for detecting, reporting, and responding to security incidents


Benefits of ISO 27001 certification

Companies with existing ISO 27001 certification have a significant advantage in implementing NIS2.
This certification already covers many of the required measures, including:

  • Cyber hygiene
  • Incident management
  • Supply chain security
  • Cryptography

For these companies, implementing NIS2 requirements is less labor- and cost-intensive.


Consequences of non-compliance

Penalties for violations of the NIS2 directive are severe:

  • Fines of up to €10 million or 2% of global annual revenue – whichever is higher
  • Personal liability of company leadership
  • Potential reputational damage and loss of trust


Conclusion: Act now despite delayed implementation

Even though full EU-wide implementation is still pending, affected companies should use the time to prepare thoroughly. The complexity of the requirements demands significant adjustments in IT security, risk management, and compliance.

Companies that begin implementation early can not only avoid fines and liability risks, but also gain a competitive advantage in an increasingly cyber-threatened business environment.
