The new NIS 2 Directive

Companies and authorities need to upgrade their cybersecurity systems

The new NIS2 Directive (adopted in November 2022) also requires medium-sized companies with 50 employees or more to tighten their cyber security policies. Failure to comply can result in high penalties.

Numerous companies, organizations and authorities will have to improve their IT security within the next 21 months, i.e. by the transposition deadline of 17 October 2024.

The latest hacker attacks show that cybersecurity is becoming increasingly important. In 2016 the EU therefore issued the Network and Information Security Directive (NIS) for the authorities, organizations and companies that operate critical infrastructure in the individual member states. That directive has now been replaced by NIS 2, which extends the obligations to many more entities: in future, medium-sized companies, and in specific cases even small ones, will be obliged to strengthen their IT security.

By autumn 2024 at the latest, companies in 18 sectors with at least 50 employees or an annual turnover of more than EUR 10 million must implement a catalogue of cyber security obligations.

NIS vs. NIS 2

Sectors

The sectors of high criticality (Annex I, essential entities) increase to eleven, the other critical sectors (Annex II, important entities) to seven, for a total of eighteen NIS2 sectors.

Operators

Medium-sized and large enterprises (from 50 employees or EUR 10 million turnover) are covered automatically by the size-cap rule, without the individual identification and system-specific thresholds that NIS required. Some operators are regulated regardless of size, in particular parts of the digital infrastructure and public administration.

Cyber Security

The demands on operators and member states are increasing, and cyber security must also be considered in supply chains. 

Cooperation

Supervision in the EU and cooperation between authorities and operators will be intensified, and the rules on jurisdiction and territoriality within the EU will be tightened.

Sanctions

Penalties and enforcement actions will be significantly expanded: maximum administrative fines of at least EUR 10 million (or 2% of worldwide annual turnover) for essential entities and at least EUR 7 million (or 1.4% of worldwide annual turnover) for important entities, whichever is higher.


NIS 2 determines who is affected by uniform criteria: medium-sized and large companies in the eighteen sectors are classified by size according to Recommendation 2003/361/EC:

Who is affected?

Medium-sized companies

50 to 249 employees, EUR 10 to 50 million turnover, up to EUR 43 million balance sheet total

Large companies

250 or more employees, more than EUR 50 million turnover, more than EUR 43 million balance sheet total

Irrespective of the size, the following can be regulated: 

  • Digital infrastructure from critical sectors* is regulated regardless of size: providers of public electronic communications networks or services, trust service providers, TLD name registries and DNS service providers
  • Special cases in critical* and important* sectors are regulated regardless of size, including sole providers in a member state, entities whose disruption could significantly affect public safety or security, entities posing a systemic risk, cross-border dependencies, etc.
  • Public administration entities of central government, and of regional government where a risk assessment shows they provide critical services

Who is probably not affected?

Small companies

fewer than 50 employees and up to EUR 10 million turnover or balance sheet total

Micro companies

fewer than 10 employees and up to EUR 2 million turnover or balance sheet total

Measures for cyber security

Entities in scope must implement at least the following cyber security measures (Article 21(2) of the directive) to protect the network and information systems of their critical services:

✅ Automatically supported by C4SAM

✔️Can be implemented by using C4SAM

➕Can be delivered through our partners

  • Policies: policies on risk analysis and information system security (guidelines for risk & compliance)
  • Incident Management: prevention, detection and handling of cyber incidents
  • Business Continuity: BCM with backup management, disaster recovery and crisis management ✔️
  • Supply Chain: security of the supply chain, including the security-related relationships with direct suppliers and service providers ✔️
  • Purchasing: security in the acquisition, development and maintenance of IT and network systems, including vulnerability handling and disclosure, up to secure development at suppliers ✔️
  • Effectiveness: policies and procedures to assess the effectiveness of cyber security and risk measures
  • Training: basic cyber security hygiene practices and training
  • Cryptography: policies on the use of cryptography and, where appropriate, encryption ✔️
  • Human Resources: human resources security ✔️
  • Access Control: access control policies ✔️
  • Asset Management: management of assets
  • Authentication: use of multi-factor authentication (or continuous authentication) and SSO ✔️
  • Communication: use of secured voice, video and text communication ✔️
  • Emergency communication: use of secured emergency communication systems ✔️

Secure your IT infrastructure with C4SAM with only one solution, easy and affordable. Contact us for more information.

*

Critical sectors (NIS2 Annex I, sectors of high criticality):

  • Energy
  • Transport
  • Banking
  • Financial market infrastructures
  • Health
  • Drinking water
  • Waste water
  • Digital infrastructure
  • ICT service management (business-to-business)
  • Public administration
  • Space

Important sectors (NIS2 Annex II, other critical sectors):

  • Postal and courier services
  • Waste management
  • Manufacture, production and distribution of chemicals
  • Production, processing and distribution of food
  • Manufacturing
  • Digital providers
  • Research
