Which categories of economic sectors does NIS2 affect?
NIS2 distinguishes two groups of sectors: "sectors of high criticality" (Annex I of the directive), whose entities are generally classified as essential entities, and "other critical sectors" (Annex II), whose entities are generally classified as important entities.
Energy, transport, banking and financial market infrastructure, health, drinking water and waste water, digital infrastructure, ICT service management, public administration and space fall into the first group; the second group includes manufacturing, postal and courier services, waste management, chemicals, food, digital service providers and research.
Which companies within these sectors are covered is determined partly by the directive itself, which generally applies to medium-sized and large enterprises in the listed sectors regardless of national law, and partly by each member state's transposing law, which identifies the entities in scope and may add smaller ones (for example, sole providers of a service or entities whose disruption would have significant effects).
For affected companies, the NIS2 directive brings new responsibilities. They must report significant cybersecurity incidents to the national CSIRT or competent authority in several stages (Article 23):
- Early warning: within 24 hours of becoming aware of the significant incident, stating whether it is suspected to be caused by unlawful or malicious acts and whether it could have cross-border impact.
- Incident notification: within 72 hours of becoming aware, updating the early warning with an initial assessment of severity, impact and, where available, indicators of compromise.
- Intermediate report: on request of the CSIRT or competent authority, with relevant status updates.
- Progress report: if the incident is still ongoing one month after the incident notification, a progress report is submitted instead of the final report.
- Final report: within one month of the incident notification, or, for incidents still ongoing at that point, within one month after the incident has been handled.
- Voluntary reporting remains possible, both for entities outside the scope of the directive and for incidents that do not meet the significance threshold.
Companies must also actively manage risk and implement appropriate technical, operational and organisational measures covering at least: risk analysis and information system security policies, incident handling, business continuity and crisis management (including backup and disaster recovery), supply chain security, security in the acquisition, development and maintenance of systems (including vulnerability handling and disclosure), assessment of the effectiveness of these measures, cyber hygiene and training, cryptography, human resources security, access control and asset management, and multi-factor or continuous authentication where appropriate. The protection mechanisms and technologies used must reflect the state of the art. Member states may also require entities to use ICT products, services and processes certified under European cybersecurity certification schemes to demonstrate compliance.
In Germany, the NIS2 directive will lead to adjustments to the existing BSI Act as amended by the IT Security Act 2.0, or possibly to a new law. German critical-infrastructure (KRITIS) operators with an established information security management system (ISMS) and reliable cybersecurity technology are well prepared and will likely need only minor adjustments; the larger change is for the many newly covered companies in the other sectors, which must build these capabilities for the first time. This directive sets the stage for a more robust cybersecurity landscape across all industries.