Deutschland: Wach Auf and Get Ready for NIS2
17 October 2024 was the date by which member states should have transposed the landmark legislation known as the Network and Information Security Directive (NIS2) into national law; but in a plot twist of German "efficiency", Germany failed to deliver on time, and it will now take a new German government to do so…
So given this extra time, the question remains — why haven't you taken steps to become compliant yet? The fact of the matter is that the cybersecurity landscape is changing, and it will have rippling effects on companies whether or not they are legally compelled to comply.
Let's take a look at some of these effects and how you can play catch-up to become a model German business.
Excuses are Like Cabooses — Everyone's Got One
"It doesn't apply to us"
"We don't have the money"
"We'll do it later"
"Cybersecurity, schmybersecurity"
- Poor excuses we commonly hear
We've heard it all before, but excuses for noncompliance are…well, inexcusable. Even if you believe that you aren't obligated to comply, ignorance is not a defense; being proactive is the only way to avoid entirely avoidable legal fines and penalties.

"...What? What is NIS2?"
Oh boy. If you haven't heard of it by now, you should know that NIS2 is a new EU directive that establishes a legal framework for cybersecurity measures across member states. It is an update to NIS1, which worked similarly, but NIS2 widens the scope significantly (meaning it affects more industries and types of companies), provides clearer rules, and introduces new accountability measures (i.e., tougher, higher fines).
While NIS1 covered core sectors such as energy, healthcare, finance, water management, and others, NIS2 casts a wider net — see below for more details.
"NIS2 compliance is too expensive"
You know what's more expensive? The consequences of noncompliance. It's understandable that smaller companies may not have the resources to upgrade their cybersecurity infrastructure and that staff training is time consuming and costly. However, considering that the average cost of a data breach for German companies is EUR 5.13 Million, and that on top of that legal fines can easily amount to EUR 10 Million or more, chances are infrastructure upgrades are far less of a hassle than the alternative. Additionally, managing directors (MDs) can be held personally liable for data breaches that occur — one of the more significant changes from NIS1 to NIS2.

On top of that, in the event that a cyberattack does happen on your watch, indirect costs such as operational disruptions, reputational damage, and other financial losses have long-term consequences you may not even anticipate.
But try not to worry. If you truly do not have the resources to meet the state-mandated compliance requirements, Germany offers helpful resources that help small- to mid-sized businesses improve their security measures and move toward a more digital infrastructure.
"We don't have the time."
We get it. Day-to-day operations take up enough time as it is, and compliance efforts may not be your top priority. However, this excuse is flimsy at best and flat-out wrong at worst, for three key reasons:
- Cybersecurity incidents can halt your operations, sending you scrambling and costing far more time and money than you would have spent on a compliance program.
- Gradual changes over time are much easier to implement than an all-at-once approach.
- Outsourcing to a third-party expert can reduce your internal teams' burden.
"We don't care about cybersecurity."
Well, cybersecurity cares about you. Downplaying its significance, even for smaller companies, is playing with fire. Sure, we hear about large-scale data breaches in news headlines and commentary pieces, but the majority of cyber attacks actually hit smaller organizations that are less likely to prioritize security. For bad actors, medium-sized businesses are low-hanging fruit because they under-invest in security and are out of the public eye.

The effectiveness of your security infrastructure could also very well be the deciding factor in who wants to work with you. NIS2 emphasizes supply chain security for good reason: third-party vulnerabilities are one of the major sources of cyber risk. Noncompliance has as much potential to cost you new business as it does to hurt your bottom line.
NIS2 aims not only to protect your data and your customers' data; it also protects your reputation — something you probably rely on.
"It doesn't even apply to me."
Even if you weren't obligated to comply with NIS1, NIS2 has a more expansive scope that covers more sectors than before. And since this is the excuse we hear most frequently, let's break it down a little further.
Yes, It Probably Applies to You Too. Or it Will Eventually.
The new list of industries affected by NIS2 includes:
- Energy: Electricity, oil, gas, and others
- Transportation: Logistics providers (including postal/courier services), as well as air, rail, water, and road transit companies
- Banking: Any financial service or credit institution
- Healthcare: Care providers, labs, and hospitals
- Essential services: Companies that handle potable water, waste treatment/disposal, data centers, domain service providers, government entities at both regional and national levels, and more.
- Food production: Any company that processes or distributes food products.
- Manufacturing: Any manufacturer that deals with chemicals, medical devices, or pharmaceuticals.
- Digital services: This is extremely broad and far-reaching. It includes social networks, cloud services, online marketplaces, search engines, and any other service that is offered digitally.
NIS2 also categorizes companies into Essential and Important, according to industry and size. You can read more about the designations here.
This new scope is estimated to affect 30,000 companies in Germany alone, and 100,000 EU-wide.
Companies with 50 or more employees and an annual turnover exceeding EUR 10 Million will be subject to the compliance regulations. So if you plan on growing your business in the future, you should start planning for NIS2 sooner rather than later.
Last but not least, your customers might be impacted by NIS2 and will want their suppliers to be compliant too. We actually see this a lot in the industry…
We said it before and we'll say it again: Noncompliance can cost you potential business if other companies require it of their vendors or supply chain. That's why we say yes, it probably applies to you too, or at least it will eventually.
NIS1 vs. NIS2: What's Changed
NIS2 upgrades the existing NIS directive with stricter requirements, a wider scope of affected companies, and heavier penalties for noncompliance. Some of the new requirements include, but are not limited to:
- Tighter incident reporting timelines: Cyber incidents must be reported with an initial notification within 24 hours and a more detailed follow-up report within 72 hours.
- Business continuity and crisis management plans: Now required for applicable businesses.
- Supply chain security and third-party risks: Companies are obligated to actively assess and address cybersecurity measures within their vendors.
- Zero-trust: Continuous user verification and tightly controlled access to technology and systems.
And don't you worry: in addition to new, hefty fines, NIS2 also mandates personal liability for management bodies such as executives and company boards — a major change that should surely get leadership on board with compliance updates!
NIS2 Steps You Should've Taken Yesterday. But There's Still Time.
This entire process could take up to a year, so the sooner you start, the better!
1. Governance and Risk Management
- Appoint a responsible person (or team) for NIS2 compliance.
- Conduct regular risk assessments to identify vulnerabilities and threats.
- Develop a cybersecurity strategy aligned with identified risks.
2. Incident Reporting
- Implement mechanisms for detecting and responding to security incidents.
- Report significant incidents to the relevant authorities within 24 hours of detection (initial notification) and submit a detailed report within 72 hours.
3. Supply Chain Security
- Ensure that third-party suppliers and partners meet your cybersecurity standards.
- Evaluate and mitigate risks associated with supply chain dependencies.
4. Technical and Organizational Measures
- Use industry best practices for network and system security (e.g., encryption, firewalls, endpoint security).
- Regularly update and patch systems to minimize vulnerabilities.
- Conduct employee training to build awareness and reduce human-related risks (e.g., phishing).
5. Business Continuity and Disaster Recovery
- Establish and test a business continuity plan (BCP) and disaster recovery strategy.
- Ensure critical systems can quickly resume operation in the event of disruption.
6. Access Management
- Implement strict access control policies to limit data access to authorized personnel only.
- Use multi-factor authentication (MFA) for sensitive systems.
7. Monitoring and Auditing
- Regularly monitor networks for suspicious activity.
- Conduct periodic audits and penetration testing to identify weaknesses.
8. Compliance with Reporting and Cooperation Requirements
- Maintain clear documentation of compliance activities.
- Cooperate with national authorities, sectoral CSIRTs (Computer Security Incident Response Teams), and the EU Cybersecurity Agency (ENISA).
9. Sector-Specific Compliance
- Tailor your security measures to meet the specific requirements of your sector, as the NIS2 directive applies differently to essential and important entities.
Helpful NIS2 Resources to Get You Back on Track
Turn NIS2 Compliance into a Cakewalk
Cakewalk is the new standard in access management, designed to get you up to speed on NIS2 and other cybersecurity requirements.
We eliminate shadow IT, facilitate self-service access, automate on- and offboarding, help you run access reviews, and more. To learn more about how you can enhance access management in order to stay compliant with new legislation, get in touch today.
What have you done to prepare for NIS2? What are your thoughts? Join the conversation on LinkedIn or get in touch to share!