NIS2 - What you need to consider



Back in 2016, the EU established the NIS (Network and Information Security) cybersecurity directive. Because the directive was very abstract and was not implemented uniformly across the EU countries, and because the coronavirus pandemic further amplified cyberattacks, the European Commission decided to revise it. The revised version, NIS2, has been available since mid-January; it replaces NIS and defines new EU minimum standards for the cybersecurity of critical infrastructure. The obligations of the directive are to be implemented in national law by the end of 2024.

What's new about NIS2?

The revised NIS2 directive significantly expands the sectors that are classified as critical services. While NIS covered only eight sectors, NIS2 expands this to 18 and distinguishes between "essential" and "important" sectors. Here is a comparison of the scope of NIS and NIS2:

Scope of NIS

  • Energy (electricity, oil, gas, heat)
  • Health (utilities, pharmaceuticals)
  • Transportation (air, rail, water, road)
  • Banks and financial markets
  • Water
  • Digital (Internet Exchange Point (IXP) providers, DNS service providers, TLD name registries, ICT service management)
  • Industry (technology and engineering)
  • Digital services (online marketplaces, online search engines, social networks)

Scope of NIS2: "Essential"

  • Energy (electricity, oil, gas, heat, hydrogen)
  • Health (utilities, laboratories, pharmaceuticals)
  • Transportation (air, rail, water, road)
  • Banking and financial markets
  • Water and wastewater
  • Digital (Internet Exchange Point (IXP) providers, DNS service providers, TLD name registries, data center service providers, cloud computing service providers, content delivery network providers, trust service providers)
  • ICT service management, space, public administration

Scope of NIS2: "Important"

  • Postal and courier
  • Waste management
  • Chemicals
  • Food
  • Industry (technology and engineering)
  • Digital services (online marketplaces, online search engines, social networks)
  • Research

NIS2 thus affects more companies, prescribes an improved risk management approach, and provides for more obligations and stricter sanctions. It now clearly sets out the procedures, content and deadlines for reporting security incidents, as well as transposition into national law and enforcement. Other new measures in the directive include:

  • the establishment of national computer emergency response teams
  • the creation of an incident response plan coordinated with member states' plans
  • improving cooperation between private and public entities
  • a security culture across the sectors that are critical to the economy and society and rely heavily on ICT, such as energy, transport, water, banking, financial market infrastructures, healthcare and digital infrastructure.

The directive sets thresholds of at least 50 employees and 10 million euros in annual revenue. But beware: some companies, regardless of size, count as critical services affected by NIS2 if they are the sole provider of a service in a country that contributes significantly to the maintenance of critical activities of society or the economy.

Implementing NIS2 - act now

The federal government in Germany plans to convert NIS2 into national law by October 2024. Those who are newly covered by the directive should act quickly, because consulting, the selection of suitable technologies and their implementation all take time. With proactive security solutions from Rohde & Schwarz Cybersecurity, you can meet the requirements of NIS2, choose the best possible protection for your sensitive data and increase your digital sovereignty.

We would be happy to advise and support you in implementing the NIS2 directive - feel free to contact us.
