22.06.2023 · Cyber Risk Management

NIS 2 as an Opportunity for Businesses

What companies in Austria need to know about NIS 2

In today’s digital world, where everything is interconnected, cybersecurity is becoming an increasingly important issue. Because of this high level of interconnectivity, damage in one area can quickly affect others—and a high level of cyber resilience within a country or region can only be achieved through security measures implemented by all stakeholders.

In this context, the European Union (EU) introduced the Directive concerning measures for a high common level of security of network and information systems across the Union (the NIS Directive, Directive (EU) 2016/1148). The regulatory landscape and the attack surface keep changing, so these rules had to be developed further and strengthened: the NIS 2 Directive (Directive (EU) 2022/2555) was drafted. It was published in December 2022, entered into force in January 2023, and defines minimum cybersecurity requirements for companies, particularly those operating "critical infrastructure."

In this blog post, we will take a closer look at what companies need to know about NIS 2 and how it may impact their cybersecurity strategy.

NIS 1 vs. NIS 2: What’s Changing

NIS 2 is the successor to NIS 1 (in force since 2016). The main differences are a considerably wider scope, covering additional business sectors and, through the size cap rule, many more entities within them, and higher minimum requirements. Although the directive entered into force at EU level in January 2023, member states have until 17 October 2024 to transpose it into national law; by that date at the latest, the requirements also apply at the national level.

Who is affected by NIS 2?

NIS 2 applies to entities that, as operators of "critical infrastructure" (a term familiar at least since the pandemic), provide services vital to the public and whose failure would have far-reaching consequences. Alongside "traditional" sectors such as energy, transport, healthcare, and finance, this now explicitly includes digital infrastructure and digital service providers, e.g. operators of communication networks, data centres, cloud and DNS services, on which the security of everyone else's networks and information systems depends. The directive lists 11 sectors of high criticality (Annex I) and 7 other critical sectors (Annex II); entities in these sectors are classified as "essential" or "important," which determines how strictly they are supervised and how high the fines can be.

Under the size cap rule, the directive generally applies to medium-sized and large enterprises: companies with fewer than 50 employees and an annual turnover or balance sheet total of no more than €10 million are out of scope, unless they fall under one of the exceptions. Certain operators of digital infrastructure (e.g. qualified trust service providers, TLD name registries, and DNS service providers) are covered regardless of their size, as is any entity that is the sole provider of an essential service in a member state.

NIS 2 Requirements in Detail

Anyone familiarizing themselves with the requirements of NIS 2 will quickly realize: it depends. What may initially sound like a vague regulation makes sense on closer examination. NIS 2 takes a risk-based approach: organizations must implement security measures proportionate to their individual risk exposure. Central to NIS 2 is the risk analysis, in which potential risks are identified and assessed. NIS 2 does not prescribe exactly which technical measures must be implemented; it requires companies to establish risk management that identifies, assesses and treats their risks and enables a rapid response to changing threats.

Minimum requirements for measures are nevertheless included in NIS 2 (Article 21): to avoid jeopardizing business continuity, i.e., the rapid resumption of operations despite a cyber incident, emergency, backup and crisis-management plans must be in place before an incident occurs. Under the heading "cyber hygiene" are requirements that should be standard practice for every company anyway: vulnerability management, access control, firewalls, systematic and regularly tested data backups, and employee training.

These cybersecurity measures must also extend to suppliers and service providers in the interest of supply-chain security. On the one hand, this means taking precautions against the failure or compromise of a supplier in order to keep the supply chain stable; on the other hand, suppliers themselves are required to implement appropriate security measures, and the quality of those measures must be assessed and contractually required.

NIS 2 also obliges essential and important entities to report significant security incidents to the national CSIRT or competent authority in stages: an early warning within 24 hours of becoming aware of the incident, an incident notification within 72 hours, and a final report within one month. The resulting cooperation with national authorities and, where appropriate, with other companies is intended to ensure that a specific cyberattack does not become a threat to the country's infrastructure and supply.

Requirements of NIS 2

Risk Analysis: Risk management, identification and assessment of potential risks

Business Continuity: Contingency plans, incident management, backup plans

Reporting and documentation requirements: Staged incident reporting (early warning, notification, final report) and documentation

Cyber hygiene guidelines: Vulnerability management, systematic data backup, access control, employee training

Supply chain protection strategies: Extension of these strategies to suppliers

NIS 2, and all is well?

As with any topic, there are also points of criticism regarding the NIS2 Directive.

Implementing these enhanced security measures costs money, and the return on investment is not immediate. Especially for companies that are not backed by a large corporate group, these costs can be a disproportionately heavy burden. Viewed over the long term, however, successful risk management lets companies safeguard not only public infrastructure but also their own economic success, by preventing incidents and reducing the cost of damage in the worst case.

Another point of criticism is that, despite intensive harmonization efforts, implementing the EU directive remains a matter for the individual member states, so details are sometimes interpreted differently in national law, for example the exact definition of which companies fall under the directive. The severity of penalties for violations is also set by national law and can create different incentives depending on the expected amount of the fine.

Heavy fines and personal liability: The consequences of violating NIS2

Penalties for violations are set by national law, but the EU prescribes a floor for the maximum fine that each member state must provide: for "essential" entities, fines of up to at least €10 million or 2% of total worldwide annual turnover, whichever is higher; for "important" entities, up to at least €7 million or 1.4% of total worldwide annual turnover, whichever is higher.

New in NIS 2 is that the management body (managing directors, boards, or other governing bodies) can be held personally liable. Management must approve the cyber risk management measures, oversee their implementation, and attend training on the subject; responsibility cannot simply be delegated to an IT or security team. Even managing directors who are not experts in this field would be well advised to establish structures that deliver transparent and understandable reporting on the company's risk situation.

NIS 2 as an Opportunity

NIS 2 presents companies with a promising opportunity to take their cybersecurity to a new level. By complying with the minimum requirements and implementing a risk-based approach, companies can strengthen their resilience against cyberattacks and proactively identify and assess potential risks. Developing emergency and backup plans, as well as implementing best practices for cyber hygiene, not only improve business continuity but also build trust among customers and partners. By complying with NIS 2 regulations and collaborating closely with national authorities and other companies, businesses can help build a robust network that ensures the collective security of network and information systems. NIS 2 is thus not only an obligation but also an opportunity for companies to strengthen their digital resilience and position themselves as responsible actors in the digitalized world.

Conclusion

The risk-based approach of NIS 2 promises a high degree of efficiency: measures should be implemented where and to the extent that the risk warrants. The prerequisite for this is having an up-to-date and meaningful picture of one’s cyber risks: comprehensively identifying risks and evaluating them using reliable metrics.

“This doesn’t affect us”

This stance will inevitably soften over the next few years. Since companies subject to NIS 2 will also have to hold their suppliers more accountable, the circle of "affected" companies will steadily expand. On the one hand, this may be a challenge for suppliers; on the other hand, it is precisely in line with the common goal of raising cybersecurity across the EU. Suppliers also benefit from better security in their own operations and secure their business continuity in the long term.

Don’t be afraid of NIS 2

In many places, NIS 2 is portrayed as a bogeyman, but it doesn’t have to be. With tools like SEQiFY, you can get a clear picture of your company’s risks and take action based on constantly updated data. 

Clarity on cyber risk starts here.

In just 30 minutes, you’ll receive a complete, business-relevant view of your cyber risks — automatically generated, easy to understand, and action-oriented. Get started now and experience SEQiFY live.
