NIS2 - Security of Network and Information Systems 2

NIS2 – Security of Network and Information Systems 2.0 for more cybersecurity in the EU

At the end of 2020, the EU Commission presented a draft for the Security of Network and Information Systems (NIS) 2.0 directive. This is intended to replace the NIS Directive, which became the first EU-wide cybersecurity law to come into force in August 2016. The new draft makes further demands on companies with regard to cybersecurity.

EU cybersecurity strategy

The NIS Directive is part of the EU’s cybersecurity strategy. The declared aim of the NIS Directive is a high common level of cybersecurity within the EU.

As part of the EU cybersecurity strategy, ENISA (European Union Agency for Cybersecurity) established the EU-CyCLONe (European cyber crisis liaison organization network) together with the member states in autumn 2020. The network is intended to support the coordination of precautions and countermeasures against major cross-border security incidents within the EU.

Evaluation of the NIS Directive

The NIS Directive was examined in the second half of 2020. On the basis of the consultations carried out, the draft for the reform by NIS2 was submitted. This takes into account both the new requirements due to the further digitization of the internal market and the challenges and changing cybersecurity threats made visible by the corona pandemic.

More cooperation in the field of cybersecurity

The new draft is intended to take further measures to achieve this goal. It affects the cybersecurity of public and private institutions as well as critical infrastructures. The knowledge held by the authorities of individual member states should be usable by all member states. The Commission also hopes that the draft will identify and address problems that arise in one sector or country and could affect other areas or countries, and that synergies will be used. Finally, there should be more European cooperation in dealing with crises, and measures should be taken jointly and more effectively.

Extension of the scope through the NIS2 Directive

To this end, the Commission also proposes extending the scope. In addition, essential facilities for wastewater and public administration are to be added. The distinction between providers of digital services and operators of essential services should be abandoned.

Furthermore, the requirements for the nationally competent authorities are increasing. Member States should develop national security strategies and do more for crisis management. This also includes the compulsory establishment of “Computer Security Incident Response Teams” (CSIRTs) by the member states, which are to cooperate across the EU. In addition, official control competencies are to be expanded.

More precaution and reporting in cybersecurity and crisis management

The requirements go hand in hand with comprehensive precautionary and reporting obligations. Another component of the draft is intended to institutionalize the cooperation with the data protection supervisory authorities.

As soon as the NIS2 directive comes into force, the EU member states have to transpose it into national law.

Companies should always keep an eye on developments in the legal situation and prepare for necessary changes at an early stage. If you are unsure whether you are also affected by the changes in the law, please contact us. We support you with individual solutions for your company!

Simply use our contact form. You can also call us at the headquarters in Hutthurm on +49 (0) 8505 91 927 – 0 or in our Munich branch on +49 (0) 89 413 2943 – 0.
