The European Union published the NIS2 Directive in its Official Journal in December 2022. The directive came into force in January 2023. Member states must transpose the directive into national law within 21 months, i.e., by mid-2024. A lot could change for companies, comments Ingolf Rauh, Head of Product and Innovation Management at Swisscom Trust Services:
The NIS2 Directive by the European Union will regulate the companies that fall under critical infrastructure (CRITIS). Stricter regulations may result in a significant increase in the number of companies belonging to this sector in the future. In Germany, the largest European economy, there are currently around 4,000 companies in this sector alone. The new directive could now increase this number by a factor of 10. This statement will also apply to other EU member states. Most of them probably have yet to be made aware of this. Nevertheless, there is only one year left to prepare.
You may have thought that companies in the water or energy industry are considered part of CRITIS. It may also include companies from sectors such as postal and courier services, waste management, or food processing. The directive's annex also mentions the very broad term 'digital service provider.' To ensure cyber security, companies in the 18 listed sectors with over 50 employees or annual sales exceeding ten million euros must implement mandatory measures. Importantly, providers of digital infrastructure and trust services will also be regulated.
The biggest challenges for the affected companies will be upgrading their operational infrastructure, appointing cyber security officers, implementing or expanding a risk management system, and forming IT security emergency response teams with reporting capabilities. This is a challenging task with an already depleted market for IT specialists. In addition, companies will have to pay even more attention to selecting their partners than they have in the past. Those responsible must ensure the selection of the right service providers that fulfill the regulation and have the appropriate certificates. To be included in reporting systems, these partners must undergo regular audits. Therefore, working with companies with experience in a highly regulated environment is recommended.
However, simply being NIS2-regulated is not sufficient. Companies that fall under this regulation must find ways to comply with the updated IT security requirements, even amidst a shortage of skilled workers. It's important not to underestimate the new regulations since they risk significant penalties, much like those associated with GDPR. In addition, management becomes directly liable in case of violations of this directive.
Companies must determine whether the new directive impacts them and whether they meet the strict requirements by 2024. If so, they should begin making strategic decisions, such as considering whether to build or buy, creating roadmaps, and implementing necessary measures immediately. Failure to do so could result in unpleasant surprises in the summer of 2024.