Are you “critical”? Then you need to take action on NIS2

In this article you will read,

• why companies need to address the European security directive NIS2 now,
• how the cloud can simplify compliance with NIS2 requirements
• and why, with the Open Telekom Cloud, you don’t need to worry about NIS2 or other security-related regulations.

Another European compliance directive is set to come into force on October 18: NIS2, focusing on Network and Information Security (cyber resilience). NIS2 aims to enhance the overall level of cybersecurity across the EU, extending its requirements to more companies and organizations in critical sectors. Many more businesses will now be classified as “critical,” compared to previous definitions like those under the Federal Government’s CRITIS Regulation. Companies newly designated as critical should act immediately.

“Insufficient cyber resilience” is a common justification by EU bodies for introducing new directives, which member states are then required to incorporate into national law. This was the case with EU regulation DORA (Digital Operational Resilience Act), which came into effect in 2023 and will be applied starting January 2025. The current NIS2 initiative, focused on network and information security, also stems from concerns over weak cyber resilience among companies. NIS2 is essentially a “DORA for all,” targeting various critical industries and businesses.

NIS2 builds on a legacy: In 2016, the EU introduced the first NIS Directive to create a higher standard of network and information system security for businesses across Europe. It was the first EU-wide, uniform framework for cybersecurity. Now, with NIS2, the directive is being revisited and reinforced, with stricter requirements and more severe penalties expected.

NIS2 does not introduce entirely new concepts. Instead, it extends existing regulations for critical infrastructures (CRITIS) to include new sectors and smaller companies. It mandates that businesses implement current IT security best practices, establish robust access controls, manage systems and service resilience, handle security incidents professionally, secure supply chains, utilize encryption, and engage in active IT risk management.

NIS2 introduces new sanctions (similar to the EU GDPR, fines can be based on annual turnover) and personal liability for managers. The most significant change is in how sectors are classified as critical. A total of 18 sectors are now considered “important” or “essential,” with new inclusions such as research, public administration, and ICT service providers.

To fall under NIS2, companies in these sectors must have more than 50 employees or an annual turnover exceeding 10 million euros – at least, that’s the general rule. However, smaller businesses or those with lower revenue aren’t automatically exempt. Any company performing a “critical” activity, where failure could have a “substantial” impact, may still be subject to NIS2 regulations. A common benchmark is that a service failure affects around half a million people, which could quickly apply to top-level domain registrars or trust providers. As a result, NIS2 covers significantly more companies than previous CRITIS regulations, e.g., KRITIS in Germany. The BSI offers a non-binding NIS2 impact assessment on its website.

NIS2 is scheduled to take effect in Germany on October 18, 2024, although the corresponding implementation law (NIS2UmsuCG) is still under discussion. Even if implementation is delayed by a few weeks or months, companies should assess now whether they are subject to the directive and how they will meet its extensive requirements. Being classified as a “NIS2 company” brings significant responsibilities and obligations. For companies newly identified as NIS2-relevant, this means taking on additional tasks to ensure they can continue delivering their services.

Experts recommend certification, such as ISO 27001, as a way to ensure compliance with NIS2. However, achieving ISO certification is resource-intensive and time-consuming, making it unlikely to be feasible by October 18 – or even the end of 2024. An alternative solution could be to outsource part of the certification and compliance workload to a service provider by migrating IT services to a platform that already meets these compliance standards.

This is where solutions like the Open Telekom Cloud come into play. The Open Telekom Cloud has been meeting key security requirements for many years. By moving workloads to this platform, companies benefit from comprehensive certifications and advanced information security and risk management practices that exceed ISO 27001 standards. This also includes the KRITIS certification for critical infrastructure.

Switching to a secure, European cloud is a smart way to quickly achieve NIS2 compliance with minimal effort – or at least make significant progress in meeting NIS2 requirements.