Cyber Security - how companies benefit from NIS2

Tarek Baish

02. Aug 2023 | 3 min.

The European “Network and Information Security Directive” (NIS2) is intended to help strengthen the cyber security and resilience of companies. Which organisations will benefit from the new regulations?

Cyber threats and attacks on companies and public institutions are part of the daily routine today. In Germany, every fifth company has already been the victim of a cyber attack. The damage caused by cyber attacks amounts to 203 million euros per year, reports Bitkom. To counter these threats, the Network and Information Security Directive (NIS2) was issued on 27 December 2022 at European level to strengthen cyber security and resilience in companies.

What is NIS2?

NIS2 is a directive and not a regulation. This means that all EU states must transpose this directive into national law by 18 October 2024. The aim is for organisations to be able to demonstrate a minimum security standard. This is defined in the law and ranges from guidelines for risks and information security to the prevention, detection and management of security incidents.

An important point, and a growing attack vector, is supply chain management. The supply chain is a popular target for attackers, as suppliers or partners often have access to the IT systems of the companies they supply. Therefore, it is important that partners or suppliers are also subject to and implement the NIS2 requirements. With the expanded scope, more organisations and sectors – including small businesses and digital platforms – are subject to NIS2.

“[...] all EU states must transpose this directive into national law by 18 October 2024. The aim of NIS2 is for organisations to be able to demonstrate a minimum security standard.”

NIS2 is an effort driver

Realistically, the deadline for implementing the security measures cannot be met. A study by Cisco from 2023 reveals that only eleven percent of German companies have implemented adequate protection against modern security risks. Catching up is made much harder by the ubiquitous shortage of skilled workers. In a Bitkom study, 72 percent of respondents stated that the shortage of skilled workers poses a threat to their own company. Even companies that place the highest priority on implementing their IT security strategy often fail due to the limited availability of security technology. Hardware components currently have a delivery time of up to twelve months. All these reasons make implementation by autumn 2024 a major challenge.

Benefits of the EU-wide directive

The NIS2 directive brings not only additional work but also benefits. Member states will work more closely together, ensuring a more direct exchange of information, methods and best practices. At the same time, they will invest in the protection of their systems, and international standards will be promoted. Through NIS2, cyber security will be strengthened across Europe, reducing the impact of cyber attacks. The legislation will also drive manufacturers to further expand their portfolios with innovative products, from which companies will benefit.

When is the best time to do it?

Cyber criminals tend to attack the weakest links in the chain because that is where their chances are greatest. Those who address NIS2 early can strengthen themselves and their IT technically as well as organisationally. By standardising security measures, they reduce the likelihood of becoming the cyber criminals' next victim.

However, given the current shortage of skilled workers, implementing the NIS2 directive is becoming a challenge for many companies. Therefore, it is important to address the issue early on and develop a strategy for implementation – especially for suppliers whose customers demand compliance.

For more information on the requirements, see also this article from Cisco.