NIS 2 Directive for Businesses

The Network and Information Security Directive (NIS 2) is expected to significantly improve cybersecurity across the European Union; member states had to transpose it into national law by 17 October 2024. For businesses, this essentially means tightening up their IT security. From now on, companies will have to carry out systematic risk assessments of their IT infrastructure and software and implement appropriate security measures according to the results. Particular attention is paid to the responsibility of management: the Directive requires top management to approve the risk management measures, oversee their implementation and receive training on them. In addition, members of management bodies can now be held personally liable for breaches of these obligations. This regulation shows how seriously the EU takes the threat of cyber-attacks. But more than that, it underlines the need for cybersecurity to be a core management responsibility.

 

What is the NIS 2 Directive?

The NIS 2 Directive is a further development of the European Union's original NIS Directive of 2016. One of the main changes in NIS 2 compared to the first directive is the extension of its scope. In detail, this means that the NIS 2 Directive now covers a much wider range of sectors and companies:

  • Broadening the sectors concerned: While the original NIS Directive mainly covered critical infrastructure such as energy, transport, healthcare and financial services plus a narrow set of digital service providers, the NIS 2 Directive goes well beyond that. It now also includes ICT service management (managed service and managed security service providers), data centres and other digital infrastructure, social networking platforms, postal and courier services, public administration, manufacturing of certain products and even waste management.
  • Categorisation of entities: NIS 2 distinguishes between "essential" and "important" entities. "Essential" entities are those that provide critical services, the failure of which would have a significant societal or economic impact. "Important" entities are those whose failure would also have significant, but somewhat less critical, consequences. Essential entities are subject to stricter supervision and higher maximum fines.
  • Increased requirements and reporting obligations: All affected entities must now implement more detailed cybersecurity measures and report faster. A significant incident must be reported to the competent authority with an early warning within 24 hours of the entity becoming aware of it, followed by a full incident notification within 72 hours and a final report no later than one month after that notification.

Extended state supervision under the NIS 2 Directive

The NIS 2 Directive also places a strong focus on increased state supervision, especially in critical infrastructures. This supervision is to monitor the consistent implementation of the directive. Therefore, all companies covered by NIS 2 are obliged to register with the competent authorities. In Germany, this task is carried out by the Federal Office for Information Security (BSI).

Another central component of extended state supervision is the obligation for companies to provide evidence of compliance with the security requirements. This evidence can be provided through internal and external audits, test reports and other documentation.

In addition, the powers of the state supervisory authorities will be expanded. From now on, the BSI and the other responsible authorities have the right to carry out on-site inspections and random checks, request evidence and information, order security audits and investigate security incidents.

At the same time, the NIS 2 Directive promotes cooperation between national authorities within the EU. This cooperation is crucial for uniform enforcement of the Directive and cross-border combating of cyber threats.

 

Which companies are affected by the NIS 2 Directive?

The affected organisations can be divided into four main categories:

  1. Operators of critical infrastructures (KRITIS)
  2. Particularly important facilities
  3. Important facilities
  4. Federal institutions

1. Operators of critical infrastructures (KRITIS)

These companies play a central role in the national infrastructure. Their failure would have serious social and economic consequences. Critical infrastructure includes:

  • Energy suppliers: Companies that provide electricity, gas or oil and supply at least 500,000 people.
  • Healthcare providers: Hospitals and other healthcare facilities.
  • Transport services: Operators of airports, railways and ports.
  • Water management: Companies responsible for the supply of drinking water and the disposal of wastewater.

 

2. Particularly important facilities

These facilities are classified as particularly important due to their size and sector. They must either reach a certain number of employees or exceed certain economic thresholds:

  • Large companies: Companies with at least 250 employees, or with an annual turnover exceeding 50 million euros and a balance sheet total exceeding 43 million euros.
  • Special cases: These include qualified trust service providers, top-level domain name registries, DNS service providers and providers of public electronic communications networks or services; the first three fall into this category regardless of their size.

3. Important facilities

This includes all companies that play a key role in the economy but do not reach the size or importance of the "particularly important facilities":

  • Medium-sized companies: Companies with at least 50 employees, or with an annual turnover exceeding 10 million euros and a balance sheet total exceeding 10 million euros.
  • Trust services: Providers of services that ensure trust in digital transactions, such as electronic signatures, that are not qualified trust service providers (qualified providers fall under category 2).

4. Federal institutions

In addition to private and commercial companies, certain government institutions are also covered by the NIS 2 Directive. These institutions are responsible for the provision of essential state services and must therefore also meet the stricter security requirements from now on.

 

How does NIS 2 have to be implemented?

To meet the requirements of NIS 2, the companies concerned must:

  1. Conduct a thorough risk assessment of IT systems and data to identify potential threats and vulnerabilities. The risk assessment must be updated regularly and must cover the software and remote access tools the company relies on, not only its own infrastructure.
  2. Develop and implement security policies: Based on the results of the risk assessment, specific security policies must be developed. These should include technical measures such as encryption to protect sensitive data and multi-factor authentication (MFA) to prevent unauthorised access.
  3. Set up technical measures:
  • Data encryption
  • Multi-factor authentication
  • Regular security updates
  4. Develop organisational measures:
  • Regular training of employees and awareness-raising
  • Logging and record-keeping for incident management
  5. Establish an incident management system to quickly detect, report and resolve security incidents. This includes the obligation to report significant incidents to the competent authorities within the prescribed deadlines (early warning within 24 hours of becoming aware of the incident, incident notification within 72 hours).
  6. Provide evidence of compliance with the security requirements. Operators of critical infrastructures (KRITIS) are subject to a verification obligation every three years, while other facilities are subject to documentation duties and random inspections by the authorities.

Importance of the NIS 2 Directive for companies using TeamViewer

In general, the NIS 2 Directive poses new challenges for all companies that work with software and personal data, and especially for software manufacturers, since the directive requires them to put security at the centre of how they develop and operate software. The same applies when remote access to other computers is granted with third-party software: companies that use TeamViewer for this purpose must ensure that their use of the tool fully complies with the requirements of NIS 2, because a remote access path into a critical system is part of the attack surface the risk assessment has to cover.

In concrete terms, this means:

  • Only authorised users may access critical systems, which means the set of accounts that can open a session to each system must be defined and reviewed.
  • Multi-factor authentication (MFA) must be enforced for those accounts and every session must be encrypted.
  • All accesses and remote sessions must be accurately logged, with the records retained as evidence for audits.
  • An incident management system must be in place so that security incidents, including misuse of remote access, are quickly detected and reported within the NIS 2 deadlines.
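As an added illustration of these four points (this is example code written for this page, not TeamViewer's own code, and it does not use TeamViewer's real log format), the following Python script audits constructed remote-session records against an assumed allow-list of users per critical system, flags sessions opened without MFA or without encryption, and computes the 24-hour early-warning and 72-hour incident-notification deadlines counted from the first unauthorised session. The JSON-lines format, field names, user identities and host names are all hypothetical. Whether an unauthorised session is a "significant incident" that starts the reporting clock is a judgment the script does not make; it simply uses the timestamp of the first such session as the moment of awareness.

```python
import json
from datetime import datetime, timedelta

# Constructed sample records in a hypothetical JSON-lines format (not a real TeamViewer log).
SAMPLE_LOG = """\
{"ts": "2024-11-04T08:12:00Z", "session_id": "s1", "user": "alice@corp.example", "target": "scada-hmi-01", "mfa": true, "encrypted": true}
{"ts": "2024-11-04T09:30:00Z", "session_id": "s2", "user": "contractor7@ext.example", "target": "scada-hmi-01", "mfa": true, "encrypted": true}
{"ts": "2024-11-04T11:05:00Z", "session_id": "s3", "user": "bob@corp.example", "target": "billing-db-02", "mfa": false, "encrypted": true}
{"ts": "2024-11-04T23:40:00Z", "session_id": "s4", "user": "alice@corp.example", "target": "scada-hmi-01", "mfa": true, "encrypted": false}
"""

# Hypothetical allow-list: which identities may open a remote session to which critical system.
AUTHORIZED = {
    "scada-hmi-01": {"alice@corp.example"},
    "billing-db-02": {"bob@corp.example"},
}

# NIS 2 Art. 23 reporting deadlines, counted from the moment the entity becomes aware of the incident.
EARLY_WARNING = timedelta(hours=24)
INCIDENT_NOTIFICATION = timedelta(hours=72)


def parse_ts(value):
    """Parse an ISO 8601 UTC timestamp with a trailing 'Z' into a timezone-aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_log(text):
    """Parse JSON-lines session records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def audit_session(rec, authorized=AUTHORIZED):
    """Return the list of policy violations for one session record (empty if compliant).

    A target missing from the allow-list is treated as closed to everyone, so a
    session to an unknown system is flagged rather than silently accepted.
    """
    findings = []
    if rec["user"] not in authorized.get(rec["target"], set()):
        findings.append("unauthorized_user")
    if not rec.get("mfa", False):
        findings.append("no_mfa")
    if not rec.get("encrypted", False):
        findings.append("unencrypted_session")
    return findings


def audit_log(text, authorized=AUTHORIZED):
    """Map session_id -> findings for every non-compliant session in the log."""
    result = {}
    for rec in parse_log(text):
        findings = audit_session(rec, authorized)
        if findings:
            result[rec["session_id"]] = findings
    return result


def first_unauthorized_access(text, authorized=AUTHORIZED):
    """Timestamp of the earliest session by a user outside the allow-list, or None."""
    hits = [parse_ts(r["ts"]) for r in parse_log(text)
            if "unauthorized_user" in audit_session(r, authorized)]
    return min(hits) if hits else None


def reporting_deadlines(aware_at):
    """Early-warning (24 h) and incident-notification (72 h) deadlines from the time of awareness."""
    return {
        "early_warning": aware_at + EARLY_WARNING,
        "incident_notification": aware_at + INCIDENT_NOTIFICATION,
    }


def overdue_reports(aware_at, now):
    """Names of the reporting deadlines that have already passed at 'now'."""
    return [name for name, due in reporting_deadlines(aware_at).items() if now > due]


if __name__ == "__main__":
    for sid, findings in audit_log(SAMPLE_LOG).items():
        print(f"{sid}: {', '.join(findings)}")
    aware = first_unauthorized_access(SAMPLE_LOG)
    if aware is not None:
        for name, due in reporting_deadlines(aware).items():
            print(f"{name} due by {due.isoformat()}")
```

On the constructed input the script flags s2 (user not on the allow-list for scada-hmi-01), s3 (no MFA) and s4 (unencrypted session); s1 passes. The deadline functions take the awareness time as an argument on purpose: in practice the clock starts when the incident is recognised as significant, which may be later than the logged session time, and the script should be fed that decision rather than guess it.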

How TeamViewer helps with NIS 2 compliance

TeamViewer has already taken precautions to support this. The software contains numerous functions that are directly geared towards the requirements of the NIS 2 Directive and can play a significant role in helping organisations comply with it. Here is how TeamViewer can contribute:

  1. Enhanced Security and Compliance
  • Remote Access Control: TeamViewer provides remote access that can be configured to align with the security requirements of NIS 2. This includes multi-factor authentication (MFA), encrypted sessions and granular access controls, so that only authorised personnel can reach critical systems.
  • Audit and Monitoring: The platform offers detailed logging and monitoring capabilities, which are essential for maintaining records of remote access sessions. These records help organisations demonstrate compliance with the directive by providing evidence of secure and controlled access to critical systems.
  2. Incident Response and Management
  • Rapid Response: In the event of a cybersecurity incident, TeamViewer enables swift remote response. IT teams can quickly access affected systems to diagnose issues, implement fixes and mitigate risks. This ability to respond rapidly is crucial for minimising the impact of incidents, as required under NIS 2.
  • Collaboration Tools: The platform's collaboration features allow multiple experts to work together in real time to resolve issues, which can be vital in complex incident scenarios.
  3. Resilience and Continuity
  • Remote Support for Critical Infrastructure: TeamViewer can support the continuity of critical services by providing remote maintenance and troubleshooting for essential systems, keeping them operational even when on-site access is not possible.
  • Business Continuity Planning: As part of a broader business continuity strategy, TeamViewer keeps remote work and support available, helping organisations maintain operational resilience, a key aspect of NIS 2 compliance.
  4. Training and Awareness
  • Secure Remote Training: TeamViewer's capabilities can be used to conduct remote training sessions for employees, particularly on cybersecurity best practices and NIS 2 compliance requirements. This helps raise awareness and ensures that all staff are equipped to support the organisation's cybersecurity objectives.

By integrating TeamViewer into your IT and cybersecurity strategy, you can bolster your organisation's compliance with NIS 2, ensuring that you not only meet regulatory requirements but also enhance your overall cybersecurity posture. Bear in mind that the remote access tool is itself part of the attack surface covered by the risk assessment: its accounts, MFA enforcement, access lists and session logs must be included in that assessment and reviewed like any other privileged access path.


Contact

Get ready for the NIS 2 Directive! Learn how to secure your business and stay compliant with the new regulations. Discover how TeamViewer can help you enhance your cybersecurity. Contact our product manager Greg Clarke today for a personalized consultation!