
NIS-2: What changes does the new EU cybersecurity directive bring?


On December 27, 2022, the European Union published the long-awaited new European Directive (EU) 2022/2555 (NIS 2 Directive) in its Official Journal (we reported). On March 22, 2023, Bremen-based Professor Dr. Dennis-Kenji Kipker gave a lecture on this topic at Bremen University of Applied Sciences as part of the Academy of the Free Institute for IT Security (IFIT), presenting the regulations in the updated Network and Information Security (NIS) Directive. We would like to summarize the key findings from the lecture in this article.

After a brief introduction to the new law, Prof. Dr. Kipker first addressed the complex regulations, particularly the expanded scope of application. He then placed NIS-2 as a component of the European cybersecurity regulatory framework and, in particular, distinguished it from the draft EU Cyber Resilience Act, which addresses the cybersecurity of products throughout their entire life cycle.

New requirements for organizations

NIS-2 is intended to encourage smaller companies to implement additional information security measures. In this regard, it is important for companies to know whether they are affected by this new law. The law generally applies to both private and public organizations, although there are numerous exceptions for public institutions. Regarding the scope of application, NIS-2 differentiates between high-criticality sectors (Annex I) and other critical sectors (Annex II).

Annex I with high criticality includes, among others, companies from the following sectors:

  • Energy, transport, banking, financial market infrastructure, healthcare, drinking water, wastewater, digital infrastructure, ICT service management, public administration and space

New categorization of organizations

Another innovation is the allocation of companies into two categories: “essential” and “important” entities. “Essential entities” include companies in Annex I that exceed the European thresholds for medium-sized enterprises and companies classified as essential entities according to NIS-1 or by the Member State. “Important entities” include companies in NIS-2 Annex I and II that are not considered “essential entities” or that have been classified as “important entities” by the Member State. Member States must draw up a list of these entities by April 17, 2025.

Obligations of the Member States

Prof. Dr. Kipker then explained the obligations of the member states with regard to the new law. According to this law, member states must, among other things, develop a national cybersecurity strategy, including a governance framework for NIS-2, and – in light of various incidents, such as the coronavirus pandemic and the Russian invasion of Ukraine – increasingly incorporate supply chain protection into it. Furthermore, the legislation requires that the coordinated disclosure of vulnerabilities be addressed.

Obligations of the organizations

Prof. Dr. Kipker then illustrated the obligations of companies with regard to the new law. Accordingly, the management bodies of “essential” and “important” companies must not only approve cybersecurity measures but also continuously monitor their implementation. The law, like NIS-1, requires companies to implement all appropriate technical and organizational measures (TOMs) in accordance with the state of the art and their individual risk exposure as part of cybersecurity prevention. The law contains a catalog of TOMs, including, for example, crisis management, cyber hygiene, cryptography, personnel security, authentication technologies, and emergency communications. Furthermore, companies must not only consider digital protection in their measures, but also assume a hybrid threat situation and integrate the physical infrastructure of IT systems. Reference to international norms and standards is to be expected.

Higher penalties for violations

At the end of his presentation, Prof. Dr. Kipker outlined the regulatory powers under the law. For effective and risk-based supervision, the respective Member State must distinguish between essential and important entities. In the event of a breach of the law, the state must take effective, proportionate, and dissuasive measures.
