NIS 2 Directive for companies
The NIS 2 Directive (Network and Information Security Directive) is intended to significantly improve cyber security throughout the European Union from October 2024.
For companies, this essentially means tightening up their IT security.
From now on, companies will have to carry out systematic risk assessments of their IT infrastructure and software and implement suitable security measures based on the results.
Particular attention is paid to the responsibility of management: the directive requires top management to be actively involved in the monitoring and implementation of security controls.
In addition, managers can now be held personally liable in the event of security breaches.
This regulation shows how seriously the EU takes the threat of cyber attacks.
Not only that: it underlines the need to consider cyber security as a central task of corporate management.
What is the NIS 2 directive?
The NIS 2 Directive is a further development of the European Union’s original NIS Directive from 2016.
One of the main changes in NIS 2 compared to the first directive is the expansion of its scope of application.
In detail, this means that the NIS 2 Directive now covers a much wider range of sectors and companies:
- Expansion of the sectors affected: While the original NIS Directive mainly covered critical infrastructures such as energy, transportation, healthcare and financial services, the NIS 2 Directive goes beyond this. It now also includes sectors such as digital service providers (e.g. cloud service providers and online marketplaces), postal and courier services, public administrations and even waste management.
- Categorization of companies: NIS 2 distinguishes between “essential” and “important” companies. “Essential” companies are those that provide critical services whose failure would have a significant social or economic impact. “Important” companies are those whose failure would also have significant but somewhat less critical consequences.
- Increased requirements and reporting obligations: Compared to the original directive, all affected companies must now implement more detailed and faster cyber security measures. This includes the obligation to report cyberattacks or hacker attacks within 24 hours and to submit a comprehensive report within 72 hours.
Extended state supervision under the NIS 2 Directive
The NIS 2 Directive also places a strong focus on increased state supervision, particularly in critical infrastructures.
This supervision is intended to monitor the consistent implementation of the directive.
For this reason, all companies that fall under NIS 2 are obliged to register with the relevant authorities.
In Germany, this task is carried out by the Federal Office for Information Security (BSI).
Another key component of extended state supervision is the obligation for companies to provide evidence of compliance with the security requirements.
This evidence can be provided in the form of internal and external audits, test reports and other documentation.
The powers of the state supervisory authorities will also be extended.
From now on, the BSI and other competent authorities will have the right to carry out unannounced inspections, request evidence and information and investigate security incidents.
At the same time, the NIS 2 Directive promotes cooperation between national authorities within the EU.
This cooperation is crucial for uniform enforcement of the directive and cross-border combating of cyber threats.
Which companies are affected by the NIS 2 Directive?
In Germany, the companies concerned can be divided into four main categories:
- Operators of critical facilities (KRITIS)
- Particularly important facilities
- Important facilities
- Federal institutions
1. Operators of critical facilities (KRITIS)
These companies play a central role in the national infrastructure.
Their failure would have serious social and economic consequences.
KRITIS includes:
- Energy suppliers: Companies that provide electricity, gas or oil and supply at least 500,000 people.
- Healthcare providers: Hospitals and other healthcare facilities.
- Transportation services: Operators of airports, railroads and ports.
- Water management: Companies that are responsible for the supply of drinking water and the disposal of wastewater.
2. Particularly important facilities
These facilities are classified as particularly important due to their size and importance.
They must either exceed a certain number of employees or reach a certain economic threshold:
- Large companies: Companies with more than 250 employees or an annual turnover of more than 50 million euros and a balance sheet total of more than 43 million euros.
- Special cases: These include providers of trust services, top-level domain registrars (TLDs), domain name system (DNS) providers and telecommunications providers that provide special services.
3. Important facilities
This includes all companies that play a key role in the economy but do not reach the size or significance of “particularly important facilities”:
- Medium-sized companies: Companies with more than 50 employees or an annual turnover of more than 10 million euros and a balance sheet total of more than 10 million euros.
- Trust services: These include providers of services that ensure trust in digital transactions, such as electronic signatures.
4. Federal institutions
In addition to private and commercial companies, certain government institutions are also covered by the NIS 2 Directive.
These institutions are responsible for the provision of essential government services and must therefore also meet stricter security requirements from now on.
How must NIS 2 be implemented?
In order to meet the requirements of NIS 2, the companies concerned must:
- Carry out a thorough risk assessment of their IT systems and data. This should identify potential threats and vulnerabilities. The risk assessment must be updated regularly.
- Develop and implement security guidelines: Based on the results of the risk assessment, specific security policies need to be developed. These policies should include technical measures such as encryption technologies to secure sensitive data and the introduction of multi-factor authentication (MFA) to prevent unauthorized access.
- Set up technical measures. These include:
  - Data encryption
  - Multi-factor authentication
  - Regular security updates
- Develop organizational measures. These include:
  - Regular employee training and awareness-raising
  - Protocols for incident management
- Set up an incident management system to quickly identify, report and resolve security incidents. This also includes the obligation to report incidents to the relevant authorities within certain deadlines.
- Provide evidence of compliance with the security requirements.
Operators of critical facilities or infrastructures (KRITIS) are subject to mandatory audits every three years, while other facilities are subject to mandatory documentation and random inspections by the authorities.
Significance of the NIS 2 directive for companies using TeamViewer
In general, the NIS 2 Directive poses new challenges for all companies that work with software and personal data – especially software manufacturers.
After all, the directive requires companies to focus their software development and use more strongly on security aspects in order to do justice to the issue of cybersecurity.
But what happens when software is used to grant remote access to other people’s computers?
Companies that use TeamViewer for this purpose must now ensure that the use of the tool fully complies with the requirements of NIS 2.
In concrete terms, this means:
- Only authorized users may have access to critical systems.
- Multi-factor authentication (MFA) and encrypted sessions must be set up for this.
- All access and remote sessions must be logged precisely.
- An incident management system must be in place to quickly detect and report security incidents.
How TeamViewer helps with NIS 2 compliance
TeamViewer has already made provisions for this.
The software contains numerous functions that are directly geared towards compliance with the NIS 2 directive.
These are:
Increased security and compliance
- Remote access control: TeamViewer can be configured to meet the security requirements of NIS 2. This includes features such as multi-factor authentication (MFA), encrypted sessions and granular access controls, so that only authorized persons have access to critical systems.
- Audit and monitoring: All remote sessions are accurately recorded and logged.
Incident Response and Management
- Rapid response: In the event of a cyberattack, TeamViewer allows you to respond quickly from a distance. IT teams can immediately access affected systems, diagnose damage, make corrections and take security measures. The faster you react, the less damage is caused.
- Collaboration tools: TeamViewer’s collaboration functions allow several experts to work together in real time on a problem and solve it.
Resilience and continuity
- Remote support for critical infrastructures: TeamViewer can also be used to maintain critical services.
- Business continuity planning: As part of a wider business continuity strategy, TeamViewer ensures that remote working and support runs seamlessly to keep the business running – another key point of NIS 2 compliance.
Training and awareness
- Secure remote training: The functions of TeamViewer can be used for remote training of employees – especially to teach the contents of the NIS 2 directive.
All these functions make TeamViewer a useful tool for companies that want to bring their IT security in line with the requirements of the NIS 2 directive, and that also want to ensure that their remote access will continue to be secure and controlled in the future.
Contact
Get ready for the NIS 2 Directive! Learn how to secure your business and stay compliant with the new regulations. Discover how TeamViewer can help you enhance your cybersecurity. Contact our product manager Greg Clarke today for a personalized consultation!