Your expert for questions
André Glenzer
Partner, Cyber Security & Privacy at PwC Germany
Tel: +49 160 94470376
Email
The Network and Information Security Directive, or NIS2, was published in the Official Journal of the European Union on December 27, 2022, and came into force on January 16, 2023. NIS2 governs the issue of cybersecurity and information security at businesses and institutions. EU member states have time until October 2024 to transpose the directive into national law. In July, September and December 2023, Germany’s Federal Ministry of the Interior and Community drafted a bill known as the NIS2 Implementation and Cybersecurity Strengthening Act (NIS-2-Umsetzungs- und Cybersicherheitsstärkungsgesetz, NIS-2UmsuCG).
The NIS2 Directive expands cybersecurity standards and penalties with the aim of harmonizing and improving the level of security in member states. It also outlines stricter requirements for various sectors. Businesses and organizations need to consider the issues of cyber risk management, control, and monitoring, as well as how to deal with incidents and business continuity. In addition, the directive increases the number of organizations covered, with stricter liability provisions in place for the management of those organizations affected.
“In Germany, the legislation pertaining to critical infrastructure, or KRITIS, has so far mainly affected larger institutions. But now NIS2 is making cybersecurity and resilience a major issue for an even wider range of businesses in Europe and Germany.”
We work with you to assess whether you are affected by the NIS2 Directive and gauge your NIS2 readiness.
Once the groundwork has been laid, we identify shortcomings when it comes to meeting requirements under the directive.
In partnership with you, we identify the measures needed to comply with the directive.
You need a strong cybersecurity framework in the event of a cyber incident.
We develop procedures to ensure that incidents are properly reported to the authorities.
We develop constant checks to safeguard the measures you have developed.
The NIS2 Directive is an EU-wide act of network and information security legislation that came into force on January 16, 2023. Member states have until October 17, 2024, to transpose it into national law. Germany’s Federal Ministry of the Interior and Community has already published a draft bill implementing the NIS2 Directive (NIS-2UmsuCG). The new directive will increase the number of affected businesses dramatically. Due to higher potential penalties and management liability provisions, the businesses affected also face higher standards and greater pressure to take the proper steps.
Use our fast impact analysis tool to find out whether the NIS2 Directive affects your business.
The NIS2 Directive differentiates between “essential” and “important” entities. The main difference is that important entities face lower fines and are subject to reactive supervision by the authorities, whereas essential entities will be subject to proactive supervision. The German drafts differ in the terminology by naming the entities “very important” and “important”.
Instead of a minimum threshold, as in the past, the EU will use “uniform criteria” to determine what kind of entities are affected. The regulations are expected to apply to medium and large enterprises:
As a result, the number of affected businesses in Germany is expected to increase substantially.
Essential entities may face fines of up to 10 million euros or 2 percent of their annual turnover, whichever is higher. Important may face fines of up to 7 million euros or 1.4 percent of their annual turnover, whichever is higher.
The businesses and organizations affected must take appropriate measures in areas such as cyber risk management, supply chain security, business continuity management, encryption, access restrictions, reporting to authorities, and mitigation.
Please note: Under the draft put forward by the Federal Ministry of the Interior and Community, company executives may be held personally liable for compliance with risk management measures. In this case, liability is capped at the equivalent of 2 percent of the company’s global annual turnover.
It’s clear: The scope of application goes well beyond the already familiar types of critical infrastructure. In the energy sector, for instance, the scope of the NIS has so far always been limited to companies that generate, provide, or regulate energy in the electricity and gas sector. We expect NIS2 to extend the requirements to include the supply chain as well, such as the manufacturers of wind turbines and the operators of charging stations for electric vehicles.
Provision, distribution, transmission, and sale of electricity, gas, oil, heating/cooling, hydrogen; operators of charging stations for electric vehicles
Healthcare providers, research laboratories, pharmaceuticals, manufacturing of medical devices
How will NIS2 affect public administration? What aspects of the federal government are subject to NIS2? We take a closer look at the requirements NIS2 places on information security management, as well as the duties and risk of penalties.
Including shipping companies and port facilities
Drinking water suppliers and wastewater disposal providers
Operators of ground-based infrastructure
Loans, trading, market and infrastructure; Update: draft version of the NIS-2UmsuCG also covers the insurance sector
DNS service providers and TLD registries
Production, processing, and distribution
Production and distribution
Waste collection, transport, treatment, and disposal
Cyber incidents in waste disposal and recycling can have a significant impact on public life. That is why the sector has been considered critical infrastructure since January 2024 and requires a particular degree of protection. NIS2 will apply to such businesses from October 2024 onward, even if they do not exceed the KRITIS thresholds.
Medical/diagnostic devices, computers, electronics, optical products, machinery, motor vehicles, trailers, semitrailers, other transport equipment
Production, manufacturing, and trade
Online marketplaces, search engines, social networking platforms
PwC has established a combined NIS2 capability, developed through our communities of Cybersecurity, risk management, incident response, governance, compliance and legal specialists.
These communities have been brought together to form a team of over 150 specialists across EMEA, focussed on supporting our clients with the NIS2 Directive. We are supporting our clients in understanding the relevance of the NIS2 Directive to their organisation; their own ability to meet the requirements or identify where gaps exist, along with supporting them in achieving compliance with the regulatory requirements both local and at EU-level in a proportionate and cost effective manner.
“NIS2 is set to be a real game changer and alter cyber regulation in Europe for good.”
André Glenzer, Partner at PwC GermanyUse our fast impact analysis tool to find out whether the NIS2 Directive affects your business.
Check out our white paper to learn more about the directive and who will be affected. You will also get exclusive access to our checklist to help you prepare for NIS2.
