A conversation with James Blake, Cohesity

„In an emergency, computers won’t boot up“

The EU Network and Information Security Directive (NIS 2) will soon be transposed into German law. James Blake from data security provider Cohesity looks at its likely impact.


The new European standard for cybersecurity goes by a cumbersome name – the second EU Directive on Network and Information Security (NIS 2). The transposition into German national law, which was on the Federal Cabinet's agenda at the end of July, is even more cumbersome. The NIS 2 Implementation and Cybersecurity Strengthening Act is progressing. But the NIS 2 Directive was supposed to be incorporated into national law across Europe by mid-October 2024. Several countries, Germany among them, will probably miss that deadline.

This delay complicates preparations for businesses. „National regulations can sometimes exceed the requirements of the EU Directive“, explains James Blake, head of Global Cyber Resiliency Strategy at the data security specialist Cohesity. The previous directive, NIS 1, was implemented more stringently in Germany than in other countries. Nevertheless, Blake, who advises clients on building protection systems and responding to cyberattacks, recommends starting basic preparations now.

Cyber directive covers significantly more companies

The scope of companies required to meet certain minimum security measures under NIS 2 has expanded from seven to 18 sectors, compared to the previous regulation. It covers businesses in those sectors that have at least 50 employees, or whose annual turnover and balance sheet total each exceed 10 million euros.

It is estimated that this could affect around 30,000 companies in Germany. Other firms will be indirectly impacted as suppliers and business partners. Companies subject to the directive must also account for cybersecurity risks across their supply chains.

The digital industry association in Germany, Bitkom, is critical of the fact that companies currently lack the urgently needed legal certainty, due to delays in departmental coordination. They hope for the law to come into effect by early 2025.

The threat to companies from IT attacks is omnipresent. Battery manufacturer Varta, which is undergoing a restructuring process, had to delay its financial report following a cyberattack. Teamviewer also experienced an IT attack recently, which, while not affecting the product environment, led to a significant reaction on the stock market. The attack was carried out through a compromised employee account.

If the initial analysis is incorrect, the resulting solutions will be flawed.

James Blake, Cohesity

The NIS 2 Directive aims to improve „resilience and response capabilities“, according to the EU's objectives. However, Blake cautions that defending against an attack is only part of the equation, saying that „companies should focus more on managing cyberattacks.“ This starts with risk assessment. „Often, only 1% of the time is spent analysing potential risks, while 99% is spent developing defence strategies“, he reports. „But if the initial analysis is incorrect, then the resulting solutions will be flawed.“

Resilience involves keeping systems up to date, securing data through backups, and developing detailed response plans to mitigate the negative effects of a successful cyberattack. Attention to detail is crucial: „In an emergency, computers might not boot up, messaging systems might remain silent, and electronic access cards might not open doors“, he notes. Companies need to prepare for such scenarios and the potential chaos they could cause.

Rising liability risk

Although details on national implementation are still pending, it is already known that violations of NIS 2 can result in fines of up to 2% of global annual revenue for companies in critical sectors. Executives and board members will also face increased personal liability and will be required to complete IT security training. Whether managers can insure themselves against liability claims remains unclear. Cyber insurance is hard to come by, often expensive, and typically involves high deductibles. Additionally, the details matter for pricing policies. „Insurers will likely wait for the final version of national legislation before introducing their products,“ Blake predicts.

The potential for variations in national NIS 2 laws poses a question for many international corporations: Which variant is decisive for them? Blake identifies two approaches: „One can opt for the strictest requirement“, he explains, though this might apply to a country representing only a fraction of the corporate revenue. A simpler approach might be to consider the national laws collectively and take a cross-section of them. In this case, companies must document and justify their chosen interpretation to the regulatory authorities. Historically, regulators have not imposed additional hurdles, according to Blake. „The regulators I have worked with have generally been very pragmatic.“