Full text
up-to-date-link (EU will update in case of updated version):
Who is affected?
article 2
NIS 2 regulates companies based on their size and sector.
medium-sized or larger public and private entities
from sectors referred to in Annex I or II
which provide their services / carry out their activities in EU
article 2 (2.)
Some sectors are affected regardless of their size:
providers of public electronic communication networks and services
trust providers
top-level domain name registries / service providers
article 2 (2.) establishes additional criteria that determine when a company is subject to regulation, regardless of its size.
Sectors that are critical for society (green = added compared to NIS / KRITIS)
Chemicals
Digital infrastructure
Digital providers
Water supply
Energy
Finance
Food
Health
Manufacturing
Postal services
Public Administration
Research
Space
Transport
Waste Management
New limits per sector compared to NIS
Penalties
Up to 10 Mio. € or 2% of annual revenue
personal liability of CEO and senior management ("leitende Angestellte")
Status
Deadline for national laws: đź“… October 2024
Germany: NIS2UmsuCG
no transition period
no proactive controls before October 2027
latest draft: 29.11.2024
currently on hold due to elections in February 2025
Obligations
Risk Management & handling
incl. supply chain / procurement
Incident Management
Requirements for cryptography usage and encryption
Business Continuity Management (BCM)
including: Secured emergency communication system
Assess effectiveness of measures
Human Resources Security
Training of employees
Access control
Asset management
Multi Factor Authentication and SSO
Use of secure communication (voice, video, text)
Reporting obligation to national cyber security authority
Registration
Obligations differ between middle sized companies / large enterprises
Operators of critical systems (“Betreiber kritischer Anlagen”) have to use IDS
need to provide evidence (KRITIS-PrĂĽfungen)
