The EU NIS-2 Directive (Directive (EU) 2022/2555) is a significant step towards improving cyber security in Europe. By introducing stricter security requirements for a far larger number of companies and sectors than its predecessor and by promoting cooperation between member states, it aims to strengthen the EU's resilience to cyber threats.
The EU Cybersecurity Directive NIS-2 must be transposed into national law by the member states of the European Union by October 17, 2024. A draft bill to transpose it into German law is available, although it remains to be seen whether the legislative process will be completed by October 17 and the so-called NIS-2 Implementation and Cybersecurity Strengthening Act will come into force on time. According to estimates, between 25,000 and 40,000 companies in Germany fall within the scope of application. The companies affected are no longer just operators of so-called critical infrastructures. Rather, they also include postal and courier services, companies in the waste management and chemical industries (production, manufacture and trade in chemical substances), manufacturers of medical products or data processing devices, electronic equipment, mechanical engineering and vehicle construction. Because the directive applies a size threshold (as a rule, an entity in one of the listed sectors is in scope from at least 50 employees, or an annual turnover and balance sheet total above EUR 10 million), NIS-2 reaches well into the German SME sector rather than stopping at large corporations.

SMEs, the backbone of the German economy, in particular will have to adapt to significant technical and organizational changes in order to meet the requirements of the new directive.

Increased security requirements

The present draft for the implementation of NIS-2 aims to ensure that the in-scope entities take appropriate and proportionate technical, operational and organizational cybersecurity measures. Appropriateness is assessed on the basis of a risk assessment: how likely is a security incident, and how severe would its consequences be? The measures include policies on risk analysis and information system security, handling of security incidents, business continuity (backup management, disaster recovery) and crisis management. Companies must also ensure the security of the supply chain, take security measures in the acquisition, development and maintenance of network and information systems and, above all, establish policies and procedures to evaluate the effectiveness of their cyber security risk management measures. The affected institutions and companies must further develop policies and procedures for the use of cryptography and encryption, and for the use of multi-factor authentication solutions. Last but not least, companies must provide training for employees to raise their awareness of cyber security issues and potential threats. A practical consequence of the proportionality principle is that an entity should be able to show, in writing, how each measure follows from its risk assessment; a measure without a documented rationale is hard to defend in a supervisory audit.

Cost, investments, know-how

The implementation of NIS-2 will require financial and human resources. Medium-sized companies in particular will face major challenges: investments in technology are required to implement new security solutions and IT infrastructure. In addition to these investment costs, the necessary know-how must be built up or made available within the company, whether through the qualification and training of existing employees or the recruitment of new employees. In many cases, this will mean that additional IT staff will have to be recruited, especially where the know-how is to remain in-house in the long term. External security experts can provide support in implementing the NIS-2 requirements. In both cases, however, companies are faced with increased costs. This is a particular challenge given the general shortage of skilled workers in the information technology sector, especially in the area of security.

Reporting obligations and reporting system

In addition to the technical requirements, companies must also be able to meet the strict reporting obligations for security incidents from an organizational and procedural perspective. Companies must report significant security incidents within tight deadlines: under the directive, an early warning is due within 24 hours of becoming aware of the incident, a fuller incident notification within 72 hours, and a final report within one month. Meeting this requires a rapid response and well-established communication channels, including a decision on who in the company is authorized to classify an incident as reportable and to submit the notification. Companies also face organizational challenges with regard to documentation requirements. All cyber security measures and incidents must be comprehensively documented, which increases the administrative burden. As part of internal organizational and process analyses, companies are required to scrutinize their governance structures and adapt them to the requirements of NIS-2.

Sanctions and liability

Finally, NIS-2 provides for sanctions in the event of non-compliance with the regulatory provisions: companies that fail to meet the requirements risk significant fines. The directive sets the upper limits at EUR 10 million or 2 percent of worldwide annual turnover for essential entities, and EUR 7 million or 1.4 percent for important entities, whichever is higher. Companies also risk reputational damage if non-compliance with NIS-2 requirements leads to successful cyberattacks, because the trust of customers and partners is impaired. Furthermore, the directive assigns responsibility directly to the management body, which must approve the cyber security risk management measures, oversee their implementation and itself attend training; non-compliance with NIS-2 requirements can therefore lead to the personal liability of the board of directors and management if NIS-2 is not observed as a compliance regulation.

Competitive advantages and opportunities

Despite all these considerable challenges, NIS-2 also offers opportunities for German SMEs: IT and cyber security create trust among customers and business partners and represent a competitive advantage. Customers and partners are increasingly asking how a business contact handles the data and trade secrets entrusted to it, and a company that can demonstrate compliance answers that question. Last but not least, the new regulation also opens up potential for innovation. Investments in cyber security measures create technical, organizational and procedural groundwork in companies, which can promote the necessary innovations and accelerate measures for digital transformation.

Cooperation and support

It should also be noted that German SMEs can draw on various support measures to meet the requirements of NIS-2. Government and European funding programs can provide financial support for investments in cybersecurity. Industry associations and networks offer cooperation, and the exchange of best practices within them can strengthen SMEs. External consulting can help to identify and close gaps in cyber security, especially in times of skills shortages.

Conclusion: companies must take proactive measures

The EU Cyber Security Directive NIS-2 poses considerable challenges for German SMEs, but also offers opportunities to improve IT security and competitiveness. Companies must take proactive measures to meet the new requirements and can count on government support and cooperation within their industries. By strengthening cybersecurity measures, SMEs can not only meet legal requirements, but also strengthen the trust of their customers and business partners and secure their position in the market in the long term.