The second EU Directive on the security of network and information systems (NIS-2) has been in force since January 2023 and will apply from 18 October 2024. The member states must have transposed it into national law by this deadline at the latest. From the perspective of the addressees, however, there is still a considerable need for clarification. In a series of lectures on 29 April 2024, the IHK Frankfurt am Main addressed key aspects of the NIS 2 application.

The start of secure networking

In the atrium of the IHK, experts from companies and associations outlined what NIS-2 will mean for Europe’s economy and then answered questions from the audience from the podium. Consileon’s cyber security expert Andreas Grau was on hand to answer the guests’ questions.

Strengthening cyber defence

The arms race between attackers and guardians of state or commercial IT systems is becoming ever more widespread, faster and tougher. Politically or ideologically motivated actors such as secret services and their unofficial henchmen, who seek to gain unfair strategic advantages for governments and corporations in their own camp, are contributing to this. Arbitrarily scalable computing power and artificial intelligence facilitate brute force attacks at high speed on a broad front. In view of such risks, the EU legislator is imposing stricter security rules on companies in the EU with NIS-2 along the entire supply chain. Even small businesses categorised as essential must contribute to the protection of the overall system.

However, because one hundred percent protection remains an illusion in such an expansive, changeable environment, companies are required to plan and practice well-established emergency management processes that seal off their IT systems in an emergency in order to minimise the overall damage. Comprehensive reporting obligations help to warn other potential victims and contain the threat before it spreads to other companies, sectors or the entire EU internal market.

Andreas Grau answers questions from the audience; in the discussion round, many guests recognise the need for action.

NIS-2: what matters now

NIS-2 obliges companies in numerous sectors to take cyber security seriously. It is worthwhile not to dismiss the directive as ‘bureaucratic harassment’, but to see it as an opportunity. If all legitimate players contribute to minimising the overall risk, a lot will have been gained. Digital security is more than just a service to society, which initially only seems to incur costs. Ultimately, the existence of your own company is at stake.

So what can and must your company do to protect itself and others from cyberattacks in accordance with NIS-2? Good advice doesn’t have to be expensive. Before we ramp up your company’s hacker defences, we check which provisions of the directive apply to your industry and your business model. We will find the right economic and technical approach for every company size and use case. For rapidly expanding companies, we recommend solutions that grow with the business.