Cybersecurity requirements are becoming significantly stricter for many companies, including organizations that were previously not classified as critical. At the heart of this change is Germany’s NIS2 Implementation Act, which transposes the European NIS2 Directive into national law.
When people talk about cybersecurity, they often think of critical infrastructure such as energy suppliers, hospitals or financial institutions. But the Second EU Directive on Network and Information Security (NIS2) goes much further, as it affects many other areas, including food production companies. With NIS2, cybersecurity has become a board-level priority. Non-compliance can lead not only to penalties, but in certain cases also to personal liability.
NIS2: What companies need to know
The NIS2 Directive aims to establish a unified level of security for network and information systems within the EU, laying down binding requirements for businesses and public authorities. In Germany alone, around 30,000 companies are expected to fall within its scope – a major challenge as it includes the demonstrable implementation of a whole range of technical and organizational measures to manage cyber risks effectively.
“Important” and “essential” entities
The NIS2 Directive classifies companies in so-called “sectors”, taking into account their sales volume and the number of employees. Businesses with 50 or more employees, or with annual revenue and total assets exceeding 10 million euros, that operate in a sector covered by NIS2 (such as the food sector) are already considered important entities.
Where a company has more than 250 employees and an annual turnover of 50 million euros, it is classified as an essential entity. In addition, many organizations are part of the critical infrastructure, based on thresholds such as the number of people they supply. These companies are subject to specific legal requirements for risk management, cybersecurity measures, and the equally necessary business continuity management.