
The impact of the new NIS 2 Directive on critical infrastructure: What the public sector needs to know

Digital city under a protective dome, with a NIS2 notice.

NIS-2: Cybersecurity as the foundation of social stability

In a digitalised world where cyberattacks are a daily occurrence, cybersecurity is no longer merely an IT issue but a societal necessity. Against this background, the European Union has published the Network and Information Security (NIS) 2 Directive, which sets out new standards for cybersecurity and data protection and must be transposed into national law by 17 October 2024. This not only paves the way for more secure management of data and services, but also directly affects the safety of citizens and the stability of society as a whole. A hacked hospital that can no longer guarantee patient care, or an energy supplier that can no longer guarantee the electricity supply, are just two examples of consequences that would already be catastrophic.

What is the NIS 2 Directive?

The NIS 2 Directive (Network and Information Security) is a revision of the original NIS Directive of 2016. It aims to ensure a high common level of cybersecurity across the EU. The Directive introduces enhanced requirements for a wide range of sectors and strengthens Member States’ capacity to deal with cyber threats.

The main elements include:

  • Stricter requirements for risk management and assessment
  • Extended reporting requirements for security incidents
  • Stricter penalties for non-compliance

Who is affected by the NIS 2 Directive?

Firstly, it is important to note that the NIS 2 Directive applies to significantly more sectors than the first NIS Directive. New sectors have been added in the category of "other critical sectors", such as waste management, postal and courier services, research, and several others. The "sectors of high criticality" largely overlap with those already covered by KRITIS in Germany. Examples of sectors of high criticality include energy suppliers, the healthcare sector, public administration and several others.

In summary, the public sector is affected to an even greater extent than under the first NIS Directive.


Impact on public sector organisations

The NIS 2 Directive will be followed by the new IT Security Act (NIS2UmsuCG). The IT Security Act represents the next stage in the development of critical infrastructure management in Germany. The new provisions of the NIS 2 Directive are expected to have the following implications:

  • Extended scope: Organisations and institutions that were not previously classified as operators of critical infrastructure (KRITIS) now fall within the scope of the NIS 2 Directive and, consequently, the NIS2UmsuCG. This means that a large number of new stakeholders must urgently review and adapt their cybersecurity measures.
  • Stricter compliance requirements: The NIS 2 Directive expands compliance requirements, particularly with regard to the reporting of security incidents and the conduct of risk assessments. For public authorities, this means that existing processes and technologies must be reviewed and updated.
  • Sanctions and penalties: The NIS 2 Directive provides for stricter sanctions in the event of non-compliance, which increases the risk profile for public authorities. A breach may have significant financial and legal consequences. Furthermore, negligent failure to comply with the NIS 2 Directive could be made public, causing significant reputational damage to the organisation. Public administrations in particular cannot afford such reputational damage, as it would cast the state in a very poor light if it failed to comply with its own rules.

Recommendations for public administration

Firstly, a comprehensive risk assessment should be carried out to determine the extent to which the new regulations will affect the organisation. As a second step, the IT infrastructure and security measures must then be updated in line with the new requirements. Following this, staff should be trained to ensure they develop a better understanding of the new regulations and the associated risks. We then recommend implementing mechanisms for the timely detection and reporting of security incidents to ensure effective reporting and monitoring.
Finally, legal advice should be sought to ensure that all activities comply with the new regulations.

Conclusion

The NIS 2 Directive is not only a challenge but, above all, an opportunity to place the issue of cyber security in public administration and in KRITIS sectors on a new, solid footing. Public administration is significantly affected by these regulations through the NIS2UmsuCG and must act proactively to ensure both compliance and a high level of cyber security. Time is of the essence and the need for immediate action is clear. In the KRITIS sector, one can and should be able to rely on a stable network and high-performance IT, but this trust must be underpinned by continuous efforts in the field of cybersecurity.
Here at Telekom, we not only provide consultancy services to help implement the NIS 2 Directive, but are also affected by the Directive ourselves. We have therefore experienced KRITIS audits first-hand.

Furthermore, Telekom is the largest IT service provider for the public sector in Germany. Over the past few years, we have gained extensive experience in the digitalisation of public administration through hundreds of projects.
Through our close collaboration with the BSI and our own projects, we have built up in-depth knowledge of all aspects relating to KRITIS. We are happy to share this knowledge and the experience we have gained from implementing KRITIS guidelines.
For decision-makers, the implementation of the NIS 2 requirements offers an opportunity to strengthen the cyber resilience of their organisations and thereby make a valuable contribution to societal security. Measures should be taken as quickly as possible, as time is of the essence. The NIS 2 Directive must be transposed into national law by 17 October 2024.


Marco Klatt

Success through security – Telekom Security

“I’ve always been passionate about simplifying and optimising things. At Telekom, our job is to support customers on their journey towards fast digital processes and to ensure that these are secure and protected – so that the state remains secure and functional.”
