Compliance Requirements
With the introduction of EU Directive 2022/2555, commonly referred to as NIS 2, the compliance requirements for companies have increased significantly. NIS 2 is the EU’s response to the growing threat of cyberattacks. The directive regulates the cybersecurity and information security of companies and institutions. Cyberattacks are now considered one of the greatest business risks worldwide.
NIS 2 replaces EU Directive 2016/1148 (NIS 1) and is intended to improve cybersecurity across the European Union and provide stronger protection for companies. As a result, the implementation of the NIS 2 directive imposes more stringent requirements on risk management and compliance structures within many businesses. Failure to implement the necessary measures may lead to sanctions, according to the commercial law firm MTR Legal Rechtsanwälte.
The EU adopted the NIS 2 directive in 2023, and by 2025, member states must transpose it into national law. Whether a company is affected by the directive largely depends on the nature of its business activities. The scope of the directive has been expanded to include additional companies classified as “essential” and “important,” significantly increasing the number of organizations that are now legally obligated to comply with requirements from the Federal Office for Information Security (BSI).
Critical Infrastructure in Focus
In addition to sectors already covered under the original NIS 1 directive—such as energy, transport, healthcare, finance, water management, and digital infrastructure—NIS 2 extends its reach to further sectors. These include public electronic communications services, other digital services such as social platforms, wastewater and waste management, postal and courier services, public administration, and manufacturers of critical products. Estimates suggest that around 29,000 companies across various sectors in Germany will be affected by the implementation of NIS 2. Primarily, medium-sized and large companies in these critical sectors will be required to implement appropriate cybersecurity measures and establish efficient compliance systems. They are also obligated to report security incidents involving significant disruption or damage to the relevant authorities.
The NIS 2 directive also contains provisions for supervision, enforcement, and voluntary peer reviews to enhance mutual trust and improve cybersecurity throughout the European Union. Under these supervision and enforcement provisions, company management can be held personally accountable if cybersecurity risk management measures are not properly implemented.
Responding to Cybersecurity Incidents
NIS 2 also provides for the establishment of a network of Computer Security Incident Response Teams (CSIRTs) to facilitate information sharing on threats and ensure adequate responses to incidents. Furthermore, a European network of cyber crisis liaison organizations will be set up to support the regular exchange of information among member states and EU bodies, enabling coordinated responses to large-scale incidents and crises.
Exactly how NIS 2 will be transposed into German national law is still unclear, as early federal elections have caused delays in the legislative process. What is certain, however, is that cybersecurity will become a priority issue for many medium-sized enterprises as a result of the implementation.
Companies Must Implement Security Measures
Companies affected by NIS 2 face the challenge of implementing necessary security measures to protect data and critical infrastructure from potential cyberattacks. This includes both technical and organizational measures. If a company falls victim to a cyberattack, it must have plans in place to contain the damage and restore systems without delay. Competent authorities must also be informed. In addition, companies must regularly conduct testing to identify and eliminate vulnerabilities. Cybersecurity must also be ensured throughout the supply chain, requiring proactive risk management in this area as well.
Implementing the NIS 2 directive poses significant challenges to maintaining effective compliance, particularly as members of executive and management bodies may be held personally liable if required security measures are not implemented.
MTR Legal Rechtsanwälte supports companies in establishing effective compliance systems and ensures that statutory requirements are met. As a commercial law firm, MTR Legal advises on compliance and other aspects of corporate criminal law.
Feel free to contact us!