TÜVIT: Companies face heavy fines for non-compliance with the new EU NIS2 Directive
The European Union wants to increase the cyber resilience of essential and important companies in its member states. The new IT security directive NIS2 is intended to ensure this. It will affect significantly more companies than its predecessor NIS from 2016 - including small and medium-sized enterprises. The new EU directive will come into force on October 17, 2024. The experts at TÜVIT, a subsidiary of the TÜV NORD GROUP, recommend that companies get to grips with the innovations and changes now.
"The new EU directive is also an opportunity for companies to rethink and improve their cyber security measures. Those who comply with the requirements will also strengthen customer confidence and protect themselves more effectively against cyber attacks," says Jacques Kruse Brandao, Global Head of Advocacy at TÜVIT and expert on the new EU NIS2 Directive.
It is estimated that between 25,000 and 40,000 companies in Germany are affected by the NIS2 directive and will have to tighten up their cyber security measures. This no longer only includes operators of previously known critical infrastructures (KRITIS). The new EU directive also applies to food producers and retailers, online marketplaces, companies from the waste disposal sector, manufacturers of machinery and electronic equipment, and hydrogen producers and traders. In addition, affected companies will also demand many of these cyber security requirements from their suppliers in order not to jeopardize their own cyber security, which will significantly increase the number of companies affected.
The challenge: Companies are obliged to determine for themselves whether they fall within the scope of NIS2. Two criteria are decisive for this: the size of the company and the sector. If companies employ more than 50 people and generate a turnover of more than ten million euros per year, they are affected by NIS2 if they operate in a corresponding sector. The EU directive defines 18 business sectors. Eleven of these are considered to be highly critical and seven are other critical sectors. If affected companies do not comply with the requirements by mid-October 2024, they face heavy fines. In future, they will also be obliged to register as an affected company and report disruptions and cyber attacks immediately.
TÜVIT supports companies with regard to the implementation of suitable risk management measures, including for partners within their supply chain. By implementing an information security management system (ISMS) certified by TÜVIT in accordance with ISO/IEC 27001, §8a or IT-Grundschutz and other organizational and technical measures, as well as revising their purchasing guidelines, companies are then prepared for the new legal regulations and better protected against cyber attacks.
Founded over 150 years ago, we stand for security and trust worldwide. As a knowledge company, we have our sights firmly set on the digital future. Whether engineers, IT security experts or specialists for the mobility of the future: in more than 100 countries, we ensure that our customers become even more successful in the networked world.