21. August 2024

NIS2 Directive extends its scope of application

Extended scope of NIS2: What affected organizations need to know

The NIS2 Directive marks an important milestone in the European legal framework for cybersecurity.
The extended version of this directive covers a wider range of sectors and digital service providers.
For companies and organizations, this means that they will have to adapt to stricter cybersecurity requirements.
This is part of the European Union’s efforts to strengthen Europe’s digital resilience in an increasingly interconnected world.
The NIS2 Directive replaces the original NIS Directive of 2016, which defined the framework for network and information security at the time.
The new version broadens the scope and focuses on specific sectors that are essential to the functioning of our modern society.
The following highlights some of the key sectors that now fall under the extended scope of NIS2.

Energy: protecting critical infrastructure

Energy suppliers are the backbone of every modern economy.
Power plants, electricity grids and renewable energies form the foundation of a functioning society.
The extended scope of NIS2 now focuses on all aspects of the energy infrastructure.
This includes not only power plants, but also electricity distribution and supply as a whole.
Protection against cyber attacks is of particular importance here, as a successful attack on the power grid can have far-reaching consequences for public life.
A power outage or an attack on the energy supply could paralyze large parts of the economy and affect important public services.
Companies in this sector need to ensure that their IT systems are robust enough to withstand potential threats.
This requires not only advanced technologies, but also regular training for employees in dealing with cybersecurity threats.

Transport: Safe and smooth travel

Another focus of the NIS2 Directive is on the transportation sector.
This includes rail networks, airports, air navigation services and shipping.
A well-functioning transportation system is crucial for international trade and the mobility of people and goods.
A cyberattack on critical transportation infrastructure could not only cause economic damage, but also put people’s lives at risk.
Digital networking in transportation, for example through automated rail systems or air traffic control, brings an increasing risk of cyberattacks.
Companies in this sector must ensure that their systems are secure and that threats can be detected and averted in good time.
At the same time, they must be able to react quickly in the event of an attack in order to maintain operations.

Health: Protection of patient data and healthcare services

With increasing digitalization in the healthcare sector, the attack surface for cybercrime is also growing.
Hospitals, clinics and healthcare systems store and process a large amount of sensitive patient data.
A successful attack could not only disrupt operations, but also jeopardize patient safety.
The NIS2 Directive requires healthcare facilities to take stricter measures to defend against cyber threats.
These include ensuring that all IT systems are regularly updated and secured.
In addition, employees in the healthcare sector must receive more training in dealing with cybersecurity risks in order to minimize human error.

Water supply: securing the basis of life

Water supply is another critical element of infrastructure that now falls within the scope of NIS2.
Water treatment plants and distribution networks are vital to the population.
An attack on the water supply could have serious consequences for public health and well-being.
Organizations in this sector must ensure that they have the necessary security measures in place to protect their systems against cyber attacks.
This includes carrying out regular security checks and implementing contingency plans so that they can act quickly in the event of an attack.

Digital infrastructure: protecting the digital backbone

With the growing importance of digital services in almost all areas of life, digital infrastructure is now an essential element for the functioning of our economy and society.
Internet service providers, data centers and cloud services are at the heart of the NIS2 Directive.
Their security is of crucial importance as they form the backbone of digital communication and data exchange.
The increasing interconnectedness and reliance on cloud services and digital platforms make them an attractive target for cybercriminals.
Companies operating in this area must ensure that their services are highly secured and resistant to attacks.
This includes not only protecting against data loss, but also ensuring the availability of services.

Financial market infrastructures: protection against cyber financial crime

Banks, stock exchanges and payment systems have traditionally been a preferred target for cyber criminals.
The new NIS2 Directive obliges financial service providers to take additional measures to protect their infrastructures.
This includes not only protection against cyber attacks, but also ensuring business continuity in the event of an attack.
Financial market infrastructures are of central importance for economic stability and public confidence in the financial system.
An attack on a bank or payment system could not only cause financial losses for the organizations affected, but also have far-reaching effects on the economy as a whole.

Conclusion: What does NIS2 mean for affected organizations?

The expansion of the scope of NIS2 highlights the growing importance of cybersecurity for almost all major sectors.
Companies and organizations operating in the affected areas need to rethink and strengthen their cybersecurity strategies.
This includes implementing advanced security technologies, regularly training employees and conducting security audits to identify and fix vulnerabilities early on.
For many companies, this also means working closely with government agencies to ensure they are compliant with legal requirements and can respond effectively in the event of a cyberattack.
Organizations that are unsure whether they are affected by the new regulations should take advantage of the Federal Office for Information Security’s (BSI) test to check their compliance.
