Expert commentary by Andre Schindler, General Manager EMEA and SVP Global Sales at NinjaOne
For many companies, 2024 has been a challenging year in terms of cybersecurity: according to the report by the German Federal Office for Information Security (BSI), the aggressiveness and sophistication with which cybercriminals operate have increased significantly. The frequency and complexity of ransomware attacks have risen sharply. In order to increase the overall level of cybersecurity within the EU in the face of these threats, the EU has adopted the NIS-2 Directive.
In Germany alone, the NIS-2 directive will affect approximately 30,000 companies. The scope of NIS-2 covers not only companies and organisations that belong to or are connected to critical infrastructures (KRITIS), but also those classified as ‘particularly important’ and ‘important’. Whether a company is considered ‘particularly important’ or ‘important’ depends on key figures and thresholds relating to annual turnover or the number of employees.
The NIS-2 directive places new and stricter requirements on companies in areas such as access control and data protection. For example, users must be authenticated and electronically stored or transmitted data must be better protected against actions such as unauthorised access, modification or deletion.
Improving network and system security is also part of NIS-2. Organisations should minimise the attack surface of their network and information systems and ensure that the operation of the systems is not compromised by the exploitation of a single vulnerability.
Non-compliance with the NIS-2 directive is subject to sanctions. The minimum fine is 10 million or 2% of global annual revenue if the organisation is a ‘particularly important’ entity. However, the severe fines should not be the only motivation for companies to raise their cybersecurity to a high level. Ransomware attacks, for example, have been increasing for several years. These attacks have caused enormous damage across all sectors in Germany and have thus impressively demonstrated the importance of a proactive approach to cybersecurity, regardless of cyber protection guidelines.
Good techniques for preventing these types of attacks include regularly backing up data to an external drive or cloud service. This enables a company to restore its data without giving in to the attacker’s demands if it is affected by ransomware.
Other important protective measures include regular patch management and updates: systems must always be kept up to date to close vulnerabilities that attackers can exploit. IT departments should have automated patch management systems in place to distribute updates as soon as they are released.
In response to the ever-changing cyberthreat landscape, cyber protection guidelines will be updated frequently in the future. However, organisations that think proactively about cyber protection and continuously implement best practices for cyber protection will find it easier to comply with these guidelines. NIS-2 is an important step in the right direction in making critical infrastructure in the EU more resilient.