NIS 2 Directive: The Role of Secure Communication Systems and Affected Companies

An Overview of the EU’s NIS 2 Directive to Strengthen Cybersecurity

What Is the NIS-2 Directive?

With increasing digitalization and ever-growing cyberattacks, the European Union has recognized the need to strengthen its cybersecurity strategy. The NIS 2 Directive (Network and Information Systems Directive) is a decisive further development of the original NIS Directive from 2016 and aims to improve cybersecurity throughout the EU. It requires companies and organizations considered critical infrastructure operators to implement more comprehensive security measures to increase their cyberattack resilience.

NIS2 extends the scope of the regulations to a larger number of sectors and tightens the requirements for information security, including the introduction of secure communication systems.

Which Companies Are Affected by the NIS 2 Directive?

The NIS 2 Directive considerably expands the scope of application and covers both public authorities and private companies. Companies and authorities with 50 or more employees and an annual turnover of ten million euros or more are affected.

Operators of critical infrastructures that are active in areas considered essential for the functioning of society and the economy are particularly affected. These include sectors such as:

• Energy and water management
• Traffic and transportation
• Healthcare
• Finances
• Public administration
• Security authorities
• Digital infrastructure (e.g., cloud service providers, data centers, etc.)
• Food supply
• Chemical industry
• Postal and courier services

The upstream supply chains, in particular, the providers of information and communication technologies (ICT), are also covered by the new regulations. This means that both medium-sized and large companies operating in these critical sectors are subject to the supervision of the NIS 2 Directive and must take appropriate measures to meet the new requirements.

Key Requirements of the NIS 2 Directive for Companies

Affected companies must meet strict cybersecurity requirements, including the implementation of robust security strategies, the use of secure communication systems, and the reporting of security incidents to the relevant authorities. The primary objective is to take appropriate technical, operational, and organizational measures to minimize the risks posed by potential security incidents to network and information systems.

The official NIS2-guideline contains the following requirements in particular:

1. Concepts related to risk analysis and security for information systems
2. Management of security incidents
3. Business continuity, such as backup management, disaster recovery, and crisis management
4. Supply chain security, including security-related aspects of relationships between individual entities and their direct vendors or service providers
5. Security measures in the acquisition, development, and maintenance of network and information systems, including management and disclosure of vulnerabilities
6. Concepts and procedures for assessing the effectiveness of cybersecurity risk management measures
7. Basic cyber hygiene procedures and cybersecurity training
8. Concepts and procedures for the use of cryptography and, where appropriate, encryption;
9. Personnel security, access control concepts, and asset management
10. Use of multi-factor authentication or continuous authentication solutions, secure voice, video, and text communications, and, where appropriate, secure emergency communications systems within the facility

In addition, companies must immediately report security incidents to the relevant authorities: Within 24 hours of becoming aware of a disruption or cyber-attack on their systems, companies must send an early warning to the competent national authority. Companies should also be prepared to analyze and assess the incident in more detail within 72 hours – in particular, to narrow down the incident and prevent further attacks.

The Importance of Secure Communication Under the NIS 2 Directive

A key element of the NIS 2 Directive is ensuring end-to-end secure communication. In the face of increasing threats from cyberattacks, companies need to implement advanced communication systems such as a secure business messenger that ensures both the protection of sensitive data and the integrity of information transmission. The requirements of the NIS 2 Directive about secure communication cover several key aspects.

Secure Voice, Video, and Text Communication

Companies are required not only to secure their IT systems but also to comprehensively protect the communication channels for voice, video, and text messages against cyberattacks. Secure communication here means that all information and data exchanged during a call, video conference, or text chat is protected against unauthorized access and manipulation. In other words, it must be ensured that only authorized parties can access content.

Conventional consumer messengers such as WhatsApp, Signal, etc. do not meet the associated requirement for centralized control and administration of the communication system at all.

Especially in areas where sensitive or business-critical information is exchanged, such as healthcare or the financial sector, communication platforms such as VoIP services, video conferencing systems, and messaging services must meet the highest security and compliance standards.

You can find out what a secure communication alternative looks like in our white paper “100% on the safe side”.

Strong Encryption of Communication

Companies are obliged to use secure systems to encrypt their communications and ensure confidentiality. This applies to both internal communication processes and interaction with external partners, customers, and authorities. A secure communication system must protect against eavesdropping attempts and ensure that the integrity of the transmitted information is maintained. In addition, exchanged information and associated data on the end devices and in the infrastructure must be protected against unauthorized access through strong encryption.

Fail-Safe Communication System

The communication infrastructure should remain fully functional even in the event of technical faults, cyberattacks, or emergencies. Companies must ensure that their communication systems are protected by redundancies and backup mechanisms.

This includes setting up alternative communication channels that can be activated in the event of a failure. Secure business messengers such as Teamwire with alerting and emergency functions are ideal for such cases. They can also be used quickly and easily as an alternative or supplement to US cloud providers if solutions such as Microsoft Teams or Zoom fail.

A stable and resilient communication system is essential to ensure the continuous operation of critical infrastructures even in times of crisis and to maintain the availability of communication at all times.

Significant Sanctions and Liability of Executives

The potential penalties for violating the requirements of NIS2 should not be underestimated. The fines can go up to EUR 10 million or 2 percent of global turnover. Another new feature is the personal liability of managers, who can be held responsible for breaches of the directive.

Conclusion

The NIS 2 Directive marks a significant step towards a more secure digital Europe. With its extension to other sectors and stricter requirements, it presents companies with new challenges, but at the same time offers the opportunity to raise cybersecurity to a new level. Secure communication systems play a central role here: they not only protect sensitive data but also ensure the integrity and availability of information.

Implementing the NIS2 requirements requires precise planning and implementation of technical, organizational, and operational measures. Companies must be prepared not only to secure their IT infrastructure, but also to use robust communication solutions that meet the highest security standards.

Given the potential sanctions and personal liability of executives, rapid and comprehensive adaptation is essential. Teamwire is at your side as a reliable partner to help you master these challenges efficiently and safeguard your communication in the long term.