Preparing for the national transposition deadline of the NIS2 Directive

As the implementation deadline for the revised Network and Information Systems Directive (NIS2) approaches, companies across the EU need to take action to ensure compliance with the directive. NIS2, which came into force on January 16, 2023, replaces the original NIS1 Directive and aims to harmonize and improve cybersecurity across member states. With its broader scope, risk-based approach and focus on supply chain security, NIS2 recognizes the growing cyber threats and the critical importance of protecting essential services and digital infrastructures.


National laws must be adapted to NIS2 by October 17, 2024. To prepare effectively, organizations need to understand its applicability, the specific requirements and potential impacts, including how the directive affects the use of open source software and technology.

Scope of NIS2

1. NIS2 significantly expands the scope of its predecessor, NIS1, to cover a wider range of sectors and services that are critical to societal and economic stability. The Directive applies to key sectors such as energy, transport, banking, healthcare, digital infrastructure and public administration, as well as important sectors such as postal services, waste management, food production and digital service providers such as cloud computing, online marketplaces and search engines.

2. Companies operating in these sectors must take stringent cybersecurity measures, conduct regular risk assessments and report significant incidents to national authorities. The expanded scope reflects the increasing interconnectedness of critical infrastructure and the need for robust cybersecurity practices across all sectors of society. However, companies with fewer than 50 employees or an annual turnover or balance sheet of less than 10 million euros are exempt from this regulation. There are exceptions to this exemption if these smaller companies are essential for critical infrastructure or operate in specific high-risk sectors.

3. Application to non-EU companies: NIS2 also applies to non-EU companies under certain conditions. If a non-EU company operates in a sector covered by NIS2 and provides services within the EU, it must comply with the Directive. This includes companies that provide services to EU citizens or within the EU market. Such non-EU companies must appoint a representative in the EU to ensure compliance with the NIS2 obligations. This representative acts as a liaison with EU regulators and is responsible for the company's compliance with the Directive.

Impact on open source software and technology

NIS2 places great emphasis on supply chain security and mandates strict cybersecurity standards for organizations that are classified as essential or important. Commercial components are usually easy to identify: they can be located quickly from the list of suppliers. Open source components are harder to identify, which has a direct impact on the use of open source software:

  • Increased security requirements: Organizations must ensure that open source technologies meet NIS2 cybersecurity standards. This includes regular updates, vulnerability assessments, and timely patch management to minimize the risks associated with open source components.
  • Supply chain security: The Directive requires organizations to assess the security practices of their open source software suppliers. This includes evaluating the origin and maintenance of open source projects to ensure that they do not introduce vulnerabilities into critical systems. It also includes evaluating all transitively dependent open source packages, whose inclusion is often not immediately obvious, even to developers. All software components must be documented in a software bill of materials (SBOM). This is usually carried out by specialized companies.
  • Regular vulnerability testing of all open source packages in use: New vulnerabilities are discovered every day; according to the BSI, around 70 per day (https://www.bsi.bund.de/DE/Service-Navi/Publikationen/Lagebericht/lagebericht_node.html). All components of the SBOM must be regularly checked against newly discovered vulnerabilities.
  • Incident reporting and liability: NIS2 requires organizations to report significant cybersecurity incidents, including those involving open source software, to national authorities (three-phase reporting obligations for major incidents: early warning within 24 hours, incident report within 72 hours, final report within one month).
  • Management liability: Management may also be held responsible for ensuring that the use of open source technology does not compromise the company's cybersecurity, which increases legal and operational risks.

Under NIS2, companies that fail to comply with the directive can face significant fines, with penalties reaching up to 10 million euros or 2% of global turnover, whichever is higher. Management may also be held personally liable for non-compliance, facing potential legal action, including fines or disqualification, for failing to ensure their organization's adherence to the directive. Additionally, companies may be subject to claims for damages from affected parties if their non-compliance leads to a security incident causing harm.

In light of these requirements, organizations must carefully manage their use of open source software to comply with NIS2 regulations and protect their systems from new threats. Managers need to be able to demonstrate that they have fulfilled their fiduciary duties to avoid personal liability and protect their company from fines, penalties or lawsuits.

Checklist for companies: important preparatory steps for compliance

To adapt to NIS2 and manage the associated risks, organizations should:

  • Conduct risk assessments: Identify all software components in use (SBOM) and known vulnerabilities, including those related to open source software, and implement customized risk management strategies.
  • Develop an incident response plan: Create a comprehensive plan for detecting, reporting, and remediating cybersecurity incidents.
  • Ensure supply chain security: Evaluate and secure the cybersecurity practices of suppliers, including those providing open source software.
  • Regularly test for new vulnerabilities. Given the high number of components and vulnerabilities, this should be automated.
  • Implement security by design: Integrate cybersecurity measures into the design and development of products and services.
  • Train employees: Educate your employees on cybersecurity best practices and highlight the particular risks of open source software.
  • Stay up to date: Keep up to date with developments in the implementation of NIS2 and participate in consultations where possible.
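The SBOM-based vulnerability check that the supply chain bullets above and the "Conduct risk assessments" and "Regularly test for new vulnerabilities" steps describe, as an added example that is not part of the original article: it reads a CycloneDX-style SBOM, including transitive components, and matches every component against an advisory feed by package identity and affected version range. The SBOM, package names, and advisory ids are constructed placeholders, and the range logic assumes simple dotted numeric versions.

```python
import json

# Constructed CycloneDX-style SBOM: package names, versions and purls are hypothetical.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "components": [
    {"type": "library", "name": "webframework", "version": "2.4.1", "purl": "pkg:pypi/webframework@2.4.1"},
    {"type": "library", "name": "templating", "version": "3.0.2", "purl": "pkg:pypi/templating@3.0.2"},
    {"type": "library", "name": "jsonparse", "version": "1.9.0", "purl": "pkg:pypi/jsonparse@1.9.0"}
  ]
}
"""

# Constructed advisory feed with placeholder ids; affected range is [introduced, fixed).
ADVISORIES = [
    {"id": "EXAMPLE-2024-0001", "package": "pkg:pypi/templating", "introduced": "3.0.0", "fixed": "3.0.3"},
    {"id": "EXAMPLE-2024-0002", "package": "pkg:pypi/jsonparse", "introduced": "1.0.0", "fixed": "1.8.5"},
    {"id": "EXAMPLE-2024-0003", "package": "pkg:pypi/webframework", "introduced": "2.4.0", "fixed": None},
]

def parse_version(v):
    """Dotted numeric version to a tuple, so that 1.10.0 compares greater than 1.9.0."""
    return tuple(int(part) for part in v.split("."))

def is_affected(version, introduced, fixed):
    """True when introduced <= version < fixed; fixed=None means no fix has been released."""
    v = parse_version(version)
    if v < parse_version(introduced):
        return False
    return fixed is None or v < parse_version(fixed)

def match_sbom(sbom_json, advisories):
    """Return (purl, advisory id, fixed version) for every SBOM component an advisory covers."""
    findings = []
    for comp in json.loads(sbom_json).get("components", []):
        purl = comp["purl"]
        package = purl.split("@")[0]  # drop the version to get the package identity
        for adv in advisories:
            if adv["package"] == package and is_affected(comp["version"], adv["introduced"], adv["fixed"]):
                findings.append((purl, adv["id"], adv["fixed"]))
    return findings

if __name__ == "__main__":
    # Re-run this against the current feed on a schedule (e.g. daily) to catch new advisories.
    for purl, adv_id, fixed in match_sbom(SBOM_JSON, ADVISORIES):
        print(f"{purl}: {adv_id} (fixed in {fixed or 'no fix yet'})")
```

In practice the advisory list is refreshed from a vulnerability database before each run, so the same SBOM is re-evaluated as new entries appear.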

By taking these steps, organizations can better prepare for the NIS2 obligations and improve their overall cybersecurity posture.
