
The NIS2 directive affects thousands of companies and government agencies

  • March 21, 2023

Whether transport, energy, health or finance – many areas of our daily life are increasingly dependent on digital technologies. Digitization offers enormous opportunities and solutions for many challenges – from hybrid education and hybrid work in times of pandemics to virtual family doctor visits, but also for civil law matters such as applying for a passport and parental allowance, or for complex control processes in the value chain and logistics. In short: the Internet is no longer just for surfing. Digital infrastructure and data traffic form the basis for the functioning of society and the economy and are indispensable for many state services today.

At the same time, the number of cyber attacks in Europe is steadily increasing. Hospitals, schools and public institutions are also regularly targeted by cybercriminals, sometimes with serious consequences. And as more devices connect to the internet, the risk is greater than ever. This trend will intensify in the future – especially given the geopolitical tensions.

The fact that the EU now wants to make European cyberspace more secure with uniform standards is a logical step. The NIS2 Directive, which came into force on January 16, 2023, goes far beyond the network and information security regulations, NIS for short, that have been in force since 2016. In the future, many more sectors and entities will be considered “essential” or “important” to the economy and society, including public entities. In addition, companies with more than 50 employees and an annual turnover of more than 10 million euros should also be subject to the regulation if they are of crucial importance.

From October 2024 – when the directive has to be fully transposed into national law – all “essential companies” must meet certain minimum cybersecurity requirements for their systems. This includes concepts for risk analysis, IT security and access control as well as measures to reduce security incidents and to ensure business operations, including documentation and reporting obligations. The most important change is the possibility to impose sanctions. Failure to comply could result in managers and executives being held personally liable. There are fines of up to 10 million euros or 2 percent of global annual sales.

The EU therefore gives cybersecurity top priority. And rightly so, because the stakes are high: digital infrastructure is critical. Secure and reliable information systems are a key factor for the economic and strategic independence of the EU. Ultimately, it is also about strengthening Europe’s sovereignty by creating a secure digital basis.

However, meeting the stricter cybersecurity requirements will not be easy, especially for companies that are not yet regulated. Smaller companies in particular often lack sufficient personnel and professional competence. The same applies to certain authorities. It will hardly be possible for them to meet the new requirements in time on their own.

Nevertheless, the EU is sending the right signal with NIS2: In view of the increasing geopolitical uncertainties and the vital importance of a well-functioning IT infrastructure for our society, its security must have top priority. The pioneering role that the EU is now taking in drawing up plans that apply across the Union is more than welcome.

This is an article by Ralf Koenzen, founder and managing director of LANCOM Systems.

Source: IT Daily
