====== NIS2 Directive ======

Implementation of EU Directive 2022/2555 (NIS2) for network and information security with post-quantum cryptography.

----

===== Overview =====

The NIS2 Directive((EUR-Lex NIS2: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32022L2555)) is the revised EU directive on a high common level of cybersecurity across the Union. It repeals the original NIS Directive (EU) 2016/1148 and extends its scope to more sectors and entities. It entered into force on January 16, 2023, and had to be transposed into national law by **October 17, 2024**.

The diagram below maps the articles relevant to WvdS to the minimum measures of Art. 21(2) and to the implementation evidence on this page:

<code mermaid>
flowchart TB
    subgraph NIS2["NIS2 Directive (EU) 2022/2555"]
        A21["Article 21<br/>Risk Management"]
        A23["Article 23<br/>Reporting Obligations"]
        A32["Article 32<br/>Supervision"]
    end
    subgraph A21D["Art. 21(2) - Minimum Measures"]
        A21a["(a) Risk Analysis"]
        A21d["(d) Supply Chain"]
        A21e["(e) Procurement"]
        A21h["(h) Cryptography"]
        A21j["(j) MFA/Access"]
    end
    subgraph WVDS["WvdS Implementation"]
        RISK["Risk Documentation"]
        SUPPLY["OpenSSL 3.6<br/>(Open Source)"]
        CERT["NIST FIPS<br/>203/204"]
        CRYPTO["ML-DSA<br/>ML-KEM"]
        MFA["mTLS<br/>Client Certs"]
    end
    A21 --> A21D
    A21a --> RISK
    A21d --> SUPPLY
    A21e --> CERT
    A21h --> CRYPTO
    A21j --> MFA
    style CRYPTO fill:#4caf50,color:#fff
    style MFA fill:#4caf50,color:#fff
</code>
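The diagram above maps Art. 21(2)(a) to risk documentation. For a post-quantum migration, the quantum-specific part of that risk analysis is deciding which data classes are already exposed to harvest-now-decrypt-later: ciphertext an attacker records today and decrypts once a cryptographically relevant quantum computer (CRQC) exists. The following Python is an added example written for this page, not WvdS code. It classifies a constructed data inventory by confidentiality lifespan using Mosca's inequality (X + Y > Z). The CRQC horizon of 10 years, the migration durations and the sample assets are all assumptions that the risk owner replaces with their own figures.

```python
"""Data classification by confidentiality lifespan (harvest-now-decrypt-later check).

Added example, not WvdS code. Applies Mosca's inequality to each data class:
    X = years the data must remain confidential
    Y = years needed to migrate the protecting system to post-quantum cryptography
    Z = years until a cryptographically relevant quantum computer (CRQC) is assumed
If X + Y > Z, data protected today with classical key exchange can be recorded
now and decrypted later, so that class needs hybrid/PQ protection immediately.
Z and every asset below are assumptions, not measured values.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass(frozen=True)
class DataClass:
    name: str
    confidentiality_years: int  # X
    migration_years: int        # Y


def hndl_exposed(x: int, y: int, z: int) -> bool:
    """Mosca's inequality: True if classically protected data is already at risk."""
    return x + y > z


def migration_margin_years(x: int, y: int, z: int) -> int:
    """Years left before the migration must start; negative means it is already late."""
    return z - x - y


def classify(assets: List[DataClass], crqc_horizon_years: int,
             reference_year: Optional[int] = None) -> List[Dict]:
    """Return one row per data class, most urgent (smallest margin) first."""
    year = reference_year if reference_year is not None else date.today().year
    rows = []
    for a in assets:
        x, y, z = a.confidentiality_years, a.migration_years, crqc_horizon_years
        margin = migration_margin_years(x, y, z)
        exposed = hndl_exposed(x, y, z)
        if exposed:
            action = "exposed now: switch to hybrid (classical + ML-KEM) and re-protect stored data"
        elif margin == 0:
            action = "no margin: start PQC migration this year"
        else:
            action = f"plan PQC migration to start by {year + margin}"
        rows.append({
            "name": a.name,
            "exposed": exposed,
            "margin_years": margin,
            # last year in which the migration may start, and the year it must be done
            "start_migration_by": year + margin,
            "complete_migration_by": year + z - x,
            "action": action,
        })
    rows.sort(key=lambda r: r["margin_years"])
    return rows


# Constructed sample inventory (not real data); X and Y are illustrative guesses.
SAMPLE_ASSETS = [
    DataClass("TLS session telemetry", confidentiality_years=1, migration_years=1),
    DataClass("Patient records", confidentiality_years=30, migration_years=3),
    DataClass("SCADA telemetry archive", confidentiality_years=15, migration_years=4),
    DataClass("Transaction archive", confidentiality_years=10, migration_years=2),
    DataClass("Public product catalog", confidentiality_years=0, migration_years=1),
]

if __name__ == "__main__":
    # Assumed CRQC horizon: 10 years from the reference year (a risk-owner decision).
    for row in classify(SAMPLE_ASSETS, crqc_horizon_years=10, reference_year=2025):
        flag = "EXPOSED" if row["exposed"] else "ok"
        print(f'{row["name"]:<26} {flag:<8} margin={row["margin_years"]:>3}y  {row["action"]}')
```

Running the script prints the inventory ordered by urgency; the classes with a negative margin are the ones whose systems must switch to hybrid mode first, and that ordering is what the Art. 21(2)(a) risk documentation records. Note that the inequality covers confidentiality only: long-lived signatures (firmware, certificates) are not broken retroactively, but must be post-quantum before a CRQC exists.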
----

===== Affected Sectors =====

NIS2 expands the scope to more sectors. Annex I lists the sectors of high criticality, Annex II the other critical sectors; whether a given organization is an essential or an important entity depends on its sector and size (Art. 3): large entities in Annex I sectors are essential, the remaining entities in scope are important.

==== Essential Entities (Annex I sectors) ====

^ Sector ^ Examples ^ WvdS Relevance ^
| Energy | Power grids, wind farms, oil/gas | [[en:int:pqcrypt:szenarien:branchen:energie:start|Energy Scenarios]] |
| Transport | Rail, aviation, shipping | Transport certificates |
| Banking | Credit institutions | Transaction security |
| Healthcare | Hospitals, laboratories | [[en:int:pqcrypt:szenarien:branchen:healthcare:start|Healthcare Scenarios]] |
| Drinking Water | Water supply | SCADA communication |
| Digital Infrastructure | DNS, TLD, cloud | PKI, TLS |

==== Important Entities (Annex II sectors) ====

^ Sector ^ Examples ^ WvdS Relevance ^
| Postal/Courier | Logistics | Authentication |
| Waste Management | Disposal | OT security |
| Chemicals | Production | [[en:int:pqcrypt:szenarien:branchen:industrie:start|Industry Scenarios]] |
| Food | Production, retail | Supply chain |
| Manufacturing | Machinery, vehicles | [[en:int:pqcrypt:szenarien:branchen:automotive:start|Automotive Scenarios]] |
| Digital Services | Marketplaces, search engines | API security |

----

===== Article 21(2) - Risk Management Measures =====

The directive requires specific minimum measures in Article 21(2)((NIS2 Directive Art. 21 Para. 2: "Cybersecurity risk management measures", EUR-Lex: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32022L2555#d1e3507-80-1)). Of the ten measures (a) to (j), the following are the ones WvdS contributes evidence for:

==== (a) Risk Analysis and Information System Security ====

^ Requirement ^ WvdS Evidence ^
| Risk identification | [[en:int:pqcrypt:business:risiko|Risk Documentation]] |
| Quantum threat analyzed | Harvest-Now-Decrypt-Later scenario |
| Protection requirements determined | Data classification by confidentiality lifespan |

==== (d) Supply Chain Security ====

^ Requirement ^ WvdS Evidence ^
| Evaluate suppliers | OpenSSL 3.6 = open source, auditable |
| Minimize dependencies | Only OpenSSL + .NET runtime |
| Ensure updates | NuGet package, automatic updates |

Auditability of the source is a necessary but not a sufficient control for (d): keep a software bill of materials with the exact OpenSSL and runtime versions in use and track their security advisories, since the directive expects the entity to consider the vulnerabilities specific to each supplier.

==== (e) Security in Acquisition, Development and Maintenance ====

^ Requirement ^ WvdS Evidence ^
| Secure development | Code review, tests |
| Vulnerability management | GitHub Security Advisories |
| Patch management | Patch releases follow semantic versioning |

==== (h) Cryptography Policies ====

**Core Requirement for WvdS:**

^ Requirement ^ WvdS Implementation ^ Status ^
| Appropriate cryptography | NIST FIPS 203/204 algorithms (ML-KEM, ML-DSA) | Completed |
| State of the art | Post-quantum algorithms finalized by NIST in August 2024 | Completed |
| Encryption where required | Hybrid cryptography | Completed |
| Key derivation | HKDF, PBKDF2, Argon2id | Completed |

Art. 21(2)(h) asks for documented policies and procedures on the use of cryptography. The algorithm list above is evidence that the implementation is state of the art; the policy itself (which modes are permitted, key lengths, rotation and retirement of classical-only material) still has to be written by the entity.

<code csharp>
// NIS2-compliant cryptography configuration: hybrid mode combines a classical
// algorithm with a post-quantum one, so the result stays secure as long as
// either primitive holds.
CryptoConfig.DefaultMode = CryptoMode.Hybrid;

// Hybrid certificate: classical ECDSA plus ML-DSA (FIPS 204) signatures.
var cert = request.CreateSelfSigned(
    notBefore,
    notAfter,
    CryptoMode.Hybrid   // ECDSA + ML-DSA
);
</code>

==== (j) Multi-Factor Authentication ====

^ Requirement ^ WvdS Implementation ^ Status ^
| MFA or continuous authentication | mTLS with client certificates | Completed |
| Secure communication | TLS 1.3 with PQ algorithms | Completed |
| Identity management | X.509 certificates | Completed |

A client certificate on its own is a single factor (possession). For mTLS to count as multi-factor authentication under (j), bind the private key to a second factor, for example by storing it on a smart card or TPM that requires a PIN, or combine the certificate with a user-level second factor.

----

===== Article 23 - Reporting Obligations =====

Strict reporting obligations apply to significant incidents((NIS2 Directive Art.
23: "Reporting obligations", EUR-Lex: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32022L2555#d1e3835-80-1)). The deadlines in Art. 23(4) are:

^ Deadline ^ Report ^ Required Content ^ WvdS Support ^
| 24 hours | Early warning | Whether the incident is suspected to be caused by unlawful or malicious acts or could have cross-border impact | Audit logging for forensics |
| 72 hours | Incident notification | Update of the early warning, initial assessment of severity and impact, indicators of compromise | Detailed logs available |
| 1 month after the notification | Final report | Detailed description, type of threat or root cause, mitigation measures, cross-border impact | Complete documentation |

An intermediate report may additionally be requested by the CSIRT or competent authority.

**Recommendation:** Enable audit logging for all cryptographic operations so that the 72-hour notification can be backed by traceable evidence of which keys, certificates and algorithms were involved.

----

===== Implementation Timeline =====

<code mermaid>
timeline
    title NIS2 Implementation
    section 2023
        Jan 16 : NIS2 in force
        Inventory : Check applicability
    section 2024
        Oct 17 : Transposition deadline
        Gap Analysis : Identify measures
    section 2025
        Reporting : Fully active
        Supervision : Controls begin
    section 2026+
        Sanctions : Fines possible
        Audits : Regular reviews
</code>

**Sanctions for Violations:**((NIS2 Directive Art. 34: "Administrative sanctions", EUR-Lex: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32022L2555#d1e4802-80-1))

  * Essential entities: up to EUR 10 million or 2% of total worldwide annual turnover, whichever is higher (Art. 34(4))
  * Important entities: up to EUR 7 million or 1.4% of total worldwide annual turnover, whichever is higher (Art. 34(5))

----

===== Checklist for NIS2 Compliance =====

^ # ^ Checkpoint ^ WvdS Evidence ^ Status ^
| 1 | Risk analysis documented | [[en:int:pqcrypt:business:risiko|Risk]] | [ ] |
| 2 | Cryptography "state of the art" | NIST FIPS 203/204 (2024) | [ ] |
| 3 | Hybrid cryptography active | CryptoMode.Hybrid | [ ] |
| 4 | Key management documented | [[en:int:pqcrypt:api:keyderivation:start|KeyDerivation]] | [ ] |
| 5 | Supply chain transparent | OpenSSL 3.6 open source | [ ] |
| 6 | MFA implemented | mTLS with client certificates | [ ] |
| 7 | Audit logging active | Crypto events logged | [ ] |
| 8 | Reporting process defined | Incident response plan | [ ] |

----

===== German Implementation: NIS2UmsuCG =====

The NIS-2 Implementation and Cybersecurity Strengthening Act (NIS2UmsuCG)((BMI NIS2UmsuCG: https://www.bmi.bund.de/DE/themen/it-und-digitalpolitik/it-sicherheit/nis2-umsetzung/nis2-umsetzung-node.html)) transposes NIS2 into German law by amending the BSI Act (BSIG). The section numbers below refer to the new BSIG and should be verified against the enacted text:

^ NIS2 ^ German Law ^ Responsible Authority ^
| Essential entities | Sections 28-29 BSIG-new | BSI |
| Important entities | Sections 30-31 BSIG-new | BSI |
| Reporting obligations | Section 32 BSIG-new | BSI |
| Sanctions | Section 60 BSIG-new | BNetzA, BSI |

----

===== Further Reading =====

  * [[.:start|Compliance Overview]]
  * [[.:bsi-grundschutz|BSI IT-Grundschutz]]
  * [[.:kritis-verordnung|KRITIS Regulation]]
  * [[https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32022L2555|NIS2 Full Text (EUR-Lex)]]
  * [[https://www.bsi.bund.de/DE/Themen/KRITIS-und-regulierte-Unternehmen/Kritische-Infrastrukturen/NIS2/nis2_node.html|BSI NIS2 Information]]

----

//Wolfgang van der Stille @ EMSR DATA d.o.o. - Post-Quantum Cryptography Professional//

{{tag>nis2 eu compliance kritis article-21}}