Many companies are affected
Medium-sized: >50 employees and >10 million euros in revenue
Large: >250 employees and >50 million euros in revenue
To whom does the directive apply?
A total of 18 sectors are affected, including digital infrastructure, public administration and the manufacturing industry
Very high penalties
Major companies: 10 million euros or 2% of global revenue
Important companies: 7 million euros or 1.4% of global revenue
Stricter reporting obligations
Security incidents must be reported within 24 hours (early warning) and 72 hours (assessment)
High demands on IT security
Much stricter requirements for areas such as risk management, BCM, suppliers and IT systems
Monitoring by authorities
Establishment of Computer Security Incident Response Teams in EU member states, regular checks and reporting to the EU authority