NIS-2
Is Your Company Affected by the EU Directive?
The NIS-2 Directive
Are we affected? What requirements do we have to implement? How much time do we have to do this?
The NIS-2 Directive (Network and Information Security 2, NIS-2) is currently raising questions for many companies in Europe. With the new directive, the EU extends its cyber security push beyond critical infrastructures to the wider group of "essential and important entities".
EU member states were required to transpose the directive's requirements into national law by October 2024. According to current information, the NIS-2 Implementation Act is expected to be in force in Germany in March 2025 and will then be binding for affected companies. We can advise and support you in preparing for and implementing the requirements.
Requirements
Companies affected by NIS-2 are obliged to operate a verifiable information security management system (ISMS). Based on this, they must take appropriate technical, operational and organizational measures to control cyber security risks, prevent security incidents and minimize potential impacts. The requirements of NIS-2 apply to the entire company, not just to individual systems or services classified as critical.
Scope
The NIS-2 Directive covers 13 sectors that are of crucial importance to the economy and society. Within these sectors it applies to companies with 50 or more employees, or with an annual turnover and an annual balance sheet total of more than 10 million euros. The sectors are:
- Energy
- Transport
- Finance
- Public health
- Water
- Digital infrastructure
- Space
- Waste management
- Production, manufacture and trade in chemical substances
- Production, processing and distribution of food
- Manufacturing/production of goods
- Digital service providers
- Research and development
How to prepare
Once you have determined that your company is affected by NIS-2, start your preparations with a Gap Analysis. Regardless of whether you already have KRITIS audits carried out on the basis of the IT Security Act or are only now coming within scope through NIS-2, a Gap Analysis uncovers the specific deviations in your company's security organization, so that you can plan and carry out suitable implementation projects in good time.
We are at your side
We are here for you. Following the Gap Analysis, we will of course be on hand to advise you and support you in implementing the NIS-2 requirements.
Are you currently planning to set up an ISMS in accordance with ISO 27001 or are you already in the process? If so, we recommend combining your ISMS project with a closer look at the NIS-2 requirements. We will be happy to help.
A NIS-2 implementation project usually requires considerable human and financial resources. We therefore advise you to make the most of the time remaining: together with our experienced consultants and security auditors, take an early look at the requirements of NIS-2 and identify any deviations in your company.
More Insights on NIS-2
NIS-2 and DORA: Why Two Pieces of EU Cybersecurity Legislation?
Ready for NIS-2? How to Prepare Your Company