For many years, we have been supporting our clients from the private and public sector with their introduction of information security management systems (ISMS) and the implementation of related regulations. NIS2 is the current evolution of well-known regulatory approaches.
Based on our experience, we can help your company to efficiently implement NIS2 requirements. We offer pragmatic solutions that address all regulatory stipulations while equally adding internal value.
Background
To address the growing cyber threat landscape and to ensure the continuity of activities deemed particularly important, the EU Network and Information Security Directive (NIS Directive) has been revised. The NIS2 Directive came into force in January 2023 and should have been implemented into national law by 24 October 2024. However, in Germany and many other member states, national implementation is delayed and expected to be adopted in 2025.
Who is affected by NIS2
In simple terms, NIS2 requirements apply to all at least medium-sized companies in critical sectors.
| High Criticality Sectors | Other Critical Sectors |
|---|---|
| Energy | Postal and Courier Services |
| Transport | Waste Management |
| Banking | Production, Manufacturing, and Commerce with Chemicals |
| Financial Market Infrastructures | Food Production, Processing, and Distribution |
| Healthcare | Manufacturing / Goods Production |
| Drinking Water | Digital Service Providers |
| Wastewater | Research |
| Digital Infrastructure | |
| ICT Service Management (B2B) | |
| Public Administration | |
| Space | |

Table: Which sectors are affected by NIS2
Depending on sector and size, NIS2 distinguishes between essential and important entities. Additionally, critical infrastructures are considered essential entities. Regardless of size, providers of certain digital infrastructure services, federal and state administration entities, and providers of public electronic communications networks and services are in scope of NIS2.
Though the same requirements apply to essential and important entities, the supervisory regime differs: essential entities can expect more active oversight and harsher penalties.
What NIS2 Involves
Preparedness and effectiveness are central measures for affected companies to strengthen their cyber resilience. The risk management measures already required under the original NIS directive have been clarified in NIS2 and extended to cover the supply chain. A multi-stage regime is established for reporting security incidents. Affected companies must report predefined content at three distinct points in time to the respective CSIRT or competent authority. Upon request, an additional interim report has to be provided.
Implementation Needs
The implementation needs of affected companies depend strongly on their current risk management setup. Undertakings that have already established a management system, or even hold a relevant certification (e.g., ISO 27001), have a solid foundation for their implementation and only need to supplement existing structures. Otherwise, greater effort is to be expected.
Our experts are happy to analyse your company’s status quo, identify needs for action, and support a tailored implementation.
Contact us to arrange a non-binding consultation appointment about NIS2: