NIS2aaS - Comprehensive support for NIS2 implementation
NIS2 is here – find out how you can master the new cyber security requirements easily and efficiently with NIS2 as a Service!
The German legislator has belatedly passed the NIS2 Implementation Act, which has been in force since December 6, 2025. It stipulates numerous cybersecurity requirements that now need to be implemented in a timely manner. However, some confusing terms appear in the law: sectors of high criticality according to the NIS2 Directive are usually referred to in Germany as “particularly important facilities” (including the previous KRITIS facilities), but sometimes “only” as “important facilities”. Other critical sectors are classified in the same way.
Some implementation regulations are still to be issued by ordinances of the Federal Ministry of the Interior (BMI), which are intended to formulate sector-specific requirements to be met, unless the European Commission itself sets corresponding requirements, as EU requirements always take precedence. This has already been done for IT service providers by the European Commission in Implementing Regulation 2024/2690. The Federal Office for Information Security (BSI) can prescribe obligations to provide evidence for particularly important facilities, but only for important facilities if there is evidence of inadequate implementation. For the latter, the principle of “just don't attract attention...” applies.
NIS2 Requirements to be implemented in Germany
Before you completely lose track, there are two reasons for hope:
The NIS2 requirements to be implemented within three years are comprehensible and in line with standard information security practice. With a NIS2 as a Service construct (NIS2aaS), you receive clarity and active support during implementation.
With NIS2aaS, “only” the relevant components for which external support is required need to be identified. The following elements should be addressed in-house or with a suitable NIS2aaS:
- Implementation of suitable, proportionate and effective state-of-the-art technical and organizational measures, taking into account European and international standards (e.g. ISO/IEC 27001), in order to avoid disruptions to the availability, integrity and confidentiality of information technology systems, components and processes and to minimize the impact of security incidents. This requires that the relevant measures have been identified in the ISMS and that their upkeep is regularly reviewed and, if necessary, further developed.
- Use of only approved information and communication technology (ICT) products, services and processes that have a cyber security certification. The BMI has yet to issue a statutory order specifying the ICT products, services and processes for which this will be mandatory. The requirements for cyber security certification itself will in turn be determined by the BSI.
- Notification of significant security incidents to the BSI and BBK: initial notification within 24 hours of becoming aware of the incident, followed by an update and assessment (stating the indicators of compromise) within 72 hours. This reporting obligation already applies now!
- Participation in training and awareness-raising measures on security in information technology – especially by management. Management classified as “unreliable” by the BSI can be temporarily banned by the BSI from carrying out management activities at particularly important facilities.
- Performance of audits, inspections or certifications by independent bodies three years after the law enters into force, with submission of corresponding evidence to the BSI. This applies to particularly important facilities for which the BSI has ordered it on the basis of the existing extent of risk exposure, the size of the facility, and the probability of occurrence and severity of possible security incidents and their possible social and economic impact; it also applies explicitly to operators of critical facilities. Experience shows that the BSI sets such requirements at very short notice, so corresponding verification procedures must be initiated within one year to a maximum of two years.
Mandatory minimum measures for Risk Management
Measures to be implemented must include at least the following:
1. Documented concepts, e.g. in the form of a guideline, for risk analysis and security in information technology.
2. Procedures for dealing with security incidents, including the detection and handling of incidents that affect the availability, integrity or confidentiality of stored, transmitted or processed data offered or accessible via information technology systems, components and processes.
3. Maintaining operations through backup management and disaster recovery and by establishing crisis management.
4. Ensuring supply chain security, including security-related aspects of relationships with direct vendors or service providers.
5. Security measures in the acquisition, development and maintenance of information technology systems, components and processes, including management and disclosure of vulnerabilities.
6. Concepts and procedures for evaluating the effectiveness of risk management measures in the area of information technology security.
7. Implementation of basic training and awareness-raising measures in the field of information technology security.
8. Concepts and processes for the use of cryptographic procedures.
9. Concepts for personnel security, access control and the management of ICT systems, products and processes.
10. Use of solutions for multi-factor authentication or “continuous” authentication, secure voice, video and text communication, and secure emergency communication systems within the organization.
Typical NIS2aaS services for implementation
The following components of a NIS2aaS support you during implementation:
- Establishment of suitable cyber security-related risk management with annually updated risk analyses and vulnerability assessments, in the form of penetration tests (in which the tester takes on the role of an attacker) or attack simulations (e.g. attack path management), and, if necessary, assumption of the role of cyber risk manager.
- Establishment of a suitable and efficient ISMS, possibly with the assumption of the associated functions as (Chief) Information Security Officer, Internal Auditor and/or support in preparation for the provision of required evidence or obtaining the necessary certifications.
- Establishment of a Security Operations Center (SOC) that recognizes the occurrence of security incidents at an early stage, reacts quickly and supports compliance with reporting obligations.
- Recurring confirmation of sufficient resilience through disaster recovery checks, tabletop exercises and other emergency drills.
- Annual assessment of supply chain security and associated dependencies.
- Implementation of the required awareness training for managers and employees.
SITS offers you the right NIS2aaS services. You can find out more on our NIS2 as a Service page. We have extensive experience in cyber security and will be happy to support you with the implementation.