Perfectly equipped for the NIS2 directive
The new EU cyber security directive NIS2 (Directive (EU) 2022/2555 on measures for a high common level of cybersecurity across the Union) was adopted in December 2022 and must be transposed into national law by 17 October 2024. The German “NIS 2 Implementation and Cyber Security Strengthening Act (NIS2UmsuCG)” is so far only available as a draft; it is already clear, however, that it will have a significant impact on IT and business structures.
This is because the NIS2 directive requires a series of new and increasingly stringent security measures and reporting obligations.
Organizations and companies in almost all sectors must therefore prepare now. Public and private entities in all sectors that provide critical services and resources to EU citizens fall within the scope of the directive and of the upcoming law. Does your company belong to one of the 18 sectors listed in the directive’s annexes, and does it employ at least 50 people or have an annual turnover or balance sheet total above ten million euros? Then you need to act now.
Some key facts
- Many companies are still poorly informed and inadequately prepared – yet many now have to check their IT infrastructure for NIS2 compliance.
- It is not always clear whether a company belongs to the areas specified in the directive. Expert advice is frequently required here.
- The NIS2 Directive is flanked by the CER Directive (EU) 2022/2557 on the resilience of critical entities, which must also be transposed into German law by 17 October 2024.
- Another important legal provision for financial institutions is the DORA Regulation (EU) 2022/2554, which the industry must apply from 17 January 2025.
- Companies that do not comply with the risk management or reporting obligations face high financial penalties: up to ten million euros or 2% of worldwide annual turnover for essential entities, and up to seven million euros or 1.4% for important entities, whichever amount is higher (Article 34 of the NIS2 Directive).
- If an essential entity fails to remedy deficiencies in time, the supervisory authority can temporarily suspend certifications or authorisations for its services and temporarily prohibit its managers from exercising managerial functions (Article 32).
- For some companies, size is irrelevant. These include qualified trust service providers, top-level domain name registries and DNS service providers (Article 2(2)).
- Management bodies must approve the risk management measures, monitor their implementation and can be held liable for breaches (Article 20).
- Significant security incidents must be reported to the national CSIRT or competent authority.
- The measures from the NIS2 directive help to defend against the constantly increasing number of cyber attacks.
Company managers carry more responsibility than ever. Risk analysis, data protection and crisis management urgently need to be brought up to date in the affected companies.
As a managing director, CISO or responsible manager, am I personally liable with my private assets? Does NIS2 affect my company? Where are there security risks? What do I have to do to be NIS2-compliant?
You should ask yourself these questions now. We will accompany you on the path to NIS2 compliance – from the initial check to the implementation of all measures.
With our NIS2 services, we offer you a comprehensive package to determine your NIS2 status and to inform you about potential vulnerabilities and challenges.
- Our NIS2 check identifies critical vulnerabilities.
- We offer in-depth advice on how to efficiently close all vulnerabilities.
- With our 360-degree portfolio, we offer a comprehensive solution for the overall protection of your company’s IT.
- Our solutions are tailor-made for companies in every affected industry.
- For Microsoft-focused customers, we offer additional support and assessments.
- All-round service from a single source, without friction losses
- Support from our experienced NIS2 team
- Support from day 1 – from assessment to 24/7 managed service
- Customized solutions tailored to your requirements
- Prevention and precaution – you are well prepared with our NIS2 package
NIS1 (Directive (EU) 2016/1148) was the first EU cyber security directive aimed at improving the resilience of networks and information systems. Since then, the threat landscape has evolved and requires new approaches. Challenges include insufficient cyber resilience, a lack of understanding of threats and a lack of crisis management.
The NIS2 Directive builds on the three main pillars of the NIS1 Directive:
- Obligation for member states to implement a national cyber security strategy
- Obligation of each member state to establish a national CSIRT (Computer Security Incident Response Team)
- Obligation to set up a single point of contact (SPOC) for cross-border cooperation
Beyond that, NIS2 introduces a number of changes:
- NIS2 establishes a European vulnerability database, which is developed and maintained by the EU Agency for Cybersecurity (ENISA) (Article 12).
- The NIS2 Directive extends cyber security regulations to additional networked sectors.
- It replaces the NIS1 distinction between operators of essential services and digital service providers with the two categories of essential and important entities.
- It contains minimum requirements for risk management (Article 21) and more precise rules for reporting incidents (Article 23).
Affected companies must report significant security incidents in several stages: an early warning within 24 hours of becoming aware of the incident, an incident notification within 72 hours, and a final report no later than one month after the incident notification. The authorities may also request intermediate status reports. The harmonised procedure is intended to reduce the workload for companies operating in several EU member states and to strengthen cyber security.
The competent national authorities are responsible for monitoring and enforcing the NIS2 rules. The directive sets out a minimum list of supervisory measures (Article 32), including
- Regular and targeted audits
- On-site and off-site inspections
- Requests for information
- Access to documents and evidence