NIS2 - directive | SITS
NIS2: It's time to take action

The new EU cyber security directive NIS2 (Network and Information Security Directive 2 (EU) 2022/2555) was adopted in October 2022 and must be transposed into national law by October 2024. The German “NIS 2 Implementation and Cyber Security Strengthening Act (NIS2UmsuCG)” is so far only available as a draft; however, it is already clear that it will have a significant impact on IT and business structures.

This is because the NIS2 directive requires a series of new and increasingly stringent security measures and reporting obligations.

Organizations and companies in almost all sectors must therefore prepare now. Public and private companies and organizations in all sectors that provide critical services and resources to EU citizens fall within the scope of the directive – and the upcoming law. Does your company belong to one of the 18 categories listed below, employ more than 50 people and have an annual turnover of ten million euros or more? Then you need to act now.

Some key facts

  • Many companies are still poorly informed and inadequately prepared – yet many now have to check their IT infrastructure for NIS2 compliance.
  • It is not always clear whether a company falls within the sectors specified in the directive. Expert advice is frequently required here.
  • The NIS2 Directive is flanked by the CER Directive, which concerns the “resilience of critical companies” and must also be transposed into German law by October 18.
  • Another important legal provision for financial institutions is the DORA Regulation, which the industry must implement by January 17, 2025.
  • Companies that do not comply with risk management measures, for example, face high financial penalties – up to tens of millions of euros (Article 34 of the NIS2 Directive).
  • Business operations can be stopped by the supervisory authority if network security is at risk.
  • For some companies, size is irrelevant. These include service providers with qualified signature management.
  • Managing directors must monitor the implementation of NIS2 and are liable in the event of breaches.
  • Security incidents must be reported to national authorities.
  • The measures from the NIS2 directive help to defend against the constantly increasing number of cyber attacks.

There is enormous scope for improvement when it comes to adapting risk management and cyber security to the strict NIS2 requirements. More than twice as many areas as before are now classified as critical.

Company managers are more responsible than ever. Risk analysis, data protection and crisis management urgently need to be brought up to date in the affected companies.

NIS2: Legal obligation turns into an economic opportunity
Cyber security is becoming a legal obligation: the NIS2 Directive sets stricter requirements for ensuring the security of network and information systems than its predecessor. For companies this means implementing security monitoring, security assessments, penetration tests, managed extended detection & response, incident response management and other security measures.
Risk Management in focus
NIS2 is the revised version of the NIS1 directive on network and information security. It is estimated that between 25,000 and 40,000 companies in Germany alone will be affected by its implementation. The directive foresees strict sanctions for non-compliance, including fines. Even the dismissal of company management is part of the sanctions package.

Implementing the directive (or the corresponding law) in the structures of the companies affected is crucial in order to meet the growing threats and cyber security requirements in a networked economy, avoid sanctions and ensure competitiveness.

Reliable and effective risk management and comprehensive cyber security measures are essential for this. Compliance can only be achieved if the company is able to assess and avert technical and operational risks.

The following NIS2 rules apply to affected companies:

  • The NIS2 directive requires that companies use robust and comprehensive risk analysis concepts and practices.
  • Companies are required to evaluate the effectiveness of their risk measures.
  • Companies will also need to scrutinize and monitor the security measures of third-party providers whose solutions they use for critical services. IT service providers must also be prepared for supplier audits.
  • Companies need to have technologies and solutions in place to defend against security incidents.
  • They should implement a powerful and comprehensive information security management system.
  • They must have a well-defined strategy and measures in place in the event of security incidents and breaches. Crisis and business continuity management are required.
  • Companies have to include the procurement, development and maintenance of IT and network solutions in their risk management.
  • They must proactively report security incidents. Incidents can be identified and reported quickly and efficiently using an incident reporting system.
  • Companies have to provide continuous security training for employees.
  • They must also ensure strong access controls, multi-factor authentication and continuous monitoring.

From finance to digital service providers
The NIS2 Directive affects companies and organizations in various industries, especially those that are considered part of the critical infrastructure or provide important services to society.

For “essential” organizations, the directive foresees financial sanctions of up to at least ten million euros. For “important” organizations, they amount to up to at least seven million euros. If a successful cyber attack restricts business operations because of inadequate risk management in particularly important facilities, the company management is directly liable.

The main sectors include:

  • Energy (electricity, oil, gas, district heating and cooling and hydrogen)
  • Transport (air, rail, water and road)
  • Healthcare
  • Water supply (drinking water, wastewater)
  • Digital infrastructure (telecommunications, DNS, TLD, cloud services, data centers, trust service providers)
  • Finance (banks, financial market infrastructure)
  • Public administration
  • Space

Important sectors include:

  • Digital providers (online markets, search engines, social networks)
  • Postal services
  • Waste management
  • Food and beverages
  • Manufacturing (medical devices, electronics, machinery, transportation)
  • Chemicals (production and distribution)
  • Research

Affected companies and organizations must now act quickly and implement critical measures relating to risk management, cyber security, reporting and notification obligations.

They should establish a structured security management system based on best practices and standards. This includes defining security policies, procedures and processes, promoting employee security awareness and behavior through training, and regularly reviewing and updating security policies.

The following areas especially require upgrading:

  • Effective prevention to identify and prevent security incidents
  • 24/7 monitoring of security and cyber hygiene
  • Access protection for accounts and data (identity and access management)
  • Risk management and assessments of the IT infrastructure
  • Comprehensive crisis and business continuity management
  • Constant evaluation of the measures taken
  • Staff training and awareness

Reporting of security incidents: An early warning to the responsible supervisory authority within 24 hours, a more detailed incident report after 72 hours and a final report within one month are required.

Push for security, trust and brand image
The NIS2 requirements demand a significant effort from affected companies in terms of risk management, security measures and employee training, for example. At the same time, however, NIS2 is also a great opportunity to rethink and reorganize cyber security in a holistic way, to block cyber criminals, ward off costly outages and attacks and, last but not least, to protect company, customer and employee data.


According to a study by Cybersecurity Ventures, a cyber attack occurred every 39 seconds in 2023. That is equivalent to more than 2,200 attacks per day, and the trend is rising. Digitalization, networking, AI and other factors mean that the risk of becoming a target of an attack is constantly increasing.

NIS2 is therefore not just a question of compliance or another legal obligation: implementing the NIS2 requirements also offers you the opportunity to restructure your company in terms of cyber security and make it more competitive. This means:

  • Higher security standards and improved security level
  • More comprehensive protection
  • A more secure digital environment

With NIS2 compliance, your company demonstrates to customers and partners that you practice data protection and are at the cutting edge of security technology. And the sooner you implement NIS2 compliance, the sooner you will strengthen your IT security and customer trust.

The key to this:

  • Improved Data Encryption
  • Penetration tests
  • Identity and Access Management
  • Network Security
  • Firewalls
  • Intrusion Detection
  • Security Training for Employees

NIS2 gives your company clear guidance and valuable advice on how to strengthen your cyber defenses. Our experienced NIS2 expert teams will show you the best way to achieve NIS2 compliance.

Achieving NIS2 compliance with SITS

As a managing director, CISO or responsible manager, am I personally liable with my private assets? Does NIS2 affect my company? Where are there security risks? What do I have to do to be NIS2-compliant?

You should ask yourself these questions now. We will accompany you on the path to NIS2 compliance – from the initial check to the implementation of all measures.

With our NIS2 services, we offer you an all-round comprehensive package to determine your NIS2 status and inform you about potential vulnerabilities and challenges.

  • Our NIS2 check identifies critical vulnerabilities.
  • We offer in-depth advice on how to efficiently close all vulnerabilities.
  • With our 360-degree portfolio, we offer a comprehensive solution for the overall protection of your company’s IT.
  • Our solutions are tailor-made for companies in every affected industry.
  • For Microsoft-focused customers, we offer additional support and assessments.

Security just one click away!
NIS2 compliance made easy! Get consulting from NIS2 experts to keep your organization secure and compliant. We manage all regulatory aspects so that you can focus on your core business.
Your Advantages
Our comprehensive advice and tailored optimization of your security in accordance with the NIS2 directive offers you the following advantages:
  • All-round service from a single source without any friction losses
  • Support from our experienced NIS2 team
  • Support from day 1 – from assessment to 24/7 managed service
  • Customized solutions tailored to your requirements
  • Prevention and precaution – you are well prepared with our NIS2 package

Three-Step NIS2 Compliance
Get your company NIS2 ready: With our NIS2 Quick Check you can quickly determine online, in just a few minutes, whether your company is affected by the NIS2 Directive. In our comprehensive on-site or remote 360° NIS2 Assessment, our team of experts performs a thorough examination of your compliance requirements and advises on necessary implementations. SITS also ensures the complete and ongoing execution of all measures as part of our Compliance Program on demand.
  1. The NIS2 Quick Check: Test now – The NIS2 directive will affect more than 30,000 companies (in Germany) in the future. However, many companies are not sure whether they are affected by NIS2. If you are also uncertain about it, use our free NIS2 Quick Check to check whether your company is concerned.
  2. The NIS2 Assessment: The Audit
  3. The NIS2 Compliance Program: Implementation – Following the completed NIS2 assessment and the review of your existing security measures, you will receive a detailed report. Based on this security roadmap, we offer you the implementation of all necessary security measures - from IAM and Security Operations Solutions to Cloud Security measures - tailored to your needs.
Frequently Asked Questions
The most important questions about the NIS2 Directive

The NIS1 was the first EU cyber security directive to improve the resilience of networks and information systems. Since then, the threat landscape has evolved and requires new approaches. Challenges include insufficient cyber resilience, a lack of understanding of threats and a lack of crisis management.

The NIS2 Directive is based on the three main pillars of the NIS1 Directive:

  1. Obligation for member states to implement a national cyber security strategy
  2. Obligation of each member state to establish a national CSIRT (cyber security authority)
  3. Obligation to set up a single point of contact (SPOC) for cross-border cooperation

  • NIS2 establishes an EU vulnerability database, which is maintained by the EU Agency for Cyber Security (ENISA).
  • The NIS2 Directive extends cyber security regulations to new networked sectors.
  • It removes the distinction between operators and providers of critical services.
  • It contains a concept for risk management and more precise rules for reporting incidents.

Affected companies must report security incidents according to a multi-stage approach. They must submit an early warning within 24 hours, an incident notification within 72 hours and a final report within one month. This is intended to reduce the workload for companies operating in several EU member states and strengthen cyber security.

The respective authorities are responsible for monitoring and enforcing the NIS2 rules. There is a minimum list of control measures, including:

  • Regular and targeted audits
  • On-site and off-site inspections
  • Requests for information
  • Access to documents and evidence

A distinction is made in the obligations between essential and important companies.
Security starts here!
Contact us for immediate support on security requirements.