NIS-2 Compliance

We are your partner for cybersecurity and provide you with targeted support in implementing the legal requirements of the new EU Directive.

Efficient, uncomplicated and safe.

We make you fit for the NIS-2 requirements.

Legally compliant NIS-2 Solutions

The NIS 2 Directive is EU-wide legislation that obliges companies in critical and selected sectors to secure their IT systems and networks against cyber risks. A key step in meeting the requirements is the establishment of an information security management system (ISMS) in accordance with the proven ISO 27001 standard. This ensures that risks are systematically identified and minimized. At the same time, you meet legal requirements, protect yourself from sanctions and fines, and strengthen the trust of your customers and partners. We accompany you step by step in the implementation of an ISMS – from analysis to implementation to incident reporting – and thus strengthen your cybersecurity in the long term.

Our services

Inventory analysis in accordance with NIS-2 Requirements

We analyze your processes and hazards and identify potential gaps compared to the NIS-2 requirements.

ISMS development and Implementation

We support the creation and introduction of an information security management system (ISMS) in accordance with ISO 27001.

Training and awareness raising

We train every level of the organization on cybersecurity risks and provide practical solutions to promote security awareness.

We specialise in advising small and medium-sized enterprises (SMEs) and also offer attractive conditions for micro-enterprises.

Why e.lective for your cybersecurity?

All services in one package

Time- and resource-saving.

Take advantage of our expertise to build up your ISMS efficiently and purposefully. We take care of the analysis, identify weak points and provide comprehensive support during implementation so that you can continue to focus on your core business.

Objective safety assessment.

Benefit from our specialized expertise and objective analysis to accurately identify your IT security vulnerabilities and assess risks independently and impartially. In this way, you can secure your systems effectively and sustainably.

By experts for experts.

As a certified company according to TISAX®, we know the high requirements of information security from our own experience. We know what is important when introducing an ISMS and offer you pragmatic solutions that have proven themselves in practice.

NIS-2 Quick Check

Find out exactly where you stand in terms of the NIS-2 Directive in just a few minutes. Our interactive quiz will immediately show you which steps you should take next.

NIS-2 - FAQ

Information about the NIS-2 EU Directive to strengthen cybersecurity.

The NIS 2 Directive is a piece of EU legislation aimed at improving cybersecurity in critical sectors. NIS stands for network and information security. It obliges companies to secure their networks and information systems against cyber risks and to report incidents. The first NIS Directive was adopted by the EU Parliament in 2016. Building on this, the second version of the Directive (NIS2) was introduced in 2022; it has already entered into force and must be transposed into national law by October 2024. In Germany, however, implementation will be delayed until the first quarter of 2025, and companies should familiarize themselves with the requirements now and start implementing them.

NIS-2 applies to companies in sectors such as energy, health, transport, food supply, finance, digital infrastructure and public administration, in both the private and public sectors. There are no fixed thresholds in NIS-2 that clearly apply to all companies concerned. However, for some sectors, small and medium-sized enterprises (SMEs) are taken into account, which means that companies with fewer than 50 employees and an annual turnover of less than €10 million are usually not directly affected by NIS-2. Even so, small companies operating in critical sectors such as healthcare or energy supply must meet certain minimum requirements, even if they are not fully covered by NIS-2. If you are unsure, please feel free to contact us – we will help you to correctly determine how the NIS 2 requirements affect you.

Companies must take a variety of measures to meet the requirements of NIS-2. The starting point for this is an ISMS. In addition, the following points in particular must be implemented:

Risk management and safety precautions: Companies must establish an effective risk management system based on the identification and minimization of cyber risks. Security precautions must be taken to protect sensitive data and systems from attacks.

Report cybersecurity incidents: In the event of an incident, companies are obliged to report it to the competent national authorities within 24 hours. A detailed report of the incident must be submitted within 72 hours of the initial report.

Monitoring and regular audits: Companies need to regularly review their security measures and ensure that they are up-to-date and effective. This includes conducting security audits and implementing improvement measures.

Companies that do not comply with the requirements of the NIS 2 Directive can be subject to significant penalties. These penalties can be as high as €10 million or 2% of the company’s annual global turnover, whichever is higher. In addition to the financial penalties, there may also be legal consequences and a loss of trust on the part of customers and partners, which can lead to long-term business damage. Therefore, it is crucial to meet the requirements in a timely manner to avoid these risks.

An ISMS (Information Security Management System) is a structured system for managing and improving information security in an organization. It includes processes, policies, tools, and procedures for identifying, assessing, and addressing security risks. An ISMS according to the ISO 27001 standard forms the basis for the implementation of the NIS-2 requirements. It helps businesses implement the necessary security measures, report incidents, and continuously improve their cybersecurity. The introduction of an ISMS ensures that all requirements of NIS-2 are taken into account in a systematic framework.

Arrange a free initial consultation now
