NIS 2

What is NIS2?

NIS2 is the European response to the increasing threat from cyber attacks on companies and institutions of the European Union.

In the form of a policy, NIS2 describes measures to better how organizations can better prepare for cyber threats and protect them against cyber attacks and strengthen their IT infrastructure.

Following the official publication at the end of 2022, Member States have reached the 17th of October to 17 October 2024 to implement the requirements of the directive in the national legislation.

Who is affected by NIS2?

The current version affects companies and organisations from 18 industries, which in turn are divided into two sectors. Namely in “Significant institutions” (11 sectors with high criticality) and “Important institutions” (7 other critical sectors). Compared to NIS1, significantly more companies are now subject to legal templates. Companies with 50 employees and 10 million employees and 10 million are affected. Euro turnover.

Essential institutions – sectors with high criticality:
· Transport
· Energy
· Banking
· Health care
· Drinking water
· Wastewater
· ICT Service Management
· Digital infrastructure
· Administration
· Space travel
· Financial market

Critical sectors:
· Waste management
· Post
· Digital services
· Industry
· Food trade
· Chemical plants
· Research

All facilities in these areas that are covered by the NIS2 requirements must comply with the legislation.

What does NIS2 demand?

The introduction of the NIS2 directive brings with it a variety of new obligations and requirements for companies. First of all, companies are required to classify themselves independently in the corresponding sectors ("Specify" institution or “important” institution) and to register with the Federal Office for Information Security (BSI). “Essential” institutions must also participate in the exchange of information via the BSI’s central platform.

The NIS2 Directive also places further demands on the cybersecurity of organizations and companies. For example, companies and organizations have to deal with the topics of cyber risk management, control and monitoring, as well as dealing with incidents and business continuity.

What does that mean in concrete terms?

A NIS2-compliant risk management for information security must be established.
Security incidents must be reported and treated appropriately.
The information security standard in the supply chain must be guaranteed.
Policies and policies for risk management and information security must be created.
Measures for a functioning business continuity management must be developed and implemented.
Key figures must be developed, introduced and monitored.
The ITC resilience (e.g. Cryptography, communication, authentication, ...) must be demonstrably increased.
Cyber awareness in the form of e.g. Employee training must be implemented.

The management of an organization or a company, i.e. managing directors or board members, is responsible for compliance with the NIS2 requirements. All organisations covered by the NIS2 directive must comply with their due diligence obligation. Stricter liability rules will apply to the management of the organisations concerned.

How can this be implemented? What do I have to do and what do I have to consider?

We have the answer to these questions!
Let us go this way together, we will help you!