NIS-2 – act now!


NIS-2

The NIS-2 Directive brings far-reaching requirements for many companies and should be transposed into national law by October 17, 2024. From October 18, 2024, it should be applied across Europe.

The German legislature has already been active, and there is now a 4th official draft bill for an NIS-2 Implementation and Cyber Security Strengthening Act (NIS2UmsuCG). The results of a consultation with associations have already been incorporated into this draft bill, which shows that the business-related regulations in particular are increasingly stabilizing and fewer and fewer changes are being made.

The German NIS2UmsuCG is an article law that amends the BSIG in particular. However, many other laws are also affected, such as the EnWG or the TKG. Many of the requirements are closely based on the NIS-2 Directive, and the German Federal Ministry of the Interior is aiming for an almost 1:1 transposition into German law. Accordingly, there will be particularly important facilities and important facilities across different sectors. These must implement extensive risk management measures: they must take suitable, proportionate and effective technical and organizational measures to prevent disruptions to the availability, integrity and confidentiality of information technology systems, components and processes. The state of the art must be maintained.

The NIS2UmsuCG also defines far-reaching registration obligations, obligations to report security incidents and obligations to inform one’s own customers. The regulations on the obligations for managers are significant. Accordingly, management boards must implement and monitor risk management measures. If they fail to fulfil their obligations, they may face compensation claims, which may also include fines. In addition, they must regularly take part in cyber security training.

According to internal calculations, the BMI assumes that there will be around 8,250 particularly important facilities and a further 21,600 important facilities in Germany that fall under the NIS2UmsuCG. If we then consider the required supply chain security, a further large number of companies will be indirectly affected by the NIS2UmsuCG. This creates enormous pressure to act and requires early precautions. It should be noted that neither the NIS-2 Directive nor the NIS2UmsuCG provides for implementation deadlines. As soon as the NIS2UmsuCG comes into force, it applies immediately. This has also been confirmed by the BMI on several occasions.

This means that action must be taken promptly! As not every company has sufficient expertise to meet these complex requirements, we offer a special service package to prepare for NIS-2.

Find out more in our data sheet and contact us!

Approach

Thanks to our broad expertise, especially with CRITIS companies, we are able to support you in all aspects of the preparation and successful implementation of NIS-2.

  • NIS-2 webinar, NIS-2 workshop
    o  Communication of the legal basis and raising awareness of the need for action in your company.
  • NIS-2 impact analysis
    o  Assessment of whether you or your organisation is affected by the NIS-2 Directive or the NIS2UmsuCG.
  • NIS-2 gap analysis, NIS-2 prioritisation of parts of the company
    o  Identification of gaps in relation to the requirements of NIS2UmsuCG.
  • NIS-2 board and management training
    o  Identification of the measures required to fulfil management obligations.
  • NIS-2 coaching, NIS-2 ISMS extension, NIS-2 ISMS development
    o  Sustainable realisation of the requirements. This includes in particular:
      • Generating a strong cyber security framework that includes organisational and technical measures.
      • Establishment of a sustainable reporting system.
      • Development and implementation of monitoring mechanisms to continuously review the effectiveness of the measures.

Your benefits

  • Fulfilment of legal requirements in accordance with the NIS-2 Implementation Act
  • Protection of your critical business processes
  • Overview of your IT risks and therefore the opportunity to introduce specific security measures
  • Avoidance of liability risks
  • Strategic use of investments
  • Increased effectiveness, efficiency and sustainability of information security
  • Successful certification provides proof of quality and a decisive competitive advantage