IT security by IT-HAUS

Mastering the NIS2 directive - Increase your IT security & minimize compliance risks

Customized IT security solutions & expert knowledge for your NIS2 compliance

Act to strengthen cyber security

What is the NIS2UmsuCG?

The Network and Information Security Directive 2 (NIS2 Directive) was adopted at the end of 2022 in response to the heightened threat of cyber attacks and the correspondingly higher (including technical) requirements for defending against such incidents. The directive will be binding from October 2024 at the latest.

In Germany, the directive is transposed into national law through the NIS2 Implementation and Cyber Security Strengthening Act (NIS2UmsuCG).

This directive defines EU-wide basic requirements for cyber security and obliges affected organizations to control the risks of their information systems.

Facilities affected

Who is affected?

The NIS2 Directive extends the scope of application far beyond the previous definition of "critical infrastructures" within the meaning of the KRITIS legislation. The entities concerned are defined on the basis of two key criteria: company size and company sector.

Criterion 1: Company size

Companies with

  • at least 50 employees, or
  • an annual turnover / annual balance sheet total of more than 10 million euros

can be regulated by NIS2 if they also fulfill criterion 2.

Important:

Irrespective of the size of the company, certain operators, particularly in the digital infrastructure and public administration sectors, are also to be regulated.

Criterion 2: Business sector

A distinction is made between "particularly important entities" and "important entities". This distinction largely determines the degree of government monitoring and the intensity of sanctions in the event of breaches of the rules.

The "particularly important entities" include operators from nine sectors as well as special cases; the "important entities" include operators from eight sectors and medium-sized operators from all sectors.

Affected organizations belong to one of the following 17 sectors:

Cybersecurity & risk management

The core requirements of the NIS2 directive

NIS2 defines basic requirements for cyber security. The entities concerned are obliged to control the risks affecting their information systems. In addition to various technical measures (including regular vulnerability scans/pentests, backups, attack detection and multi-factor authentication), this also includes organizational measures (including risk management, an IT emergency manual and regular cyber security training for all employees) and incident management.

As the responsible supervisory authority, the Federal Office for Information Security (BSI) will monitor compliance with the requirements. The BSI will also have the authority to oblige companies to inform affected customers, the public or data protection authorities in the event of significant security incidents.

In addition, the NIS2 Directive obliges the entities concerned to submit a multi-stage report in the event of significant security incidents:

Within 24 hours

  • Early first notification
  • Suspicion of unlawful acts

Within 72 hours

  • Assessment of severity and impact
  • Indicators of compromise (IoC)

Within 1 month

  • Detailed description
  • Underlying causes
  • Remedial measures taken

Consequences of violations

Sanctions and personal liability of the management

Violations of NIS2 requirements can be punished with fines of up to

  • €10 million or 2% of global turnover (particularly important entities)
  • €7 million or 1.4% of global turnover (important entities)

The NIS2 Directive also imposes various obligations on management:

  • Implementing the risk management measures
  • Monitoring their implementation
  • Regular participation in cyber security training
  • Offering employees training as part of the risk management measures

Management is personally liable for any damage incurred (fines, recourse claims from third parties).

The NIS2 implementation with IT-HAUS

Ready for NIS2 in just 5 steps

1. NIS2 Readiness Workshop

We support you with the impact and gap analysis on your way to NIS2 compliance.

2. NIS2 implementation project

Start the implementation project to put the identified measures in place.

3. Registration with the BSI

You must register with the BSI within 3 months of becoming affected.

4. Reporting of security incidents

Prepare the necessary processes for reporting an incident and practise the procedure.

5. Do you have an emergency plan?

Ensure that your company remains capable of acting in the event of a security incident.

Are you ready for NIS2?

NIS2 Readiness Workshop

How well prepared are you for NIS2? Find out!

Using a preliminary questionnaire, we guide you through the key requirements of NIS2. In the subsequent joint workshop, we carry out a gap analysis and develop your individual roadmap to NIS2 readiness.

Comprehensive status check of your NIS2 compliance

Gap analysis of current NIS2 compliance

Recommendations for action with prioritization

On request: legally compliant impact analysis

Offer
NIS2 Readiness Workshop

from €2,500.00*

* (net) plus statutory VAT

Status check

Comprehensive status check of your NIS2 compliance

Targeted investment planning

Gap analysis for your next investments

Early action

Increasing IT security & recognizing the measures necessary for NIS2 readiness

Worth knowing

Information about NIS2

Video podcast

IT-TALK #7: NIS2 - The new EU directive puts companies under pressure to act

With the revised Network and Information Security Directive (NIS2), the European Union is creating uniform EU-wide minimum standards for the resilience of companies and authorities against cyber attacks.

Webcast

NIS2 - Cyber security becomes a top priority

The new EU Directive on Network and Information Security (NIS2) makes IT security a top priority and sets minimum standards for cyber security. Watch the webcast recording to find out what the new requirements mean for your company and how you can implement them in practice.

Video podcast

IT-Talk #8: HACKED - Insider perspective on a hacker attack

The IT nightmare has come true! The company hacked, the systems out of control! In a special episode of our IT Talk, Frank Benke, Head of IT at HAHN Automation Group, reports on how he and his team experienced a hacker attack!

FAQ

The most important information at a click

What does "NIS2" stand for?
The Network and Information Security Directive 2 (NIS2 Directive) was adopted at the end of 2022 in response to the heightened threat of cyber attacks and the correspondingly higher (including technical) requirements for defending against such incidents.

It defines EU-wide basic requirements for cyber security and obliges affected institutions to control the risks of their information systems.

Is NIS2 now replacing the GDPR?
No, NIS2 does not replace the GDPR (General Data Protection Regulation). While NIS2 focuses on the security of network and information systems, the GDPR is primarily concerned with the protection of personal data. However, security incidents that fall under NIS2 can also have data protection consequences if personal data is involved. The two laws therefore complement each other: NIS2 strengthens IT security, while the GDPR regulates data protection. It is important to observe and implement both regulations in parallel.

What is special about NIS2?
Compared to its predecessor, NIS2 places more stringent requirements on cyber security and covers more companies.

Who is affected by NIS2?
NIS2 applies to organizations in specific sectors that have an annual turnover of at least 10 million euros and/or employ at least 50 people. It also applies to organizations that may be smaller but whose loss of service would have a significant impact on public safety or health.

Will I be informed if I am affected?
Companies are responsible for finding out for themselves whether they are affected by NIS2. There is no automatic notification.

How is compliance with the NIS2 requirements checked?
Compliance with the NIS2 requirements is monitored by the Federal Office for Information Security (BSI). The BSI also has the authority to oblige companies to provide information in the event of significant security incidents.

What do I need to consider in the event of security incidents?
Companies must report security incidents in several stages and, in certain cases, inform customers, the public or data protection authorities.

What are the consequences of non-implementation?
Violations of the NIS2 requirements can result in fines of up to €10 million or 2% of global turnover for "particularly important entities" and up to €7 million or 1.4% of global turnover for "important entities". Of particular note are the direct liability of management and the more comprehensive reporting obligations in the event of security incidents.

How can IT-HAUS GmbH help me?
IT-HAUS GmbH offers a comprehensive NIS2 compliance service, starting with a NIS2 readiness workshop in which we work together to identify the necessary steps and develop a customized roadmap. While the workshop focuses on planning, IT-HAUS is then available for the practical implementation of the identified measures. This means that you receive all the services you need to become NIS2-compliant from a single source.

Which topics can our security experts support you with?

Contact us, we will support you on your way to a successful and secure digital future. Our contacts who specialize in your company's IT security will be happy to advise you.

Hans-Otto Mohr
Head of Competence Center Security
hmohr@it-haus.com
+49 6502 9208-251