NIS2 - Challenges & Solutions

Objectives of NIS2

In today's digital landscape, cybersecurity is of paramount importance. The threat of cyberattacks is higher than ever before and continues to grow, and it is safe to assume that companies that do not take adequate precautions will be affected sooner or later. With the NIS2 Directive, the European Union is setting new standards for the security requirements placed on critical infrastructure (CRITIS) and on essential and important entities. Affected companies are not only legally obliged to comply with these requirements: they also benefit from greater awareness of potential threats and more robust security management. According to estimates, approximately 29,000 additional companies fall within the scope of the NIS2 Directive in Germany and therefore come under the supervision of the Federal Office for Information Security (BSI).

The expanded security measures and reporting requirements under the NIS2 Directive are designed to better protect critical infrastructure and essential entities against cyberattacks. The directive strengthens the resilience of companies and public authorities, optimizes cooperation between member states, and establishes uniform minimum standards for cybersecurity measures. In addition, a strong security profile promotes customer trust and loyalty, as customers increasingly value effective data protection and higher security standards.

Timetable

Companies should clarify whether, and to what extent, they are affected and make targeted preparations to meet the legal requirements. According to the current status, transposition into German law is expected by early 2026 at the latest.

[Graphic: Timetable]

Sectors affected

The NIS2 Directive is an important step in the European cybersecurity strategy and affects numerous sectors that are of central importance to society and the economy, including critical infrastructure and other essential areas.
NIS2 distinguishes between the sectors of particularly important and important institutions¹ (Annex 1) and the sectors of other important institutions² (Annex 2). Depending on the size of the company, the directive further differentiates between essential entities and important entities.

Sectors of particularly important and important institutions

Energy
Transportation & traffic
Banking
Health
Drinking and waste water
Digital infrastructure
Space

Other important institutions

Postal and courier services
Waste Management
Production, manufacture, and trade in chemical substances
Production, processing, and distribution of food
Manufacturing/production of goods
Digital service providers
Research

Essential entities are companies that

  • operate in one of the sectors of particularly important and important institutions¹ and
  • have at least 250 employees, or
  • have an annual turnover exceeding €50 million and an annual balance sheet total exceeding €43 million, or
  • operate critical facilities, regardless of company size.

Important entities are companies that

  • operate in one of the sectors of particularly important and important institutions¹ or other important institutions² and
  • have at least 50 employees, or
  • have an annual turnover and an annual balance sheet total each exceeding €10 million.

(in accordance with Annex 1¹ and Annex 2² of the BSI Act)

NIS2 impact check

Our NIS2 impact analysis offers you initial, non-legally binding guidance within a few moments on whether you are affected by the regulations. Regardless of the result, we strongly advise you to address your company's security needs.

For legal advice on whether you fall under NIS2, the experts at our legal cooperation partner BDO Legal Rechtsanwaltsgesellschaft mbH are at your disposal.

Obligations

Companies affected by the NIS2 Directive must review their classification and register with the Federal Office for Information Security (BSI) within three months, providing basic information such as contact details and the relevant services they provide.

NIS2 imposes stricter cyber security requirements. Companies are required to actively identify and assess risks to their systems in order to prevent or minimise security incidents. Important measures include effective backup management, disaster recovery, protection of sensitive data, and regular training and awareness-raising measures.

Security aspects of the supply chain and the use of cryptography must also be incorporated into the security strategy, based on the current state of the art, applicable norms and the regulatory requirements of data protection law.

Organizations are required to report significant security incidents, including those involving personal data, to the BSI without undue delay: an early warning within 24 hours of becoming aware of the incident, followed by an incident notification within 72 hours. Regular status updates and a comprehensive final report with a detailed analysis are also required.

Important: Additional reporting requirements apply to incidents that are relevant under data protection law, in particular the notification of the data protection supervisory authority under the GDPR.

Management bears central responsibility for implementing and monitoring the risk management measures. Members of management must attend regular training courses so that they acquire sufficient knowledge to assess risks, their impact, and the interaction between technical and organisational measures. This matters because management is liable for damage caused by negligence, especially where there is evidence that duties of care were breached when implementing security and data protection requirements.

In the event of serious security incidents, the BSI may require that the affected recipients of a service are informed immediately. In certain sectors, information about cyber threats and recommended countermeasures must also be provided to them.

Operators of critical infrastructure must demonstrate the implementation of the NIS2 measures every three years. The BSI specifies the requirements for this evidence, which must be provided no later than three years after classification. The evidence includes security audits as well as the submission of their results and of plans for remedying any deficiencies found.

For essential entities, audits are carried out on a random basis; for important entities, they are carried out on an ad hoc basis (for example, following indications of non-compliance). Complete documentation is therefore extremely important in all cases.

Our solution

With our modular solution, we support you in analyzing your implementation status and identifying gaps. We prioritize the open issues, create a roadmap, and implement the measures in a targeted and transparent manner.

Our solution is tailored to your individual requirements.

[Graphic: Solution overview]

Contact us!

Corinna Kulp
Partner, IT & Controls Assurance

Dr. Michael Mies
Senior Manager, Forensic, Risk & Compliance

Matthias Oßmann
Partner, BDO DIGITAL GmbH

Prof. Dr. Alexander Schinner
Partner | Cyber Incident Response & Crisis Center (CIRCC), Business Continuity Management (BCM), Security Operation Center (SOC)

Karsten Thomas
Partner, IT & Controls Assurance