The second version of the Network and Information Security Directive (NIS2) came into force in the EU at the beginning of 2023. The EU member states must transpose NIS2 into national law by 17 October 2024. In Germany, the Federal Ministry of the Interior has already submitted a draft bill for an NIS2 Implementation Act (NIS2UmsuG).
The NIS2 Directive is a revision and extension of the European Union’s original NIS Directive, which aims to improve the cyber security of information systems and networks in the EU. The NIS2 Directive introduces a number of changes and new requirements that have a significant impact on organisations.
The situation in Germany is currently still characterised by a certain degree of uncertainty. The Federal Government intends to transpose the Directive into national law via various articles of legislation. Although there are currently various draft bills on how exactly the individual requirements of the directive will be implemented, only the next few months will show how detailed, how extensive or how weak the German version will be.
Regardless of the legislative situation, the implementation of the NIS2 Directive will mean a comprehensive review and potentially significant adjustments to companies’ cyber security practices. Processes and systems will need to be reviewed to ensure that the organisation is compliant with the new requirements. The good news is that what companies do in this context directly serves their own interests and public services. NIS2 addresses specific cyber security challenges that companies have to face anyway – and in their own interests – regardless of regulatory requirements.
Another piece of good news: nothing the directive requires is rocket science. With a methodical approach to the continuous improvement of information security, companies are well equipped to meet the challenges posed by NIS2. ISO 27001 offers a suitable framework with which numerous requirements of the directive can be addressed proactively. Companies that already operate an ISMS (information security management system) in accordance with ISO 27001 are therefore already well placed to fulfil the requirements of NIS2. Companies that do not yet operate an ISMS and are looking for a way to fulfil the directive are advised to take a look at ISO 27001.
Are you unsure whether your company is covered by the directive? Or do you already know – and are wondering how you can best prepare? Contact us for a free initial consultation on NIS2, ISO 27001 and information security.