The second version of the Network and Information Security Directive (NIS 2) came into force in the EU at the beginning of 2023. The EU member states must transpose NIS 2 into national law by 17 October 2024. In Germany, the Federal Ministry of the Interior has already submitted a draft bill for an NIS2 Implementation Act (NIS2UmsuG).

The NIS2 Directive is a revision and extension of the European Union’s original NIS Directive, which aims to improve the cyber security of information systems and networks in the EU. The NIS2 Directive introduces a number of changes and new requirements that have a significant impact on organisations.

The most important aspects from our point of view:

  1. Extended scope: NIS2 extends the scope of the directive beyond the original sectors (such as energy, transport, banking, health). It now also includes companies in other important sectors such as food, digital infrastructure, public administration and space. While the original NIS Directive focussed mainly on large and critical infrastructures, NIS2 also includes SMEs. The group of companies covered by the directive will be significantly expanded.
  2. Stricter security requirements: Companies covered by the NIS2 directive must implement stricter security measures to protect their information systems and networks. These include risk management measures, incident response plans and the performance of regular security audits.
  3. Incident reporting obligations: Companies must report certain security incidents and risks to the relevant national authorities. NIS2 tightens the reporting obligations and shortens the deadlines for reporting incidents.
  4. Higher fines: Non-compliance with the directive is likely to result in higher fines. Stricter penalties are also envisaged for breaches of the requirements.
  5. Focus on supply chain and service provider security: Companies must also consider the security of their supply chains and external service providers, which requires additional checks and risk management measures.
  6. Awareness-raising and training: NIS2 places a stronger focus on awareness-raising and training in the area of cyber security.

The situation in Germany is currently still characterised by a certain degree of uncertainty. The Federal Government intends to transpose the Directive into national law via various articles of legislation. Although there are currently various draft bills on how exactly the individual requirements of the directive will be implemented, only the next few months will show how detailed, how extensive or how weak the German version will be.

Regardless of the legislative situation, the implementation of the NIS2 Directive will mean a comprehensive review and potentially significant adjustments to companies’ cyber security practices. Processes and systems will need to be reviewed to ensure that the organisation is compliant with the new requirements. The good news is that what companies do in this context directly serves their own interests and public services. NIS2 addresses specific cyber security challenges that companies have to face anyway – and in their own interests – regardless of regulatory requirements.

Another piece of good news: nothing that the directive requires is rocket science. With a methodical approach to the continuous improvement of information security, companies are well equipped to meet the challenges posed by NIS2. ISO 27001 offers a corresponding framework with which numerous requirements of the directive can be proactively addressed. Companies that already operate an ISMS (information security management system) in accordance with ISO 27001 are therefore already in a good position to fulfil the requirements of NIS2. Companies that do not yet operate an ISMS and are looking for a way to fulfil the directive should take a look at ISO 27001.

Are you unsure whether your company is covered by the directive? Or do you already know – and are wondering how you can best prepare? Contact us for a free initial consultation on NIS2, ISO 27001 and information security.

